On Sun, Jul 04, 2004 at 03:12:09AM -0500, David Phillips wrote:
> Matthew S. Hallacy writes:
> > Spam does not land in my mailbox, messages returned by qmail,
> > misconfigured postfix, old IIS servers, and a few specialized setups
> > due to an accept *, reject later policy means that I get
> > a daily bombardment of rejects from remote hosts due
> > to my address being spoofed in everything
> > from 'XXXX STOCK IS ON THE RISE' to virus emails.
> 
> So reject everything with a null envelope sender.

I appreciate seeing what's going on with my mail, filtering/rejecting all
mail with null envelopes would negate that.

> 
> > SPF is not meant to be a spam killer, it's meant to reduce the
> > effectiveness of third party relays (compromised windows
> > boxes, open relays, etc), ie, forged email.
> 
> SPF won't do anything to prevent that.  There will always be domains to
> forge.  Additionally, spammers could simply add SPF records for their throw
> away domains.


I'm well aware that nothing can truly fix qmail's broken-ness.

Spammers adding SPF records to their domains is also not an issue, in
fact, as I said, it will be helpful. (If they register domains to spam from
it gives a datapoint. Maybe it's something DCC related that tags massive spam
from certain domains or something else.) Regardless, they won't be sending spam
from weqfasdfe at poptix.net, and I won't receive the reject OR the abuse complaints.

> 
> > Servers with SPF turned on would immediately recognize that
> > poptix.net does not send mail from *.comcast.net, *.verizon.net,
> > or any other large pool of infected windows machines. This
> > stops _whatever_ is inbound immediately and saves me the headache.
> 
> Ahh.  That is a benefit that I hadn't considered.  Unfortunately, it relies
> on everyone else blocking incoming mail that doesn't match SPF.

One of the primary ISPs I'm concerned about (and a large portion of my
rejects) is AOL; AOL is implementing SPF.

> 
> > 1) There is no reason for mail, once it leaves my mail server, to
> > travel through any other servers that are not on the MX list for
> > the destination domain.
> 
> That's fine for you, but what about people who do forward their mail?

If they're forwarding mail then they can tweak their filters to whitelist
that relay.

> > spammers registering domains to send mail from
> > is handled by other mechanisms, and provides a more direct link
> > back to the spammer.
> 
> You obviously don't know much about spammers.  It's easy to anonymously
> register domains with fake information.  No one notices until the domains
> are used.  By the time they are terminated or blocked, the spammers have
> switched domains.

I know plenty about spammers, even if it's only $4.95 (in bulk) to register
a new domain, they still have to do it. As for 'by the time they are blocked..'
I personally run a few mail servers that get thousands of spam messages per hour,
after the Xth spam from a domain I can happily block that domain entirely for Y
amount of time. A distributed system (again, like DCC/DCC2) would report 
'spammy' domains immediately, score that in spamassassin, etc.

Regardless, this wasn't the point of SPF. If a spammer is spamming from their
own domain, they are no longer spamming from someone else's.


> > 7) Rejecting mail from people who choose to relay mail through
> > unauthorized servers is fine with me. If they cannot be bothered
> > to the proper mail server they can assume
> > the risk of having their mail rejected.
> 
> What if your domain is hosted on your cable modem or DSL service, but your
> IP address is blacklisted?

Add an SPF record that allows mail to originate through your ISP's mail server
that you've configured as a smart host.

-- 
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203
