Mailing List Archive

Just set up SPF, does not seem to be working
Hello,

Looking for help with SPF, I think I have set it up incorrectly.

Situation: I'm getting a heavy volume of spam where the From Sender is
the same as the To Sender. I believe SPF should prevent this spam from
getting through.

My Setup: Exchange 2003 SP2 Sender ID Filtering enabled with public
hosted DNS - easydns.com, also using Postini. I have created the
following SPF record: v=spf1 ip4:192.168.103.0/24 ip4:206.14.xxx.xxx
ip4:64.18.0.0/20mx include:easydns.com ~all

I edited the public IP of my Exchange server. The /20 block is for
Postini. Can anyone see something I am doing wrong here?

Thanks,
Ryan

***********************************************************
IRS Circular 230 Disclosure: As required by U.S. Treasury Regulations
governing tax practice, you are hereby advised that any written tax advice
contained herein was not written or intended to be used (and cannot be used)
by any taxpayer for the purpose of avoiding penalties that may be imposed
under the U.S. Internal Revenue Code.
***********************************************************

CONFIDENTIALITY NOTICE:
This electronic message may contain information that is confidential and/or
legally privileged. Any use, review, dissemination, distribution, or copying
of this transmission by anyone other than the intended recipient is strictly
prohibited. If you have received this message in error, please immediately
notify the sender and/or Filice Brown Eassa & McLeod LLP by telephone at
(510) 444-3131 and delete the original message. Thank you.


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
Re: Just set up SPF, does not seem to be working [ In reply to ]
On Thu, Aug 20, 2009 at 17:51, Ryan Sutton<RSutton@filicebrown.com> wrote:
> Hello,
>
> Looking for help with SPF, I think I have set it up incorrectly.
>
> Situation: I'm getting a heavy volume of spam where the From Sender is
> the same as the To Sender. I believe SPF should prevent this spam from
> getting through.
>
> My Setup: Exchange 2003 SP2 Sender ID Filtering enabled with public
> hosted DNS - easydns.com, also using Postini. I have created the
> following SPF record: v=spf1 ip4:192.168.103.0/24 ip4:206.14.xxx.xxx
> ip4:64.18.0.0/20mx include:easydns.com ~all
>
> I edited the public IP of my Exchange server. The /20 block is for
> Postini. Can anyone see something I am doing wrong here?

As covered in the FAQ - SenderID is NOT SPF.

Note that by using ~all you've said (as mentioned at
http://www.openspf.org/SPF_Record_Syntax) to accept, but mark
(SoftFail). If you want mail failing the SPF check to be rejected you
need to:

a) Use "-all"
b) Check SPF records at your MX hosts, configured to reject mail that Fails

To comment on your SPF record we HAVE to know the real domain in
question, it's impossible to help based on false information. Note
that the SPF record should never use RFC1918 addresses, as your
altered record appears to.

Finally, do you send email through Postini, directly to your Exchange
server, or via EasyDNS?

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche


RE: Just set up SPF, does not seem to be working [ In reply to ]
Hi Rob,

Thanks for the reply. I will remove the private range from the SPF
record. Here is the full unedited SPF record:

v=spf1 ip4:192.168.103.0/24 ip4:206.14.210.88 ip4:64.18.0.0/20mx
include:easydns.com ~all

The domain is h5marketing.com.

Inbound email goes through Postini directly to the Exchange server.
Before using Postini I used easydns, so I can remove that portion now I
suppose.

So for the new SPF record it seems like this would work for me:
v=spf1 ip4:206.14.210.88 ip4:64.18.0.0/20mx -all

Do you agree?

Thanks,
Ryan

Re: Just set up SPF, does not seem to be working [ In reply to ]
On Thu, Aug 20, 2009 at 19:30, Ryan Sutton<RSutton@filicebrown.com> wrote:
> Hi Rob,
>
> Thanks for the reply. I will remove the private range from the SPF
> record. Here is the full unedited SPF record:
>
> v=spf1 ip4:192.168.103.0/24 ip4:206.14.210.88 ip4:64.18.0.0/20mx
> include:easydns.com ~all
>
> The domain is h5marketing.com.
>
> Inbound email goes through Postini directly to the Exchange server.
> Before using Postini I used easydns, so I can remove that portion now I
> suppose.

SPF is about how you SEND email, not about how you receive it. Your
SPF record should list the IP addresses/ranges from which the domain
SENDS email.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche


RE: Just set up SPF, does not seem to be working [ In reply to ]
Ryan Sutton wrote on Thu, Aug 20 2009 at 11:51 am:

> Situation: I'm getting a heavy volume of spam where the From Sender is
> the same as the To Sender. I believe SPF should prevent this spam from
> getting through.
> My Setup: Exchange 2003 SP2 Sender ID Filtering enabled

If you are receiving the spam, your mail server needs to check
for SPF on the incoming messages. Your SPF record is not relevant,
unless they are using your domain.

Note Sender ID is not SPF, see the FAQ.

> hosted DNS - easydns.com, also using Postini. I have created the
> following SPF record: v=spf1 ip4:192.168.103.0/24 ip4:206.14.xxx.xxx
> ip4:64.18.0.0/20mx include:easydns.com ~all

"ip4:64.18.0.0/20mx" needs a space before the MX (if you
published it that way, the entire record is invalid). So you send mail
out using easydns.com mail servers (as well as Postini's)? They use a
lot of servers:

easydns.com. 3600 IN TXT "v=spf1 mx ptr
ip4:205.210.42.0/24 ip4:216.220.40.240/29 ip4:66.207.199.35/32
ip4:64.68.200.0/24 include:myprivacy.ca ptr:opensrs.net
ptr:registrarmail.net ptr:internetsecure.com ~all"



-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- Teamwork is essential - it allows you to blame someone else.

~ Taglines by Taglinator: www.srtware.com ~
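
The three problems raised in the replies above (the missing space in `ip4:64.18.0.0/20mx`, the RFC 1918 range, and `~all` versus `-all`) can be caught offline before a record is published. This linter is an added example, not part of the original thread; the function names are hypothetical, the first two records are quoted from the thread, and the third is a constructed variant with the space inserted.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}

# Records quoted in the thread, plus a constructed one with the space inserted.
PUBLISHED = ("v=spf1 ip4:192.168.103.0/24 ip4:206.14.210.88 "
             "ip4:64.18.0.0/20mx include:easydns.com ~all")
PROPOSED = "v=spf1 ip4:206.14.210.88 ip4:64.18.0.0/20mx -all"
SPACED = "v=spf1 ip4:206.14.210.88 ip4:64.18.0.0/20 mx -all"  # constructed


def parse_ip4(arg):
    """Parse the argument of an ip4: mechanism; raise ValueError if malformed."""
    addr, slash, length = arg.partition("/")
    if slash and not re.fullmatch(r"\d{1,2}", length):
        raise ValueError(f"CIDR length {length!r} is not a number")
    bits = int(length) if slash else 32
    if bits > 32:
        raise ValueError(f"CIDR length {bits} is out of range")
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(addr)}/{bits}", strict=False)


def lint_spf(record):
    """Return (severity, term, message) findings for one SPF TXT string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("error", record, "record does not start with v=spf1")]
    findings = []
    for term in terms[1:]:
        if re.fullmatch(r"[A-Za-z][A-Za-z0-9_.-]*=\S*", term):
            continue  # modifier such as redirect= or exp=; not checked here
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term[1:] if term[0] in "+-~?" else term
        m = re.fullmatch(r"([A-Za-z][A-Za-z0-9]*)(?:[:/](.*))?", body)
        name = m.group(1).lower() if m else ""
        if name not in MECHANISMS:
            findings.append(("error", term, "unknown mechanism"))
        elif name == "ip4":
            try:
                net = parse_ip4(m.group(2) or "")
            except ValueError as exc:
                # A syntax error makes the whole record invalid.
                findings.append(("error", term, f"invalid ip4 term: {exc}"))
                continue
            if any(net.overlaps(private) for private in RFC1918):
                findings.append(("warning", term, "RFC 1918 range is not a public sending address"))
        elif name == "all" and qualifier != "-":
            findings.append(("warning", term, "failing mail is not rejected; use -all for that"))
    return findings


if __name__ == "__main__":
    for rec in (PUBLISHED, PROPOSED, SPACED):
        print(rec)
        for severity, term, message in lint_spf(rec):
            print(f"  {severity}: {term}: {message}")
```

The linter checks syntax and policy strength only; it does not resolve `include:` or `mx` targets, so it cannot tell whether the listed addresses are the ones the domain actually sends from.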


RE: Just set up SPF, does not seem to be working [ In reply to ]
Will SPF prevent the type of SPAM where the spammer has forged my
domains email address? This is confusing to me because SPF prevents
sender forgery, but will it prevent someone sending email to my domain
when they forge my domain address? Maybe SPF is not the right solution
to prevent this?

Thanks,
Ryan

RE: Just set up SPF, does not seem to be working [ In reply to ]
Steve,

Yes I am receiving spam on incoming mail and yes they are forging my
domain. I am no longer using easydns for outbound mail, just Postini. I
have Postini's large /20 block included in the SPF record.

Thanks,
Ryan

Re: Just set up SPF, does not seem to be working [ In reply to ]
On Thu, Aug 20, 2009 at 20:06, Ryan Sutton<RSutton@filicebrown.com> wrote:
> Will SPF prevent the type of SPAM where the spammer has forged my
> domains email address? This is confusing to me because SPF prevents
> sender forgery, but will it prevent someone sending email to my domain
> when they forge my domain address? Maybe SPF is not the right solution
> to prevent this?

It will, when your SPF record says to reject FAILing checks (-all) AND
they check SPF records and honour your record's request.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche


RE: Just set up SPF, does not seem to be working [ In reply to ]
Ryan Sutton wrote on Thu, Aug 20 2009 at 2:10 pm:

> Yes I am receiving spam on incoming mail and yes they are forging my
> domain. I am no longer using easydns for outbound mail, just Postini. I
> have Postini's large /20 block included in the SPF record.

Then you should remove the "include:easydns.net" from your SPF
record. You only want to list your outgoing mail servers. And when
you are happy with your SPF record
(http://www.kitterman.com/spf/validate.html) then change ~all to -all.

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- Catastrophe: a prize for the cat with the nicest buns.

~ Taglines by Taglinator: www.srtware.com ~


Re: Just set up SPF, does not seem to be working [ In reply to ]
On Thu 20 Aug 2009 06:51:56 PM CEST, Ryan Sutton wrote
> Looking for help with SPF, I think I have set it up incorrectly.

http://old.openspf.org/wizard.html?mydomain=filicebrown.com&submit=Go!

> Situation: I'm getting a heavy volume of spam where the From Sender is
> the same as the To Sender. I believe SPF should prevent this spam from
> getting through.

google postfwd equal sender recipient, this can reject such crap mails
without spf, but if I don't know more about your domain no more help I
can give you

> My Setup: Exchange 2003 SP2 Sender ID Filtering enabled with public
> hosted DNS - easydns.com, also using Postini. I have created the
> following SPF record: v=spf1 ip4:192.168.103.0/24 ip4:206.14.xxx.xxx
> ip4:64.18.0.0/20mx include:easydns.com ~all

bluehost customer ?

why do you add rfc1918 address space to spf ?

> I edited the public IP of my Exchange server. The /20 block is for
> Postini. Can anyone see something I am doing wrong here?

more info needed


--
xpoint



RE: Just set up SPF, does not seem to be working [ In reply to ]
On Thu 20 Aug 2009 09:06:46 PM CEST, Ryan Sutton wrote
> Will SPF prevent the type of SPAM where the spammer has forged my
> domains email address?

yes

> This is confusing to me because SPF prevents sender forgery, but will
> it prevent someone sending email to my domain
> when they forge my domain address?

you seem unsure ? :)

> Maybe SPF is not the right solution to prevent this?

forge my email and reply with what you get :)

--
xpoint


