Mailing List Archive

trouble with spoofed email spf not working
I’m new to the SPF concept and having trouble with it. I am getting a lot of spoofed email which appears to come from our domain, thereby avoiding our spam filter. This only happens whenever I try to use a mail forwarder such as MailHop. The spammers send email directly to the secondary MX servers. I thought SPF was supposed to help with this but I cannot seem to make it work for me. I am using Windows 2003 Server DNS as my primary and DynDNS as my secondary. I have used the SPF Wizard to help with the text record. Not sure where to go from here.

Sample of my record.
v=spf1 ip4:67.221.119.199/32 a:month mx:salem.k12.va.us ~all

Thanks.

RM

-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
Re: trouble with spoofed email spf not working
> The Spammers send email directly to the secondary MX
> servers .

That's normal. Secondary MXes are frequently less well protected than
primaries - so, for example, they usually accept mail for non-existent
accounts. This is why I generally recommend *not* having a secondary for
most mail setups...

> I thought SPF was supposed to help with this but I cannot seem
> to make it work it for me.

It will help - but you need to be explicit about what you want it to do...

> Sample of my record.
> v=spf1 ip4:67.221.119.199/32 a:month mx:salem.k12.va.us ~all

The first thing to notice is that you have ended the record with "~all".
That tells any SPF filters not to reject it - it's a testing mode. You'd
need to change that to "-all" if you want it to be effective.

Your record is also faulty - "month" doesn't resolve for anyone outside
your network, so the record is faulty. You should probably remove both the
"a:month" and "mx:salem.k12.va.us" terms, as (if I've correctly
interpreted what you're trying to do), they'll both point to that same IP
address anyway.

Vic.



Re: trouble with spoofed email spf not working
On Mon, Feb 15, 2010 at 14:03, Russ Muncy <rmuncy@salem.k12.va.us> wrote:
> I’m new to the SPF concept and having trouble with it. I am getting a lot of spoofed email which appears to come from our domain, thereby avoiding our spam filter. This only happens whenever I try to use a mail forwarder such as MailHop. The spammers send email directly to the secondary MX servers. I thought SPF was supposed to help with this but I cannot seem to make it work for me. I am using Windows 2003 Server DNS as my primary and DynDNS as my secondary. I have used the SPF Wizard to help with the text record. Not sure where to go from here.

Further to Vic's responses - you need to ensure you list the MailHop
servers if you're relaying email through them. You also need to
ensure you're checking SPF records on incoming mail.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche


RE: trouble with spoofed email spf not working
Thanks Vic. I appreciate your response. I have made changes as you suggested; will wait to see what happens. I am curious how you might advise being able to create some redundancy for your mail server without creating this problem.

Thanks again.
Russ
-----Original Message-----
From: Vic [mailto:spf1@beer.org.uk]
Sent: Monday, February 15, 2010 9:17 AM
To: spf-help@v2.listbox.com
Subject: Re: [spf-help] trouble with spoofed email spf not working
RE: trouble with spoofed email spf not working
> I am curious how you might
> advise being able to create some redundancy for your mail server without
> creating this problem.

The simple answer is - don't.

The idea behind relaying was that MTAs were only occasionally connected to
the Internet, so machines used to help each other out. This is no longer
the case; most MTAs are pretty much permanently connected, so there is
rarely a need for a backup MX.

If your primary should go down for a while, the sending MTAs will do the
retries. More importantly, senders don't get the false impression that
their mail is on the way to you; they are kept informed. Once your primary
comes back up, the mail gets delivered with minimal additional delay, and
everyone is happy.

Note that there are exceptions to this generality - but most people I've
met are part of it...

Vic.



RE: trouble with spoofed email spf not working
Best explanation I've heard.
Thanks.
Russ

-----Original Message-----
From: Vic [mailto:spf1@beer.org.uk]
Sent: Monday, February 15, 2010 9:44 AM
To: spf-help@v2.listbox.com
Subject: RE: [spf-help] trouble with spoofed email spf not working
RE: trouble with spoofed email spf not working
At 14:43 15/02/2010 Monday, Vic wrote:

>> I am curious how you might
>> advise being able to create some redundancy for your mail server without
>> creating this problem.

simply ensure that your backup MXes enforce identical policy for incoming mail as your primaries
{backup MXes not under your direct administrative control should never be used}

i.e. ensure all use the same DNSBLs
ensure all reject {not bounce} mail to non-existent addresses
ensure all enforce the same SPF checks on inbound email
ensure all perform identical content-based filtering {if any}

as for your original question {how to block inbound forgeries of your own domain}, SPF isn't even needed for this
{SPF checking is for blocking inbound forgeries of SPF-publishing domains, whether yours publishes SPF or not}
your MTAs should by policy be able to block all external senders claiming to be you regardless of SPF

{as your own users should only be sending outbound/internal via your submission server {could be the same machine/server but it's on port 587 and authenticated, not 25}}
so even internal > internal will never be arriving from 'outside'

as for the SPF record

v=spf1 ip4:67.221.119.199/32 a:month mx:salem.k12.va.us ~all

what Vic said

as according to the headers
Received: from month.salem.k12.va.us (month.salem.k12.va.us [67.221.119.199]

so a:month is a syntax error, and a:month.salem.k12.va.us == ip4:67.221.119.199/32 so unnecessary, and as it's in your own domain it's unlikely to move without your knowledge

mx:salem.k12.va.us == a:mx1.mailhop.org. a:month.salem.k12.va.us a:mx2.mailhop.org.

so could be better/faster written/read as

v=spf1 ip4:67.221.119.199/32 a:mx1.mailhop.org a:mx2.mailhop.org ~all

if and only if you send mail out to the Internet via these mailhop.org servers
{it's unusual for backup MXes to be used for outbound mail in any way}

{I do wonder why inbound mail is told to use mailhop.org and only use your server if they are unavailable though??, your server is listed as 2nd preference of 3}





RE: trouble with spoofed email spf not working
quick followup

also see your SPF record currently is

"v=spf1 mx -all"

I would strongly suggest using the faster alternative as stated earlier

v=spf1 ip4:67.221.119.199/32 a:mx1.mailhop.org a:mx2.mailhop.org ~all

also of course you need to have a corresponding SPF record set up for any HELO identities you use/control, so for

month.salem.k12.va.us.
you should have the SPF record of
v=spf1 ip4:67.221.119.199/32 ~all

so no other server can claim to be month.salem.k12.va.us.
{and so others can verify yours is who it claims to be}
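A small SPF evaluator, added here and not code from any poster, that runs the records discussed in this thread against a constructed DNS table: it returns permerror for the original record because of the bare `a:month`, softfail versus fail for an outside address under `~all` versus `-all`, pass for the mailhop hosts under the rewritten record, the same answers for `v=spf1 mx -all`, and the HELO record for month.salem.k12.va.us. The 67.221.119.199 address and the MX list come from the thread; the mailhop.org addresses (192.0.2.x) are made-up placeholders.

```python
"""Minimal SPF (RFC 7208) evaluator over a constructed, offline DNS table.
Added example, not any poster's code: it models the records discussed above.
The mailhop.org addresses are made up (TEST-NET-1); the thread never gives them."""
import ipaddress

# Constructed DNS table: 67.221.119.199 and the MX list come from the thread's
# headers; the two mailhop.org A records are placeholders.
DNS = {
    ("A", "month.salem.k12.va.us"): ["67.221.119.199"],
    ("A", "mx1.mailhop.org"): ["192.0.2.10"],
    ("A", "mx2.mailhop.org"): ["192.0.2.20"],
    ("MX", "salem.k12.va.us"): ["mx1.mailhop.org", "month.salem.k12.va.us",
                                "mx2.mailhop.org"],
    ("TXT", "salem.k12.va.us"): [
        "v=spf1 ip4:67.221.119.199/32 a:month mx:salem.k12.va.us ~all"],
    ("TXT", "month.salem.k12.va.us"): ["v=spf1 ip4:67.221.119.199/32 ~all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(rtype, name):
    return DNS.get((rtype, name.rstrip(".").lower()), [])

def parse(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms.
    A syntax error anywhere makes RFC 7208 return permerror for the whole
    record before any term is evaluated, so raise instead of evaluating."""
    terms = []
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        if mech not in ("all", "ip4", "a", "mx"):
            raise ValueError("mechanism not modelled here: " + mech)
        # A domain-spec needs at least one dot ("." toplabel in the ABNF), so
        # the bare label "month" in the original record is a syntax error.
        if mech in ("a", "mx") and arg and "." not in arg:
            raise ValueError("bad domain-spec: " + arg)
        terms.append((qual, mech, arg))
    return terms

def check_host(ip, domain, record=None):
    """SPF result for a connection from `ip` whose MAIL FROM/HELO is `domain`."""
    ip = ipaddress.ip_address(ip)
    if record is None:
        spf = [t for t in lookup("TXT", domain) if t.startswith("v=spf1 ")]
        if not spf:
            return "none"
        record = spf[0]
    try:
        terms = parse(record)
    except ValueError:
        return "permerror"
    for qual, mech, arg in terms:
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:  # "a" or "mx": resolve hosts, then compare their A records to ip
            hosts = lookup("MX", arg or domain) if mech == "mx" else [arg or domain]
            matched = str(ip) in [a for h in hosts for a in lookup("A", h)]
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # record ended without an "all" term

# The rewrite proposed in the thread; "-all" is the variant receivers may reject on.
REWRITTEN_SOFT = "v=spf1 ip4:67.221.119.199/32 a:mx1.mailhop.org a:mx2.mailhop.org ~all"
REWRITTEN_HARD = REWRITTEN_SOFT.replace("~all", "-all")
```

Only ip4, a, mx and all are modelled; anything else in a record is reported as permerror rather than silently ignored.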



RE: trouble with spoofed email spf not working
Great information here.
In answer to Alan's question "{i do wonder why inbound mail is told to use mailhop.org and only use your server if they are unavailable though??, your server is listed as 2nd preference of 3}".
This is the suggested configuration of <dyndns.org>, since they are "supposed" to be providing some spam and virus filtering, then forwarding on to my MX server.

As Alan mentioned, my MTA does ignore the inbound forgeries when it is operating alone. I only have the problem when attempting to use an "outside" "backup MX server".
So, based on all the good responses I have been getting, I may change my mind on "backup MX servers" that are "not under my control".



-----Original Message-----
From: alan [mailto:spfdiscuss@alandoherty.net]
Sent: Monday, February 15, 2010 10:57 AM
To: spf-help@v2.listbox.com
Subject: RE: [spf-help] trouble with spoofed email spf not working
Re: trouble with spoofed email spf not working
On Mon, Feb 15, 2010 at 16:51, Russ Muncy <rmuncy@salem.k12.va.us> wrote:
> Great information here.
> In answer to Alan's question "{i do wonder why inbound mail is told to use mailhop.org and only use your server if they are unavailable though??, your server is listed as 2nd preference of 3}".
> This is the suggested configuration of <dyndns.org>. Since they are "supposed" to be providing some Spam and Virus filtering then forwarding on to my MX server.
>
> As Alan mentioned, my MTA does ignore the inbound forgeries when it is operating alone. I only have the problem when attempting to use an "outside" "backup MX server".
> So, based on all the good responses I have been getting, I may change my mind on "backup MX servers" that are "not under my control".

AFAIK DynDNS don't, yet, do any SPF filtering. I've found them to be
very open to discussion though and I suspect if enough people said
"I'd love to use your service, but you don't do SPF so I can't" it
might encourage them to check SPF records.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche


RE: trouble with spoofed email spf not working
At 16:51 15/02/2010 Monday, Russ Muncy wrote:
>Great information here.
>In answer to Alan's question "{i do wonder why inbound mail is told to use mailhop.org and only use your server if they are unavailable though??, your server is listed as 2nd preference of 3}".
>This is the suggested configuration of <dyndns.org>. Since they are "supposed" to be providing some Spam and Virus filtering then forwarding on to my MX server.

If outsourcing your spam/AV or other filtering then you should
A trust them entirely {or what's the point}
B do no filtering/checking on your "downstream" {as this creates backscatter and makes you the source of abuse}
C accept no connections on your downstream from the Internet, only from your "upstream servers" {to ensure no one gets round filters}

but as I understand it the DynDNS service is not supposed to be much more than a queueing service for people wanting to run mailservers on dynamic IPs {what the rest of us think is pretty universally a bad idea}

>As Alan mentioned, my MTA does ignore the inbound forgeries when it is operating alone. I only have the problem when attempting to use an "outside" "backup MX server".

do they not give you any control over filtering policy on mails to yourself?

also if {as appears to be the case} they do not provide outgoing mail service to you they need to be removed from your spf record

>So, based on all the good responses I have been getting, I may change my mind on "backup MX servers" that are "not under my control".

it's what I would recommend {because I NEED* to have the control}
{but as I also provide spam filtering services to others {who are happy to use our filter controls} I know the "having others as your public-facing MXes and running your own receiving server/mailboxes privately" is a legitimate and common setup}

they just have us enforce their SPF/DNSBL/etc policy long before any mail reaches their server {saving them all the load and hassle}


*need being an irrational urge for control



>-----Original Message-----
>From: alan [mailto:spfdiscuss@alandoherty.net]
>Sent: Monday, February 15, 2010 10:57 AM
>To: spf-help@v2.listbox.com
>Subject: RE: [spf-help] trouble with spoofed email spf not working