Mailing List Archive

new to spf, need assistance
I am very much a newbie when it comes to this, so please be patient.

I manage a site "ecomedica.ca" which for the most part is receiving
much less spam now than in the past; however, one account is
constantly bombarded with "bounce" emails that never came from him.
These are emails stating they could not be delivered and the reply
address is the person at ecomedical.ca. A source check shows they're
coming back from Russia, China, Turkey, Brazil, and the list goes on.

I investigated this site and placed a txt record as follows

v=spf1 mx ?all

I attempted to do it through cPanel, but was having difficulties until
I reached the support section, who proceeded to advise that "they" put
in the mechanism I requested. I then wanted to ensure that my issue
would be resolved by doing this, and their response was as follows:

"The SPF mechanism is a method of marking spam mail, not of preventing
joe jobs. If a spammer sends out mail with your return address, your
account will receive the bounce messages, and there really isn't much
you can do about it, except filter for bounce messages. The SPF record
will only mark mail from your domain and IP as a valid source. It can
deter "Joe Jobs" but only if the receiving server uses SPF records to
confirm the identity of the sender, and most don't."

I'm confused. I'm certain from what I've learned on this site that
it in fact can be done, just as long as the right mechanism is
created.

So my question is, what would the correct mechanism be to stop these
emails, and by the same token, something I could include for the rest
of the sites I manage?

Thank you
Chris



-------------------------------------------
Sender Policy Framework: http://www.openspf.org [http://www.openspf.org]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com
Re: new to spf, need assistance
> their response was as follows;
>
> "The SPF mechanism is a method of marking spam mail

This is incorrect. They are telling you porkies.

SPF is about preventing *forgery*. That's all. There is a certain
correlation with spam, because bad guys do bad things, but that is purely
incidental.

> If a spammer sends out mail with your return address, your
> account will receive the bounce messages

This is basically wrong.

It presumes that there will *be* a bounce message. By implementing SPF
records, you will cut those down dramatically. I get a handful a year, and
I complain about every one of them.

> It can
> deter "Joe Jobs" but only if the receiving server uses SPF records to
> confirm the identity of the sender, and most don't."

That's probably wrong. Certainly, *enough* receiving MTAs use SPF to make
it worthwhile.

> I manage a site "ecomedica.ca" which for the most part is receiving
> much less spam now than in the past; however, one account is
> constantly bombarded with "bounce" emails that never came from him.
> These are emails stating they could not be delivered and the reply
> address is the person at ecomedical.ca. A source check shows they're
> coming back from Russia, China, Turkey, Brazil, and the list goes on.

This is standard spammer spoofing practice. Put up some SPF records, and
life will get much better.

> I investigated this site and placed a txt record as follows
>
> v=spf1 mx ?all

That's essentially non-functional; although it will mark as "permitted"
anything sent from your MX (which I hope is your sending MTA), absolutely
everything else is marked as neutral; that's just the same as if you had
no record at all.

You should change "?all" to "~all" in the short term, and then change that
to "-all" once you're happy with how it works.

> I attempted to do it through cPanel, but was having difficulties until
> I reached the support section, who proceeded to advise that "they" put
> in the mechanism I requested.

Is there a typo in the domain you listed above? That one has no SPF records.

> So my question is, what would the correct mechanism be to stop these
> emails, and by the same token, something I could include for the rest
> of the sites I manage?

Step 1: Set up a public SPF record. If you have mis-typed your domain
above in the way I think you have, you might already have completed this.
Step 2: Set up a SPF filter on your MX. This will clean up your incoming
mail quite a bit. Be sure to set up filtering so that rejections occur
during the SMTP conversation - accepting then rejecting makes you part of
the backscatter attack vector.
Step 3: Consider getting a hosting provider that isn't a clueless twonk.

HTH

Vic.



Re: new to spf, need assistance
On 29-Apr-10, at 4:54 PM, chrism@digital-deviance.com wrote:

> I am very much a newbie when it comes to this, so please be patient.
>
> I manage a site "ecomedica.ca" which for the most part is receiving
> much less spam now than in the past; however, one account is
> constantly bombarded with "bounce" emails that never came from him.
> These are emails stating they could not be delivered and the reply
> address is the person at ecomedical.ca. A source check shows
> they're coming back from Russia, China, Turkey, Brazil, and the list
> goes on.
>
> I investigated this site and placed a txt record as follows
>
> v=spf1 mx ?all

The SPF policy in place for the domain 'ecomedical.ca' is as follows:

v=spf1 a mx

That SPF policy is invalid since it does not include an 'all'
mechanism. In addition, since 'a' and 'mx' both point to the same
IP address '72.55.186.46', a better way of expressing that SPF policy
is by using the IP address, as that saves a DNS lookup.

Provided that all mail for that domain originates from one IP address,
the proper SPF policy would be:

v=spf1 ip4:72.55.186.46 ~all

Once you've finished testing and are satisfied that the SPF policy is
working correctly, change the 'all' to a FAIL like this:

v=spf1 ip4:72.55.186.46 -all

Check the SPF site for more info about the 'all' mechanism.


> I attempted to do it through cPanel, but was having difficulties
> until I reached the support section, who proceeded to advise that
> "they" put in the mechanism I requested. I then wanted to ensure
> that my issue would be resolved by doing this, and their response was
> as follows:
>
> "The SPF mechanism is a method of marking spam mail, not of
> preventing joe jobs. If a spammer sends out mail with your return
> address, your account will receive the bounce messages, and there
> really isn't much you can do about it, except filter for bounce
> messages. The SPF record will only mark mail from your domain and IP
> as a valid source. It can deter "Joe Jobs" but only if the receiving
> server uses SPF records to confirm the identity of the sender, and
> most don't."
>
> I'm confused. I'm certain from what I've learned on this site that
> it in fact can be done, just as long as the right mechanism is
> created.
>
> So my question is, what would the correct mechanism be to stop these
> emails, and by the same token, something I could include for the
> rest of the sites I manage?


The purpose of SPF is to prevent domain name forgery. The fact that
virtually all spam/junk mail is forged means that SPF is also an
effective way to cut down on junk mail.

The support guy you spoke to is correct in that unless the receiving
email server is checking SPF policies then the mail will continue to
bounce back. Rest assured though as more and more email servers
implement SPF checking, the problem gets better. Also, by publishing
an SPF policy, forgers are less likely to use your domains for forging
their junk mail.


--
Gino Cerullo

Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6

416-247-7740



Re: new to spf, need assistance
At 21:54 29/04/2010 Thursday, chrism@digital-deviance.com wrote:
>I am very much a newbie when it comes to this, so please be patient.
<removed for brevity>


> v=spf1 mx ?all

This could be greatly improved upon.
For instance, ?all means {and from all other places, don't reject}, making the whole record moot.
-all means reject from all others [hardfail]
~all means fail, but try to spam-folder/quarantine etc. rather than reject [softfail]
?all means neutral, i.e. deliver anyway just as if it had no SPF, just award no points for "passing" [neutral]

>I then wanted to ensure that my issue
>would be resolved by doing this and their response was as follows;
>
>"The SPF mechanism is a method of marking spam mail, not of preventing
>joe jobs. If a spammer sends out mail with your return address, your
>account will receive the bounce messages, and there really isn't much
>you can do about it, except filter for bounce messages. The SPF record
>will only mark mail from your domain and IP as a valid source. It can
>deter "Joe Jobs" but only if the receiving server uses SPF records to
>confirm the identity of the sender, and most don't."

This is true; SPF can't stop someone who doesn't check SPF from receiving forgeries,
though studies show few domains with -all terminated SPF records are forged in spam
{because spammers' profits are directly linked to the number of deliveries}.

{Blocking bounces does even more damage.}
How you would do this is:
A publish an SPF ending in -all {for at least this user; other users can have a more open policy}
B quarantine bounces for this user till the issue subsides
C consider using BATV on your outgoing/incoming mailserver {requires a more entertaining SPF setup but is fun to do}
D block bounces from mailservers listed on http://www.backscatterer.org/?target=usage {i.e. use their RBL in SAFE-MODE}

Any of these will mitigate the symptoms, but not stop the joe jobs, as this you cannot control; it happens on other people's networks/servers.


>I'm confused. I'm certain from what I've learned on this site that
>it in fact can be done, just as long as the right mechanism is
>created.

nope

>So my question is, what would the correct mechanism be to stop these
>emails, and by the same token, something I could include for the rest
>of the sites I manage?

Well, we can help you write a better SPF record first; everything else I'd be happy to talk about off-list.


>Thank you
>Chris
>
>
>



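Item C above (BATV) and the earlier advice to reject during the SMTP conversation rather than after accepting can be shown together. What follows is an added example in Python, my own code rather than anything posted in this thread or shipped with any MTA: it rewrites an outgoing envelope sender into the prvs=...=user@domain form, verifies the tag on a bounce that comes back, and makes the RCPT TO decision an MX would make with it. The prvs= layout follows the BATV draft only as far as one key digit, a three-digit day counter and six hex signature characters; the HMAC construction, the seven-day validity window, the key value, the date and the address user@ecomedical.ca are this example's own assumptions.

```python
# Added example, not code from the thread: a small BATV-style signer/verifier
# and the RCPT TO policy an MX would apply with it. Outgoing MAIL FROM is
# rewritten to prvs=<tag>=user@domain; a bounce (null envelope sender)
# arriving for an address without a valid tag cannot be a reply to anything
# we sent, so it is refused inside the SMTP dialogue and never becomes
# backscatter. The "prvs=KDDDSSSSSS=" layout follows the BATV draft; the
# HMAC details, validity window, key and addresses are assumptions.
import datetime
import hashlib
import hmac
import re

PRVS_RE = re.compile(
    r"^prvs=(?P<key>\d)(?P<day>\d{3})(?P<sig>[0-9a-f]{6})=(?P<addr>[^@]+@.+)$", re.I
)

# Constructed demo values (assumptions): the date of the thread and a secret
# that in practice lives only on the MTA that signs and verifies.
DEMO_DAY = datetime.date(2010, 4, 29)
DEMO_KEY = b"constructed-secret-key"


def days_after(date, n):
    return date + datetime.timedelta(days=n)


def _day(date):
    """Three-digit day counter (wraps every 1000 days), as carried in the tag."""
    return date.toordinal() % 1000


def _sig(key, day, addr):
    """Six hex chars of an HMAC over the day counter and the inner address."""
    return hmac.new(key, f"{day:03d}{addr.lower()}".encode(), hashlib.sha1).hexdigest()[:6]


def batv_sign(addr, key, date, key_id=1):
    """Rewrite an outgoing envelope sender: user@domain -> prvs=KDDDSSSSSS=user@domain."""
    local, domain = addr.rsplit("@", 1)
    day = _day(date)
    return f"prvs={key_id}{day:03d}{_sig(key, day, addr)}={local}@{domain}"


def batv_verify(rcpt, key, date, max_age_days=7):
    """Return the inner address if rcpt carries a valid, unexpired tag, else None."""
    m = PRVS_RE.match(rcpt)
    if not m:
        return None
    day = int(m["day"])
    if (_day(date) - day) % 1000 > max_age_days:
        return None                      # stale tag: a harvested address being replayed
    if not hmac.compare_digest(m["sig"].lower(), _sig(key, day, m["addr"])):
        return None                      # wrong key or tampered tag
    return m["addr"]


def rcpt_decision(mail_from, rcpt_to, key, date):
    """Policy at RCPT TO, before DATA: returns (SMTP reply, mailbox to deliver to)."""
    if mail_from == "":                  # null envelope sender: this is a bounce/DSN
        inner = batv_verify(rcpt_to, key, date)
        if inner is None:
            return ("550 5.7.1 bounce for an address we never used as sender", None)
        return ("250 2.1.5 OK", inner)
    # Ordinary mail (someone replied to a tagged address): deliver, tag stripped.
    m = PRVS_RE.match(rcpt_to)
    return ("250 2.1.5 OK", m["addr"] if m else rcpt_to)


if __name__ == "__main__":
    signed = batv_sign("user@ecomedical.ca", DEMO_KEY, DEMO_DAY)
    print("outgoing MAIL FROM: <%s>" % signed)
    print("bounce to tagged address:", rcpt_decision("", signed, DEMO_KEY, DEMO_DAY))
    print("bounce to plain address: ", rcpt_decision("", "user@ecomedical.ca", DEMO_KEY, DEMO_DAY))
    print("bounce with stale tag:   ", rcpt_decision("", signed, DEMO_KEY, days_after(DEMO_DAY, 30)))
```

The decision is made at RCPT TO on purpose: a forged bounce is refused with a 550 before the body is ever transferred, so the MX never accepts and then re-bounces it. Note that a tagged address still belongs to the same domain, so the SPF record published for that domain continues to apply to the rewritten MAIL FROM.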
Re: new to spf, need assistance
"Gino Cerullo" <gcerullo@pixelpointstudios.com> wrote:
>The SPF policy in place for the domain 'ecomedical.ca' is as follows,
>
>v=spf1 a mx
>
>That SPF policy is invalid since it does not include an 'all'
>mechanism.

Your advice on what to do is on target, but on this point you are not correct. In the absence of an explicit all, there is an implicit ?all, so the record is a valid construct. Whether it does what the OP wants is, of course, a different question.

Scott K
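To make the advice in this thread concrete, here is an added example (my own code, not from any poster or from the SPF project): a minimal SPF check_host() in Python that evaluates the ip4/ip6/a/mx/all mechanisms against a small constructed DNS table. Run on the records quoted above it shows why Vic calls "v=spf1 mx ?all" non-functional, what Gino's "ip4:... ~all" and "-all" versions return for a forger's IP, the four qualifier meanings listed in the previous reply, and Scott's point that a record with no "all" term is valid and simply ends in an implicit neutral. The TXT record "v=spf1 a mx" and the address 72.55.186.46 are as reported in the thread; the MX host name mail.ecomedical.ca, the forger address 203.0.113.9 and the DNS table itself are constructed, and include:, redirect= and the remaining mechanisms are deliberately left out.

```python
# Added example (not code from the thread): a minimal SPF check_host() that
# evaluates ip4/ip6/a/mx/all terms against a constructed DNS table, so the
# difference between "?all", "~all", "-all" and a record with no "all" at all
# can be seen on the records quoted in this thread. No network access.
import ipaddress

# Constructed DNS data. The TXT record and the address 72.55.186.46 are as
# reported in the thread; the MX host name "mail.ecomedical.ca" is assumed.
FAKE_DNS = {
    ("ecomedical.ca", "TXT"): ["v=spf1 a mx"],
    ("ecomedical.ca", "A"): ["72.55.186.46"],
    ("ecomedical.ca", "MX"): ["mail.ecomedical.ca"],
    ("mail.ecomedical.ca", "A"): ["72.55.186.46"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query; [] where a resolver would return NXDOMAIN/NODATA."""
    return FAKE_DNS.get((name.lower(), rtype), [])


def parse_record(record):
    """Split 'v=spf1 ...' into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qual = "+"                      # an unqualified mechanism means PASS
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qual, name.lower(), arg))
    return parsed


def mechanism_matches(name, arg, ip, domain):
    """True if the connecting IP is matched by one mechanism."""
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        return ip in ipaddress.ip_network(arg, strict=False)   # bare IP => /32 or /128
    if name == "a":
        return any(ipaddress.ip_address(a) == ip for a in lookup(arg or domain, "A"))
    if name == "mx":
        for mx_host in lookup(arg or domain, "MX"):
            if any(ipaddress.ip_address(a) == ip for a in lookup(mx_host, "A")):
                return True
        return False
    raise ValueError(f"mechanism '{name}' not implemented in this example")


def check_host(ip, domain, record=None):
    """Return the SPF result for <ip> sending as <domain>.

    If no record is given it is fetched from the constructed DNS table, as a
    receiving MTA would fetch it from the real DNS.
    """
    ip = ipaddress.ip_address(ip)
    if record is None:
        spf = [t for t in lookup(domain, "TXT") if t.lower().startswith("v=spf1")]
        if not spf:
            return "none"               # no policy published at all
        record = spf[0]
    for qual, name, arg in parse_record(record):
        if mechanism_matches(name, arg, ip, domain):
            return QUALIFIERS[qual]
    # Fell off the end without matching anything: the default is NEUTRAL,
    # exactly as if the record had ended in "?all".
    return "neutral"


def smtp_action(result):
    """How a receiving MTA should treat each result during the SMTP dialogue.

    Only a hard FAIL is refused, and it is refused before DATA so the forged
    message is never accepted and therefore never turned into a bounce.
    """
    if result == "fail":
        return "550 5.7.1 SPF fail: reject at MAIL FROM/RCPT TO"
    if result == "softfail":
        return "250 accept, but score/quarantine as suspect"
    return "250 accept"


if __name__ == "__main__":
    forger, real = "203.0.113.9", "72.55.186.46"   # constructed forger IP
    for rec in ("v=spf1 a mx", "v=spf1 mx ?all",
                "v=spf1 ip4:72.55.186.46 ~all", "v=spf1 ip4:72.55.186.46 -all"):
        print(f"{rec:32} forger -> {check_host(forger, 'ecomedical.ca', rec):8} "
              f"real -> {check_host(real, 'ecomedical.ca', rec)}")
```

Run directly it prints one line per record: the forger's IP is neutral under both "v=spf1 a mx" and "v=spf1 mx ?all", softfail under "~all" and fail under "-all", while the real sending address passes under all four. The smtp_action() mapping is the other half of Vic's step 2: a fail is refused inside the SMTP conversation, which is what stops your own MX from bouncing a forged message on to yet another victim.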
