In <C195B116.153EF%hunter@userfriendly.net> Michael Weiner <hunter@userfriendly.net> writes:
> On 12/1/06 10:08 AM, "wayne" <wayne@schlitt.net> wrote:
>>
>> This is actually one place that SPF can help, even if you prefer other
>> systems. By putting a "tracking exists" in an SPF record and
>> monitoring your name server logs, you can often tell who is not
>> relaying email through your authorized MTAs. Just use something like:
>>
>> domain.tld TXT "v=spf1 exists:_h.%{h}._l.%{l}._o.%{o}._i.%{i}._spf.%{d} ?all"
>
> I do not follow this 'tracking exists' record...could you explain in a
> little more detail please?!?
Hmmm... Details you say? OK. Julian gave a short reply, here is a
longer one.
When someone does an SPF check for domain.tld with the above SPF
record, the first thing it will do is do a DNSBL-type lookup on a
specially constructed name using the "exists:" mechanism. It will
then hit the ?all, which will return an SPF result of Neutral.
Ok, a closer look at the tracking exists:
exists:_h.%{h}._l.%{l}._o.%{o}._i.%{i}._spf.%{d}
The %{d} is simply a shorter way of saying "domain.tld", it is the
domain having the SPF record that is being checked. So, we really
have a DNSBL-type lookup under the _spf.domain.tld name.
The %{h} is the HELO name used to send the email being checked
The %{l} is the local part of the 2821.MAILFROM
The %{o} is the domain part of the 2821.MAILFROM
The %{i} is the IP address of the machine used to send email.
I split the 2821.MAILFROM into two parts because the local part of an
email address may be fairly long and DNS can't deal with more than 63
characters between dots (e.g. in one label).
Ok, so in my bind log file, I get records like:
01-Dec-2006 04:50:25.641 89.250.128.2#49911: _h.backbone.schlitt.net._l.root._o.schlitt.net._i.67.52.51.34._spf.schlitt.net
This says that someone using the 89.250.128.2 (ns.link-m.de) name server
did an SPF check from some machine claiming to be backbone.schlitt.net
(which is my mail host) coming from the IP address of 67.52.51.34
(which is my IP address) and using the 2821.MAILFROM of
root@schlitt.net.
Checking my mail logs, I see that at that time, my machine sent email
to Julian.
This is an example of everything checking out as being very legitimate.
With a quick check, I also find a few things such as:
24-Nov-2006 14:16:40.677 83.149.236.136#40502: _h.schlitt.net._l.postmaster._o.schlitt.net._i.190.39.44.10._spf.schlitt.net
27-Nov-2006 18:45:50.889 161.58.49.116#1040: _h.cargobrokers.com._l.wayne._o.schlitt.net._i.190.39.44.10._spf.schlitt.net
This looks more interesting. The IP address 190.39.44.10
(190-39-44-10.dyn.dsl.cantv.net) is sending email claiming to be from
postmaster@schlitt.net and wayne@schlitt.net. Strangely, this same
host used two different HELO names (schlitt.net and cargobrokers.com).
This looks like some zombied computer sending spam with my name.
It appears that someone using the name server at 83.149.236.136
(ns.kstu.ru) and 161.58.49.116 (va1-fv00383.vwh.net) checked my SPF
record to see if I had authorized this. My SPF will cause a Fail
result for these cases.
Mind you, schlitt.net is just my personal domain and I'm the only user
on it, so my results aren't that interesting.
There are a few things to keep in mind: First, anyone can fake these
queries. You will need to do sanity checking on the results.
Secondly, I have a long nTTL so these lookups will be cached for a
long time. You probably won't get one lookup per email.
-wayne
-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=1129
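The decoding described in the post, as an added example that is not part of the original message or of any SPF implementation: it splits the query names that the `_h.%{h}._l.%{l}._o.%{o}._i.%{i}._spf.%{d}` macro produces back into HELO, 2821.MAILFROM and sending IP, and applies the two sanity checks the post suggests (is the claimed sender IP one of the domain's authorized MTAs, and does one IP turn up with several HELO names). The log-line format is assumed from the excerpts quoted above rather than from the full BIND query-log syntax, which varies by version; only IPv4 `%{i}` expansions are handled; the sample lines are constructed (copied from the post's excerpts, plus one non-tracking query), and the authorized address list is a placeholder.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: the three lines quoted in the post plus one ordinary
# query for the zone apex, which the parser must ignore.
SAMPLE_LOG = """\
01-Dec-2006 04:50:25.641 89.250.128.2#49911: _h.backbone.schlitt.net._l.root._o.schlitt.net._i.67.52.51.34._spf.schlitt.net
24-Nov-2006 14:16:40.677 83.149.236.136#40502: _h.schlitt.net._l.postmaster._o.schlitt.net._i.190.39.44.10._spf.schlitt.net
27-Nov-2006 18:45:50.889 161.58.49.116#1040: _h.cargobrokers.com._l.wayne._o.schlitt.net._i.190.39.44.10._spf.schlitt.net
01-Dec-2006 05:00:00.000 10.0.0.1#5353: schlitt.net
"""

# Assumed line shape (taken from the post's excerpts, not the full BIND format):
#   <date> <time> <resolver-ip>#<port>: <queried-name>
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<resolver>[0-9.]+)#\d+: (?P<name>\S+)$")

# Name built by the record's macros: _h.%{h}._l.%{l}._o.%{o}._i.%{i}._spf.%{d}
# %{h}, %{l} and %{o} are chosen by the sender, so they are untrusted and may
# contain dots themselves.  Anchoring the IPv4 literal and the _spf suffix at
# the end and matching the sender-chosen fields lazily keeps the split
# unambiguous for well-formed names.  (IPv6 %{i} expands to dotted nibbles
# and is not handled here.)
NAME_RE = re.compile(
    r"^_h\.(?P<helo>.+?)\._l\.(?P<local>.+?)\._o\.(?P<orig>.+?)"
    r"\._i\.(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\._spf\.(?P<domain>.+)$"
)


def parse_query(line):
    """Decode one query-log line into its tracking fields.

    Returns None for lines that are not well-formed tracking queries, so
    normal zone traffic in the same log is skipped rather than misread."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    n = NAME_RE.match(m.group("name"))
    if not n:
        return None
    fields = n.groupdict()
    fields["ts"] = m.group("ts")
    fields["resolver"] = m.group("resolver")
    fields["mailfrom"] = f"{fields['local']}@{fields['orig']}"
    return fields


def analyze(log_text, our_domain, authorized_cidrs):
    """Decode every tracking query and apply the post's sanity checks.

    our_domain      -- the domain whose SPF record carries the exists: macro
    authorized_cidrs -- networks of the MTAs allowed to send for that domain
                        (placeholder values in the caller; use your own)"""
    nets = [ip_network(c) for c in authorized_cidrs]
    queries = []
    helos_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        q = parse_query(line)
        if q is None:
            continue
        ip = ip_address(q["ip"])
        # A query claiming an IP outside our MTAs means someone, somewhere,
        # received mail using our domain that did not go through us (or the
        # query itself was forged, which the post warns is trivial to do).
        q["authorized"] = any(ip in net for net in nets)
        q["domain_ok"] = q["domain"] == our_domain
        helos_by_ip[q["ip"]].add(q["helo"])
        queries.append(q)
    # One sending IP announcing itself under several HELO names is the
    # pattern the post singles out as a likely zombie.
    multi = sorted(ip for ip, helos in helos_by_ip.items() if len(helos) > 1)
    return {"queries": queries, "helos_by_ip": dict(helos_by_ip),
            "multi_helo_ips": multi}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, "schlitt.net", ["67.52.51.34/32"])  # placeholder CIDR
    for q in report["queries"]:
        status = "ok" if q["authorized"] else "NOT AUTHORIZED"
        print(f"{q['ts']} resolver={q['resolver']} ip={q['ip']} "
              f"helo={q['helo']} mailfrom={q['mailfrom']} [{status}]")
    for ip in report["multi_helo_ips"]:
        print(f"{ip} used several HELO names: {sorted(report['helos_by_ip'][ip])}")
```

Because the post notes that long negative-cache TTLs mean you will not see one query per message, treat the output as a sample of who is using your name rather than a count, and because anyone can generate these queries, treat each line as a lead to correlate with your own mail logs, as the post does, not as proof on its own.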