#1 |
Ahhh ... sweet pity. Where would my love life be without it?
|
Spam and SPF records
It looks like someone is sending spam e-mail that looks like it is coming from my domain. I was told to set up SPF records but I don't know anything about them. HELP! Any info would be greatly appreciated.
#2 |
That which does not kill us, will try, try again.
|
We were told that too and decided not to use SPF after some research. Make your own decision of course but here are a couple of pages with info on why it's not such a good idea...
http://homepages.tesco.net/J.deBoyne...s-harmful.html
http://david.woodhou.se/why-not-spf.html
__________________
"If you're happy and you know it, think again." -- Guru Pitka |
#3 |
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
|
In the control panel, on the left hand side is a menu option titled: Sender Policy Framework

If you never send outgoing mail from that domain, you can put a checkmark next to the domain, and make sure the pulldown box says: Checked domains *NEVER* send e-mail.

Click Apply Status, and at the top of the hour, your DNS will be updated.

If you do send email from that domain, but use our SMTP server:

Checkmark the domain, pull down the select box and select the option that says: Domain sends email *ONLY* from the IP assigned to it

Click Apply Status, and at the top of the hour, your DNS will be updated.

If however, you send email from your ISP, i.e. comcast.net, etc.

Click, Set up a new Rule Profile

The first option determines what to do if someone else is using SPF, typically you'll want to choose the last option of: (-) hard fail: Email not sent from the IP in the ruleset is forged.

If you send email through your ISP (i.e. qwest.net or rr.com), then the next field needs to contain that domain.

In the next field there should be a link below the field with the machine name (or names) that you are on. Click each one that can send mail out from that domain.

Click Submit NEW PROFILE RULE

You'll be returned to the previous screen, but, your new rule will show up in the select box.

Checkmark the domain, pull down the select box and select the option that says: v=spf1 DOMAIN_IP_ADDRESS etc etc

Click Apply Status, and at the top of the hour, your DNS will be updated.

Or, you can hit us on ICQ, Live Support, email, trouble ticket. I only posted because I vaguely recall seeing a trouble ticket go through regarding spam and I think you might have submitted the ticket?

For those of you wondering what is going on:

Spammers send emails out using email addresses that have been seen in mailboxes of trojaned/hijacked computers. Often times, if you have sent email to someone, and they are infected, your email address will get used as an outgoing address under the presumption that someone might vaguely recognize the address and give the spammer a little glimmer of hope that his email will be read. Unfortunately, the mail never comes from you, often times you don't even know it has been sent until you start seeing the bounces. Those bounces are typically called backscatter.

The theory is, if they use a random domain name or a domain name that has sent to some of their recipients, it will bypass the spam filters. Often, but not always, spammers do check to see if there are restrictive SPF records on the domain to give the maximum chance that their email will go through.

For those more curious about the details of how SPF is supposed to work: http://www.openspf.org/
__________________
SnapReplay.com a different way to share photos - iPhone & Android |
#4 |
If con is the opposite of pro, is Congress the opposite of progress?
|
As usual, cd34 & Simon have good info ... I get tons of spam with my own domain names in them.. I asked my Host how to stop it and he said there is no way lol ... guess I can!
#5 |
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
|
Well, having read those two pages, there are so many incorrect assumptions that are made.

They claim it breaks fallback MX servers. SPF doesn't look at the path that email took, merely that the email's envelope came from an IP that the published record says is valid.

I know of no ISPs that use someone else's SMTP servers as a relay for their outbound mail. When you connect with DSL, I seriously doubt comcast.net is sending out a mailserver in the DHCP setup that specifies another ISP's SMTP server.

But, in my opinion, I do not agree with either of those authors' assumptions.

If you set an SPF record that says bellsouth.net is allowed to deliver mail that you originate from domain.com, and someone submits a spam report to bellsouth.net saying, this email came from you. A quick look at the headers would say, no, it didn't come from bellsouth. A secondary check of the SPF record would say, not only did it not come from bellsouth, but, the SPF record says if it didn't come from bellsouth, it's invalid.

There are ISPs in Europe that refuse to take email unless the domain is properly tagged with SPF. Yahoo, while they have their domainkeys method, do set an SPF-Fail flag in their spam checking that tilts their spam meter in the other direction. However, with a valid SPF record, their filters are a little looser. Hotmail also uses SPF forgeries as a scoring point.

We look at SPF only as a check, but don't make any determinations. An SPF fail doesn't prevent email from being delivered, but, I can tell you that of the mail I have received with the SPF flag having failed, 100% of it was spam. That isn't to say that I didn't get spam with a valid SPF record.

There are conditions where SPF will not work well, and remailing/mailing lists is one of them.

There are very few real ways to stop spam and while this isn't the best method, I have found that the incidence of domains getting hit with the backscatter for spam has dropped dramatically once SPF records were implemented.
__________________
SnapReplay.com a different way to share photos - iPhone & Android |
#6 |
Ahhh ... sweet pity. Where would my love life be without it?
|
WOW, that is a lot to digest. Thanks for all the info and for the instructions, I am going to set it up now, so if I have any problems I will post here.