SPF Howto: Keep your domain names clean with SPF (Sender Policy Framework); it helps to stop spammers from using your domain names to send spam.

You can use DNS SPF (Sender Policy Framework) records to reduce the amount of spam you receive, but this article is not about that approach. We do not use SPF to filter our incoming mail for spam; we use other techniques and do not feel the need for SPF at this point. We will write about it if we decide to use SPF to filter our incoming mail in the future.

Nevertheless, we noticed that some spammers were using addresses from the domains we manage in the FROM field of their spam. This could be an attempt to get back at us, since we systematically report all the spam we receive.

Note: Systematically reporting all spam greatly reduces the amount of spam you receive. It can take up to 2 months before you start to see the drop in received spam, but spammers DO take your addresses off their lists when you report. To them, your addresses behave just like spam traps, and spammers DO take spam traps off their lists.

So basically, we have added SPF DNS records to the domains we manage. By doing so, we let others know from which machines (IP addresses) mail from our domains is sent. By using "-all" we tell systems that use SPF to filter mail to generate an error and notify the sender. See the notes on Wikipedia about "~all" (a tilde instead of a dash in front of "all") being more problematic.

I noticed that most big providers use "~all", which produces a soft fail on systems that use SPF to filter their mail, meaning no error is generated and the sender isn't notified on the spot. Worse, the message is accepted, so bandwidth is wasted transferring the body of the message.

The fact that most big providers use the soft fail "~all" in their SPF records might be a sign that SPF doesn't work that well for big providers whose customers send email from various network locations. They use soft fail because it is impossible for them to keep track of every IP that might send email for the domains they host.

For a smaller organization, though, SPF seems to suit just fine! It is easy to keep track of the machines allowed to send mail for the domains we manage. We ourselves send mail only from our mail exchangers (MX), and we have customers who send email through their ISP, which is either videotron.ca, bell.ca or sympatico.ca.

SPF records for the domains we manage:

IN TXT "v=spf1 a mx a:relais.videotron.ca a:mx.videotron.ca a:cluster3.eu.messagelabs.com include:spf1.oc9.com include:spf2.oc9.com -all"

spf1 IN TXT "v=spf1 ip4:142.182.48.192/27 ip4:206.47.74.69 ip4:206.172.20.49 ip4:206.47.72.0/24 ip4:206.47.60.0/24 ip4:206.47.199.0/24 ip4:209.226.175.0/24 -all"

spf2 IN TXT "v=spf1 ip4:67.69.240.0/24 ip4:198.235.69.0/26 ip4:64.26.142.75 ip4:64.26.142.77 ip4:67.69.240.0/24 ip4:204.101.196.0/24 ip4:206.47.0.160/27 ip4:207.236.237.0/25 ip4:67.70.214.43 ip4:216.18.99.22 ip4:69.156.197.234 ip4:66.241.131.163 -all"

We found the bell.ca, sympatico.ca and videotron.ca IPs by issuing the following commands:

$ nslookup
> set type=TXT
> videotron.ca
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
videotron.ca text = "v=spf1 mx a:relais.videotron.ca ~all"

Authoritative answers can be found from:
videotron.ca nameserver = vl-mo-dn009-fae1.mo.videotron.ca.
videotron.ca nameserver = vl-mo-dn010-fae1.mo.videotron.ca.
videotron.ca nameserver = vl-mo-dn011-fae1.mo.videotron.ca.
vl-mo-dn009-fae1.mo.videotron.ca internet address = 24.200.241.2
vl-mo-dn010-fae1.mo.videotron.ca internet address = 24.200.241.6
vl-mo-dn011-fae1.mo.videotron.ca internet address = 24.200.241.10
> bell.ca
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
bell.ca text = "v=spf1 mx ip4:198.235.69.0/26 ip4:64.26.142.75 ip4:64.26.142.77 ip4:67.69.240.0/24 ip4:204.101.196.0/24 ip4:206.47.0.160/27 ip4:207.236.237.0/25 ip4:67.70.214.43 ip4:216.18.99.22 ip4:69.156.197.234 ip4:66.241.131.163 include:spf.messagelabs.com +all"

Authoritative answers can be found from:
bell.ca nameserver = dcoczd.bell.ca.
bell.ca nameserver = dmog1a.bell.ca.
bell.ca nameserver = dmog2a.bell.ca.
bell.ca nameserver = toroondcnszs01.srvr.bell.ca.
> sympatico.ca
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
sympatico.ca text = "v=spf1 ip4:142.182.48.192/27 ip4:206.47.74.69 ip4:206.172.20.49 ip4:206.47.72.0/24 ip4:206.47.60.0/24 ip4:206.47.199.0/24 ip4:209.226.175.0/24 ip4:67.69.240.0/24 include:hotmail.com ?all"

Authoritative answers can be found from:
sympatico.ca nameserver = toroondcnszs01.srvr.bell.ca.
sympatico.ca nameserver = toroon63nszp01.srvr.bell.ca.
toroon63nszp01.srvr.bell.ca internet address = 207.164.234.42
> set type=MX
> videotron.ca
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
videotron.ca mail exchanger = 10 mx.videotron.ca.

Authoritative answers can be found from:
videotron.ca nameserver = vl-mo-dn010-fae1.mo.videotron.ca.
videotron.ca nameserver = vl-mo-dn011-fae1.mo.videotron.ca.
videotron.ca nameserver = vl-mo-dn009-fae1.mo.videotron.ca.
mx.videotron.ca internet address = 24.201.245.37
vl-mo-dn009-fae1.mo.videotron.ca internet address = 24.200.241.2
vl-mo-dn010-fae1.mo.videotron.ca internet address = 24.200.241.6
vl-mo-dn011-fae1.mo.videotron.ca internet address = 24.200.241.10
> bell.ca
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
bell.ca mail exchanger = 10 cluster3.eu.messagelabs.com.

Authoritative answers can be found from:
bell.ca nameserver = dcoczd.bell.ca.
bell.ca nameserver = dmog1a.bell.ca.
bell.ca nameserver = dmog2a.bell.ca.
bell.ca nameserver = toroondcnszs01.srvr.bell.ca.

Since our MX hosts also identify themselves with the following names in the HELO command when they send mail, we added the following records to our DNS (BIND/named) zone file; the MX hosts that send mail are master.oc9.com and slave2.oc9.com:

master IN TXT "v=spf1 a -all"

slave2 IN TXT "v=spf1 a -all"

Scenario:

1) A spammer at IP 207.92.89.76 tries to send spam to 9.8.7.121 with an oc9.com address in the FROM field.

2) The mail server at 9.8.7.121 uses SPF to filter mail, so it queries our DNS server and gets the list of IPs authorized to send mail for OC9.COM, i.e. our SPF record.

3) 207.92.89.76 is not on the SPF list, so 9.8.7.121 should reject the mail, not even letting the spammer upload the message body, because we use the "-all" directive.
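As an added illustration of the scenario above (example code, not from the article), the following Python evaluator walks an SPF record the way a receiving MTA would, using an in-memory table in place of the nslookup queries: the TXT entries are shortened copies of the records shown on this page, while the A/MX data for the oc9.com hosts (203.0.113.10) and the softfail.example domain are assumed placeholders. It also shows what "~all" versus "-all" yields for the spammer's IP, and that an ip4-only record fails an IPv6 sender.

```python
import ipaddress

# Constructed in-memory DNS table standing in for the nslookup queries in the
# article. TXT values are shortened copies of the records shown on the page;
# the A/MX data for the oc9.com hosts and softfail.example are placeholders.
DNS = {
    "TXT": {
        "oc9.com": "v=spf1 a mx a:mx.videotron.ca include:spf1.oc9.com "
                   "include:spf2.oc9.com -all",
        "spf1.oc9.com": "v=spf1 ip4:142.182.48.192/27 ip4:206.47.74.69 -all",
        "spf2.oc9.com": "v=spf1 ip4:67.69.240.0/24 ip4:198.235.69.0/26 -all",
        "master.oc9.com": "v=spf1 a -all",  # HELO identity record
        "softfail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    },
    "A": {"oc9.com": ["203.0.113.10"], "master.oc9.com": ["203.0.113.10"],
          "mx.videotron.ca": ["24.201.245.37"]},
    "MX": {"oc9.com": ["master.oc9.com"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for `ip` sending as `domain`.
    Supports the mechanisms the article uses: a, mx, a:host, ip4, include, all."""
    if depth > 10:                      # RFC 4408 caps include nesting
        return "permerror"
    record = DNS["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qual = "+"                      # a bare mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        hit = False                     # unknown mechanisms never match
        if name == "all":
            hit = True                  # "-all" rejects, "~all" soft-fails
        elif name == "ip4":             # IPv6 senders never match an ip4 term
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            hit = str(addr) in DNS["A"].get(arg or domain, [])
        elif name == "mx":
            hit = any(str(addr) in DNS["A"].get(mx, [])
                      for mx in DNS["MX"].get(arg or domain, []))
        elif name == "include":         # include matches only on "pass"
            hit = check_spf(ip, arg, depth + 1) == "pass"
        if hit:
            return QUALIFIERS[qual]
    return "neutral"                    # nothing matched and no "all" term
```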

Testing:

$ nslookup
> set type=TXT
> oc9.com
Server: 127.0.0.1
Address: 127.0.0.1#53

oc9.com text = "v=spf1 a mx a:relais.videotron.ca a:mx.videotron.ca a:cluster3.eu.messagelabs.com include:spf1.oc9.com include:spf2.oc9.com -all"
> croisade.com
Server: 127.0.0.1
Address: 127.0.0.1#53

croisade.com text = "v=spf1 a mx a:relais.videotron.ca a:mx.videotron.ca a:cluster3.eu.messagelabs.com include:spf1.oc9.com include:spf2.oc9.com -all"
> mistralaero.com
Server: 127.0.0.1
Address: 127.0.0.1#53

mistralaero.com text = "v=spf1 a mx a:relais.videotron.ca a:mx.videotron.ca a:cluster3.eu.messagelabs.com include:spf1.oc9.com include:spf2.oc9.com -all"
> spf1.oc9.com
Server: 127.0.0.1
Address: 127.0.0.1#53

spf1.oc9.com text = "v=spf1 ip4:142.182.48.192/27 ip4:206.47.74.69 ip4:206.172.20.49 ip4:206.47.72.0/24 ip4:206.47.60.0/24 ip4:206.47.199.0/24 ip4:209.226.175.0/24 -all"
> spf2.oc9.com
Server: 127.0.0.1
Address: 127.0.0.1#53

spf2.oc9.com text = "v=spf1 ip4:67.69.240.0/24 ip4:198.235.69.0/26 ip4:64.26.142.75 ip4:64.26.142.77 ip4:67.69.240.0/24 ip4:204.101.196.0/24 ip4:206.47.0.160/27 ip4:207.236.237.0/25 ip4:67.70.214.43 ip4:216.18.99.22 ip4:69.156.197.234 ip4:66.241.131.163 -all"

> master.oc9.com
Server: 127.0.0.1
Address: 127.0.0.1#53

master.oc9.com text = "v=spf1 a -all"
> slave2.oc9.com
Server: 127.0.0.1
Address: 127.0.0.1#53

slave2.oc9.com text = "v=spf1 a -all"

Further scenario testing can be done here. A web-based tool lets you simulate a spammer sending email and tells you what an SPF-filtering system would have done with the message. We tried it with a few valid and invalid IPs and the results were as expected: all mail coming from unknown IPs would have returned the FAIL result code according to this test tool. You may also use this other tool.

References:

Nice web-based wizard: it scans your current configuration, explains it to you, and can also generate your SPF entry. Click here.

The SPF RFC: RFC 4408.

Last updated: Wednesday, 26 March 2008 23:44