SMTP+SPF anti spam dns entry

[Terje Petersen]

Hi,

I am wondering if anybody here has any experience in
adding a TXT entry into a microsoft DNS server in order to
provide the functionality of the proposed SPF email anti-
spam record.

http://spf.pobox.com/intro.html

I notice that AOL are now publishing SPF records and I
want to be able to publish them also using our Microsoft
DNS server.

Apparently they use the TXT type field within DNS which
should mean that pretty much any DNS server in existance
can support an SPF definition.

Regards,
Terje.

SPF implemented at AOL:-

http://zdnet.com.com/2100-1104_2-5145065.html

 

[William Stacey]

That seems interesting. Would require a lot more records on a dns server -
wow. Wonder how much if any this would increase traffic on the inet? If an
email server does the reverse check anyway, maybe instead of that it just
does the spf check. However, it would need to do this for each email
address, not just the domain, so I guess it could increase traffic a lot.
Small price to pay if this works to decrease spam however. Is there an rfc
yet on spfs? I like it and will try to learn more.

 

[William Stacey]

Thinking about this more. This would prevent people spoofing aol.com domain
(for example), but would not stop spammers. They could just send from
domains they setup spf records on - or am I missing something? This would
help narrow the field, but they reg new domains so fast, not sure how much
it will slow them down.

 

[Terje Petersen]

Hi,

See the URL for RFC draft and other details including a
responce to objections.

http://spf.pobox.com

In the mean time I have managed to answer the DNS question
myself.

You add an SPF record to WINDOWS 2000 DNS via the
following steps:-

1. Open DNS snap in.
2. Right Click Domain that you want to add SPF record for.
3. Choose Other New Records.
4. Choose a record type of TXT.
5. Enter the SPF record to specify valid mail senders.

So Windows 2000 DNS already supports the ability to add
SPF records. Now we just need to get Exchange to support
SPF checking as per the draft RFC. No problem I will use a
third party gateway in front of exchange.

Regards,
Terje.

 

[William Stacey]

So Windows 2000 DNS already supports the ability to add

SPF records. Now we just need to get Exchange to support

Not to cut hairs here, but it still a TXT record. No SPF record afaict. A
txt record being used for this spf function. Won't you be blocking mail
from most of the world until everyone uses spf?

--wjs

 

[Terje Petersen]

No you are not blocking the whole world. Read the RFC.

Its a little like blocking open relays. Initially such a
move would have blocked a lot of the world. But the majors
like AOL are already going towards SPF so it gets easier
over time.

If people have no SPF record then you have two options:-

1. Assume they are okay.

This may seem dumb but its the intial phase of the
solution. You give them a higher spam score for not having
an SPF record but you let it pass.

2. Assume that a particular SPF setting such as:-

+PTR +MX

Which means if the sending machine is in the MX list or
has a PTR record relating to the claimed from address then
they are okay.

You still get some false positives but that is a choice
some of us are willing to where. We can clear up these
exceptions with whitelists or tell people to change
behaviour and get an SPF record.

A lot of people are already bouncing email if the PTR
record does not match. SPF is a lot less brutal than such
methods.

Rather than debate the issue just read the draft RFC.
There is a link to the RFC from the web site I posted.

Regards,
Terje.

 

[Terje Petersen]

Here is the RFC.

Section 3 answers most of your questions.

http://spf.pobox.com/draft-mengwong-spf.02.9.4.txt

 

[Terje Petersen]

http://www.infinitepenguins.net/SPF/earlyadopters.php

SPF Early adopters
This page lists a few of the better-known domains that
currently
publish SPF records.

* altavista.com Web search engine
* aol.com Large international ISP
* bytemark.co.uk UK open-source-friendly hosting
providers
* declude.com Managed email service provider
* dyndns.org Dynamic DNS services
* frontiernet.net US ISP
* gnu.org Home of the Gnu Free Software movement
* ksan.de Kassel Media Research Centre
* listbox.com Email discussion list services
* livejournal.com Million-user online journal site
* motleyfool.com International financial news and advice
* oreilly.com Publishers of computer books
* oxford.ac.uk Top-flight UK university
* perl.org The popular open-source language
* philzimmermann.com Home of the creator of PGP
* pobox.com "Lifetime Email" fowarding service
* symantec.com Norton Anti-Virus and Symantec security
products
* thyrsus.com Home of open-source visionary Eric S.
Raymond
* ticketmaster.com Online ticket sales for major events
* w3.org The World Wide Web Consortium
* worldonline.de Large german ISP

 

[Jonathan de Boyne Pollard]

WS> Thinking about this more.

Would that everyone would think the scheme through before jumping on the
bandwagon.

WS> This would prevent people spoofing aol.com domain
WS> (for example), but would not stop spammers.

It would also prevent legitimate mail from roaming users and remove one of the
most popular features of electronic mail, forwarding. There are other, more
subtle, problems with the scheme, too.

<URL:news:4019B618.B9E64DEF%40Tesco.NET>

 

[Jonathan de Boyne Pollard]

TP> Here is the RFC.
TP> <URL:http://spf.pobox.com./draft-mengwong-spf.02.9.4.txt>

That's not an RFC. It's claiming to be a draft, but in fact there is no such
draft currently in the IETF's list (which is possibly because that document
has passed its own expiry date).

 

[Guest]

Fortunately, once the largest ISP's implement SPF records, it's up to the RECIPIENT to decide whether to drop emails purporting to be from an SPF sender's domain. that means the recipient decides whether to use the SPF records or not. I like the idea of just closing the SMTP connection as "failed" rather than bouncing yet another message back to sender -- the spammer gets a failed delivery notice without a bounceback. And SPF then negates spoofing, so spammers can be traced and held accountable under the new US law.

 

[Jonathan de Boyne Pollard]

MB> Fortunately, once the largest ISP's implement SPF records, it's
MB> up to the RECIPIENT to decide whether to drop emails purporting
MB> to be from an SPF sender's domain.

There's nothing fortunate about that.

MB> that means the recipient decides whether to use the SPF records
MB> or not.

Recipients who have thought the scheme through before jumping on
the bandwagon will decide not to. (Recipients who have thought the
scheme through, seen what harm it causes to SMTP-based Internet mail,
and who have decided that perhaps this harm is necessary in order to
deter people from coming up with yet more of these half-baked ideas,
might decide to, though.)

MB> I like the idea of just closing the SMTP connection as "failed" [...]

Then you don't understand the protocol.

MB> And SPF then negates spoofing, [...]

False.