[Dshield] Are you using spf records?
stasinia at msoe.edu
Thu Jan 5 15:45:41 GMT 2006
Yes, at MSOE we do publish SPF records and use a SPF filter on our email
gateway. Though there is working being done to use SPF to increase the
spam score on SpamAssassin, our primary filter system is any time a
message does not pass the SPF test and use the "-all" option, it is
bounced. On our DNS side, we use the "-all" option to ensure that
message we did not send via our servers are dropped.
This also helps internally. No longer are our users folded with spam
from "admin at msoe.edu", "support at msoe.edu" and other such emails. As it
was becoming a support headache for our helpdesk to deal with the 20
calls per day asking if we really wanted them to run the attached
I bet we are not alone in the following problem. Several "overly
helpful" sites like to send spoofed emails (e-greeting card sites and
professional societies come to mind). Though most of the greeting cards
sites now use a "real" source address and just append the "senders" name
onto the email, every month or so we run into a professional society
that has some custom webapp for whatever they run that feels the need to
spoof the source address. So we usually end up having to spend a few
days first figuring out how to contact there webmaster and then working
with them to correct the problem. Also we will sometimes get the
students who configure their outgoing server to their ISP server and
start getting bounce message, but our helpdesk is by now well
experienced to handle such cases and help the user reconfigure their
Past that we have not had any issues we could not resolve ourselves.
But I am curious if anyone else has ran into major issues in which they
couldn't use the "-all" option or had to discontinue SPF completely?
Computer and Communication Services Department
Milwaukee School of Engineering
MSCE: Messaging & Security 2003
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Martin Forest
Sent: Thursday, January 05, 2006 12:41 AM
To: DShield Discussion List
Subject: [Dshield] Are you using spf records?
Happy new year to all of you.
I have done some minor research with SPF records. It is nice to see that
several of the big domains such as hotmail, msn, aol etc have started to
use SPF records. Especially as they are often used in forged emails.
them posting spf, it is now possible to block the spam bots that use
their "from addresses".
How many of you have spf records on your domains?
Thouse of you that don't have it, are you planning on it?
How many of you are using spf as part of your spam filtering?
I've done dns sniffing and can see more and more lookups for txt/spf
records for the emails.
One interesting thing I've noticed is that several of the big banks in
APAC, that constantly experience phishing attacks, don't have SPF
Funny, with SPF records, any ISP/organization that look at spf records
would be able to reject the phishing attacks. Maybe it is "to hard work"
for them as they would only save several milion dollars per year...
Ps. If there is anyone on the list that don't know what spf is, have a
look at http://www.openspf.org
If you take copy protection too far, the only customers you will have
the ones that intend to sell illegal copies of your work. By: Martin
Warning: DRM/BMG protected CD's are likely to infect you with a Rootkit.
Learn about Intrusion Detection in Depth from the comfort of your own
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
More information about the list