[Dshield] Are you using spf records?

Stasiniewicz, Adam stasinia at msoe.edu
Thu Jan 5 15:45:41 GMT 2006


Yes, at MSOE we do publish SPF records and use an SPF filter on our email
gateway.  Though there is work being done to use SPF to increase the
spam score on SpamAssassin, our primary filter system is that any time a
message does not pass the SPF test and uses the "-all" option, it is
bounced.  On our DNS side, we use the "-all" option to ensure that
messages we did not send via our servers are dropped.

This also helps internally.  No longer are our users flooded with spam
from "admin at msoe.edu", "support at msoe.edu" and other such emails, as it
was becoming a support headache for our helpdesk to deal with the 20
calls per day asking if we really wanted them to run the attached
program.

I bet we are not alone in the following problem.  Several "overly
helpful" sites like to send spoofed emails (e-greeting card sites and
professional societies come to mind).  Though most of the greeting card
sites now use a "real" source address and just append the "sender's" name
onto the email, every month or so we run into a professional society
that has some custom webapp for whatever they run that feels the need to
spoof the source address.  So we usually end up having to spend a few
days first figuring out how to contact their webmaster and then working
with them to correct the problem.  Also we will sometimes get the
students who configure their outgoing server to their ISP server and
start getting bounce messages, but our helpdesk is by now well
experienced to handle such cases and help the user reconfigure their
client.

Past that we have not had any issues we could not resolve ourselves.
But I am curious if anyone else has run into major issues in which they
couldn't use the "-all" option or had to discontinue SPF completely?

Regards,
Adam Stasiniewicz 
Computer and Communication Services Department 
Milwaukee School of Engineering 
MSCE: Messaging & Security 2003

 
-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Martin Forest
Sent: Thursday, January 05, 2006 12:41 AM
To: DShield Discussion List
Subject: [Dshield] Are you using spf records?

Happy new year to all of you.

I have done some minor research with SPF records. It is nice to see that
several of the big domains such as hotmail, msn, aol etc. have started to
use SPF records. Especially as they are often used in forged emails.
With them posting SPF, it is now possible to block the spam bots that use
their "from addresses".
How many of you have SPF records on your domains?
Those of you that don't have it, are you planning on it?
How many of you are using SPF as part of your spam filtering?

I've done DNS sniffing and can see more and more lookups for TXT/SPF
records for the emails.
One interesting thing I've noticed is that several of the big banks in
APAC, that constantly experience phishing attacks, don't have SPF
records!
Funny, with SPF records, any ISP/organization that looks at SPF records
would be able to reject the phishing attacks. Maybe it is "too hard work"
for them as they would only save several million dollars per year...

Best Regards
Martin Forest
Ps. If there is anyone on the list that doesn't know what SPF is, have a
look at http://www.openspf.org

-- 
If you take copy protection too far, the only customers you will have
are the ones that intend to sell illegal copies of your work.
By: Martin Forest
Warning: DRM/BMG protected CD's are likely to infect you with a Rootkit.
