[Dshield] Are you using spf records?

Stasiniewicz, Adam stasinia at msoe.edu
Thu Jan 5 19:57:54 GMT 2006


FUD ALARM!!

Do you even have the slightest idea of how SPF works?  Actually read
about it before saying something: http://www.openspf.org/howworks.html.
I am not going to defend the technology; I just want to ensure that
people don't get the wrong idea from a couple of open-ended, unsupported
comments.

1. SPF has nothing to do with reporting spam.  It does not send any
reports to anyone, nor does it rely on the need for an ISP to
"investigate" any claims.
2. A lot of spam uses forged headers, so unless you carefully check the
header, you can't be sure that it came from a real hotmail server.
3. SPF does one thing: it stops email from originating from a source
other than the authentic outgoing email server for a domain.  It knows
which servers are authentic outgoing email servers by using a DNS query
for the specific SPF record (encapsulated in a TXT record).

Now SPF is not without flaws.

1. If a domain does not publish SPF records, email from that domain can
be forged.
2. If a domain uses a different "all" operator other than "-all" many
filters will not do any filtering on the email.
3. There is nothing stopping a spammer from sending email from say
"someone at abay.com" (note the first letter of domain).
4. Many organizations don't use SPF, so it will be ineffective for many
emails.  But it can always be used with great success internally.
5. If a malicious user can gain relay to a server which SPF thinks is
legit, then SPF won't help.
6. If a malicious user has his own domain, he can add SPF records for
his spamming server, or simply not use SPF at all.
7. SPF is not an end-all solution for fighting spam; it is just another
method that can be used as part of an overall strategy in fighting spam.

Please actually research what you are talking about before saying
something.

Regards,
Adam Stasiniewicz 
Computer and Communication Services Department 
Milwaukee School of Engineering 
MSCE: Messaging & Security 2003 

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Abuse
Sent: Thursday, January 05, 2006 12:19 PM
To: General DShield Discussion List
Subject: Re: [Dshield] Are you using spf records?

** Reply to message from Martin Forest <martin at forest.gen.nz> on Thu, 05 Jan 2006 19:40:57 +1300

> I have done some minor research with SPF records. It is nice to see that
> several of the big domains such as hotmail, msn, aol etc have started to
> use SPF records.

A lot of good that will do.  I report spam to hotmail and almost all replies
say it did not originate with us.  Well it originated with one of their users
and was sent through one of hotmail's servers.  With an attitude like that we
will never get rid of spam.


> Especially as they are often used in forged emails. With
> them posting spf, it is now possible to block the spam bots that use
> their "from addresses".

Any program that uses the FROM address to filter spam (or anything for that
matter) should be deleted from your system.  It does not work, it can never
work, so why use it?
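
An added example, not part of the original message or of any SPF implementation: a minimal evaluator for the check described in point 3 of the reply, showing how the same unauthorized sender gets a different result depending on the "all" qualifier (flaw 2). The records and addresses are constructed, and only the ip4, ip6 and all mechanisms are handled so that it runs without DNS.

```python
import ipaddress

# Qualifier prefix -> SPF result name (RFC 7208); no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record: str, sender_ip: str) -> str:
    """Evaluate the text of an SPF TXT record against the connecting IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # domain publishes no SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:                    # modifiers (redirect=, exp=) not handled here
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term[1:] if term[0] in QUALIFIERS else term
        name, _, value = mechanism.partition(":")
        name = name.lower()
        if name == "all":                  # matches every sender not matched earlier
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"'{name}' needs DNS lookups; outside this example")
    return "neutral"                       # nothing matched: RFC 7208 default result

# Constructed records for a hypothetical domain (documentation address ranges).
RECORDS = {
    "strict":  "v=spf1 ip4:192.0.2.0/24 -all",
    "soft":    "v=spf1 ip4:192.0.2.0/24 ~all",
    "neutral": "v=spf1 ip4:192.0.2.0/24 ?all",
}

def compare(sender_ip: str) -> dict:
    """Result each record variant gives for the same connecting IP."""
    return {label: evaluate_spf(rec, sender_ip) for label, rec in RECORDS.items()}

if __name__ == "__main__":
    print("authorized server:  ", compare("192.0.2.25"))
    print("unauthorized server:", compare("198.51.100.7"))
    print("no record published:", evaluate_spf("", "198.51.100.7"))
```

Only the "-all" record yields "fail" for the unauthorized address; the other two return "softfail" and "neutral", and an unpublished record returns "none".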