[afrinic-anti-spam-discuss] Deploying SPF
Graham Beneke
graham-ml at apolix.co.za
Sat Sep 29 11:06:42 SAST 2007
There were requests at the antispam BoF that we share our experiences and
best practices. Here are my comments on Sender Policy Framework.
In a nutshell - SPF is a system whereby a domain administrator is able
to define a list of the servers designated to send mail for the domain.
The reason that this is necessary is that the original SMTP protocol
has no way of verifying the MAIL-FROM header that is transmitted during
the SMTP transaction.
There are two things that SPF is trying to mitigate:
- The forgery or spoofing of mail from trusted domain names like banks and
government organisations.
- Preventing spammers from disguising their mail as originating from
other domains.
The first issue is obviously very important in terms of phishing attacks
and other kinds of fraud. And SPF has been successful in preventing some
of the phishing scams that have occurred around the world.
In the second case - I am experiencing more and more spam runs where the
spammers are targeting one domain name as the forged source of the mail
and then sending out thousands of mails. Although this does not produce
spam directly there are often thousands of messages that fail to deliver
and all the "message delivery failure" messages then get sent to the
forged domain. This can cause thousands of emails to arrive at a mail
server in a matter of minutes. This is a concern for African operators
due to the costs of bandwidth and it can force mail servers into DoS.
There are two aspects of SPF:
- The filtering of incoming mail. This requires patches or changes to the
configuration on many MTAs. On my MTAs SPF filtering currently
accounts for approximately 1% of the mail that is rejected by my server.
- The SPF setup for the sending side of the process simply involves
writing one extra record into the DNS zone of each domain. This is a
relatively quick and simple process (taking less than an hour in
general) and produces huge benefits for the amount of effort required.
There are a number of large operators that have implemented SPF
(including gmail). Although there are also many servers that do not yet
filter based on SPF records, it has now reached a critical mass whereby
it is generally not viable for a spammer to spoof an SPF protected
domain. If a domain is the subject of a spoofing attack and an SPF
record is implemented then the spoofing attacks very often subside in
less than 3 weeks.
It is important however to note that SPF is not specifically a spam
prevention technique. There are spammers who are now registering
'throw-away' domains that they publish SPF records for and then use
these as the source address for their messages. SPF does however close a
major loophole in the SMTP specification and prevents abuse of the mail
system.
More details can be found on the SPF website http://www.openspf.org
I'd be happy to respond to questions or comments on the list.
regards
Graham Beneke
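The two sides of SPF that the post describes (a domain publishing a v=spf1 TXT record listing its designated senders, and a receiving MTA checking the connecting IP against the MAIL FROM domain's record) as an added, self-contained example; this is not code from the post or from the openspf.org project. The DNS answers are constructed in-line (hypothetical zones using RFC 5737 documentation addresses) so it runs offline, and the evaluator is a simplified reading of the SPF mechanism rules (ip4/ip6, a, mx, include, all, the redirect= modifier and the 10-lookup limit); macros, exists, ptr and CIDR suffixes on a/mx are not implemented, so a production MTA should use a full library instead.

```python
import ipaddress

# Constructed DNS answers used in place of live lookups (hypothetical zones,
# RFC 5737 documentation addresses; not real data).
DNS = {
    "example.org": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 mx a:mail.example.org "
                "include:_spf.example.net -all"],
        "MX": ["mx1.example.org"],
    },
    "mx1.example.org": {"A": ["198.51.100.10"]},
    "mail.example.org": {"A": ["198.51.100.20"]},
    "_spf.example.net": {"TXT": ["v=spf1 ip4:203.0.113.0/24 ~all"]},
    "legacy.example.org": {"TXT": ["v=spf1 redirect=example.org"]},
    "nospf.example": {"TXT": ["just a comment"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 limit on lookup-causing terms per evaluation


def lookup(name, rtype):
    """Stand-in for a DNS query, answered from the constructed data above."""
    return DNS.get(name.lower(), {}).get(rtype, [])


def get_spf_record(domain):
    """Return the domain's single SPF TXT record, or None if absent/ambiguous."""
    recs = [r for r in lookup(domain, "TXT")
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return recs[0] if len(recs) == 1 else None


def ip_in(ip, net):
    """True if ip lies inside net; an address-family mismatch simply does not match."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def check_host(ip, domain, counter=None):
    """Evaluate SPF for connecting IP `ip` and MAIL FROM domain `domain`.
    Returns one of: pass, fail, softfail, neutral, none, permerror."""
    counter = counter if counter is not None else {"lookups": 0}
    record = get_spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        # Modifiers look like name=value (redirect=, exp=); only redirect matters here.
        if "=" in term and ":" not in term.split("=", 1)[0]:
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif mech == "a":
            counter["lookups"] += 1
            matched = any(ip_in(ip, a) for a in lookup(arg or domain, "A"))
        elif mech == "mx":
            counter["lookups"] += 1
            matched = any(ip_in(ip, a)
                          for mx in lookup(arg or domain, "MX")
                          for a in lookup(mx, "A"))
        elif mech == "include":
            counter["lookups"] += 1
            sub = check_host(ip, arg, counter)
            if sub in ("none", "permerror"):
                return "permerror"  # including a record-less domain is a permanent error
            matched = sub == "pass"
        else:
            return "permerror"      # mechanism not implemented in this simplified checker
        if counter["lookups"] > MAX_DNS_LOOKUPS:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        counter["lookups"] += 1
        result = check_host(ip, redirect, counter)
        return "permerror" if result == "none" else result
    return "neutral"


def receiving_policy(result):
    """Receiver-side decision for one MAIL FROM: reject only on a hard '-all' fail,
    so backscatter from forged senders stops without bouncing softfail/neutral mail."""
    return "reject" if result == "fail" else "accept"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.5", "example.org"), ("203.0.113.7", "example.org"),
                    ("10.0.0.1", "example.org"), ("10.0.0.1", "_spf.example.net"),
                    ("10.0.0.1", "nospf.example")]:
        r = check_host(ip, dom)
        print(f"{ip:>15} {dom:<18} -> {r:<9} {receiving_policy(r)}")
```

The sending-side half of the post is the one-line TXT record in the constructed example.org zone; the receiving-side half is check_host plus receiving_policy. Rejecting only on a hard fail is the conservative choice the post's 1% figure suggests: a forged sender hits "-all" and is refused during the SMTP transaction, so no delivery-failure message is ever generated towards the spoofed domain.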