[afrinic-anti-spam-discuss] Deploying SPF

Hari Kurup kurup at afrinic.net
Tue Oct 2 22:41:45 SAST 2007


Graham,

What happens if you send me mail and on my mail server, I have filters
to forward all my mail to another server which does SPF checking? Since
the envelope sender did not change, the mail will be rejected at the 2nd
server.

--
Hari

Graham Beneke wrote:
> There were requests at the antispam BoF that we share our experiences and
> best practices. Here are my comments on Sender Policy Framework.
> 
> In a nutshell - SPF is a system whereby a domain administrator is able
> to define a list of the servers designated to send mail for the domain.
> The reason that this is necessary is that the original SMTP protocol
> has no way of verifying the MAIL-FROM header that is transmitted during
> the SMTP transaction.
> 
> There are two things that SPF is trying to mitigate:
> The forgery or spoofing of mail from trusted domain names like banks and
> government organisations.
> And preventing spammers from disguising their mail as originating from
> other domains.
> 
> The first issue is obviously very important in terms of phishing attacks
> and other kinds of fraud. And SPF has been successful in preventing some
> of the phishing scams that have occurred around the world.
> 
> In the second case - I am experiencing more and more spam runs where the
> spammers are targeting one domain name as the forged source of the mail
> and then sending out thousands of mail. Although this does not produce
> spam directly there are often thousands of messages that fail to deliver
> and all the "message delivery failure" messages then get sent to the
> forged domain. This can cause thousands of emails to arrive at a mail
> server in a matter of minutes. This is a concern for African operators
> due to the costs of bandwidth and it can force mail servers into DoS.
> 
> There are two aspects of SPF:
> The filtering of incoming mail. This requires patches or changes to the
> configuration on many MTAs. On my MTAs, SPF filtering currently
> accounts for approximately 1% of the mail that is rejected by my server.
> 
> The SPF setup for the sending side of the process simply involves
> writing one extra record into the DNS zone of each domain. This is a
> relatively quick and simple process (taking less than an hour in
> general) and produces huge benefits for the amount of effort required.
> 
> There are a number of large operators that have implemented SPF
> (including gmail). Although there are also many servers that do not yet
> filter based on SPF records, it has now reached a critical mass whereby
> it is generally not viable for a spammer to spoof an SPF protected
> domain. If a domain is being the subject of a spoofing attack and an SPF
> record is implemented then the spoofing attacks very often subside in
> less than 3 weeks.
> 
> It is important however to note that SPF is not specifically a spam
> prevention technique. There are spammers who are now registering
> 'throw-away' domains that they publish SPF records for and then use
> these as the source address for their messages. SPF does however close a
> major loophole in the SMTP specification and prevents abuse of the mail
> system.
> 
> More details can be found on the SPF website http://www.openspf.org
> 
> I'd be happy to respond to questions or comments on the list.
> 
> regards
> Graham Beneke

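The forwarding case raised in this thread, as an added example that is not part of either message: a simplified SPF check (only `ip4`, `ip6` and `all`, with no DNS lookups) evaluated at each hop. The domains, addresses and records are constructed, and the rewritten-sender case is an assumption about how a forwarder might be configured.

```python
import ipaddress

# Constructed TXT records using documentation domains and address ranges.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from, records=SPF_RECORDS):
    """Test the connecting IP against the SPF policy of the MAIL FROM domain."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    terms = records.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # the domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mechanism = term[1:] if term[0] in RESULTS else term
        name, _, value = mechanism.partition(":")
        if name == "all":
            return RESULTS[qualifier]
        if name not in ("ip4", "ip6"):
            raise ValueError(f"mechanism not handled in this subset: {term}")
        net = ipaddress.ip_network(value, strict=False)
        if ip.version == net.version and ip in net:
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and the record has no "all"


def forwarding_scenario():
    sender = "alice@sender.example"  # constructed envelope sender
    return {
        # Hop 1: the sender's own MTA connects to the first server.
        "direct": check_spf("192.0.2.10", sender),
        # Hop 2: the forwarder relays with MAIL FROM unchanged, so the second
        # server tests the forwarder's IP against sender.example's policy.
        "forwarded": check_spf("198.51.100.25", sender),
        # Hop 2, assuming the forwarder rewrites MAIL FROM to its own domain.
        "forwarded_rewritten": check_spf("198.51.100.25", "bounce@forwarder.example"),
    }


if __name__ == "__main__":
    for hop, result in forwarding_scenario().items():
        print(f"{hop}: {result}")
```
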