
Is SPF the answer for Email Spoofing?

Posted by Keith Elder | Posted in Internet | Posted on 26-06-2006

For the past several months, maybe even longer, I’ve been the victim of various spam engines or viruses sending out massive quantities of email on behalf of me. If you’ve never had this happen, it is a serious problem. Imagine how much email a spammer sends, then imagine ALL the bounced emails coming into your inbox. I thought I knew enough about procmail and server-side mail filtering to be able to stop this from getting out of hand, but my efforts have failed. Last week I was out of the office at Tech Ed, and each time I checked my email via my phone I would get 500 new emails. Have you ever tried deleting 500 emails from a phone? Or even from SquirrelMail? It is extremely painful.

What is email spoofing?

Email spoofing is something that can be fun if you want to send emails internally at the office, but when a spammer sends an email on your behalf, and then sends millions of them, it is not so fun. To spoof the email, the spammer picks an email address, say "spammerssuckdonkeyeggs@spammers.suck.com", and sets it as the "Return-Path:" header of the message. The Return-Path header, as outlined in RFC 2821, is a special header that defines where bounced emails go if they can't be delivered. That's right: anyone can put anything they want in the Return-Path header, and every bounce from that spam run lands in the mailbox of whoever owns the address they chose.

What is SPF?

SPF stands for "Sender Policy Framework". SPF allows system administrators to add a special record to their DNS zone that outlines where email for their domain should originate from. Think of it as a reverse lookup for email. When a mail server receives a message whose sender claims to be from somedomain.com, it queries somedomain.com's DNS for that record to make sure the server delivering the message is authorized to send mail for that domain and that things match up. If not, the email gets rejected.

Note: If there is no SPF record in the DNS, the mail goes through.

For more information on how SPF works, visit http://new.openspf.org/Introduction

So far, so good

After adding the following rule to my DNS zone, things stopped coming in. It has only been a few hours since I added this to the zone file, but normally I would have received at least 30-50 bounced emails within that time frame.

zorka.com. IN TXT "v=spf1 a mx mx:mail.zorka.com ~all"

So far so good, it seems. Either the spammers are taking a break or SPF is working. Has anyone else tried this? How have your results been?
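To show what the receiving mail server actually does with a record like the one above, here is a small SPF evaluator added as an illustration (example code, not from the original post). It walks the mechanisms of that exact record against a constructed, in-memory DNS table; the addresses in the table are placeholders, not real zorka.com data, and the function names (`check_spf`, `hosts_for`, `lookup`) are this example's own.

```python
import ipaddress

# Constructed stand-in for DNS lookups: placeholder addresses, not real zone data.
DNS = {
    ("zorka.com", "TXT"): ["v=spf1 a mx mx:mail.zorka.com ~all"],
    ("zorka.com", "A"): ["192.0.2.10"],
    ("zorka.com", "MX"): ["mail.zorka.com", "mx2.zorka.com"],
    ("mail.zorka.com", "A"): ["192.0.2.25"],
    ("mx2.zorka.com", "A"): ["198.51.100.5"],
}

# Result a mechanism yields when it matches, keyed by its qualifier prefix.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def hosts_for(mech, domain):
    """Return the networks a single mechanism (a, mx, ip4) designates."""
    name, _, arg = mech.partition(":")
    if name == "a":
        return [ipaddress.ip_network(a) for a in lookup(arg or domain, "A")]
    if name == "mx":
        nets = []
        for mx in lookup(arg or domain, "MX"):
            nets += [ipaddress.ip_network(a) for a in lookup(mx, "A")]
        return nets
    if name == "ip4":
        return [ipaddress.ip_network(arg, strict=False)]
    raise ValueError(f"unsupported mechanism: {mech}")


def check_spf(sender_domain, client_ip):
    """Evaluate the envelope-sender domain's SPF record for the connecting IP.
    Returns one of: pass, fail, softfail, neutral, none."""
    records = [r for r in lookup(sender_domain, "TXT") if r.startswith("v=spf1 ")]
    if not records:
        return "none"  # no policy published: the mail goes through as usual
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qual]  # catch-all: "~all" gives softfail
        if any(ip in net for net in hosts_for(mech, sender_domain)):
            return QUALIFIERS[qual]
    return "neutral"  # record exhausted without a match
```

Because the record ends in "~all", a message from an unlisted host evaluates to softfail rather than fail; whether a receiver then rejects, tags, or accepts it is decided by that receiver's local policy.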
