Very good post - am thinking along the same lines myself.
Will keep an eye on this thread.
First let's start with why I (and many others) just set our servers to REJECT all the mail they can't deliver instead of BOUNCE. If they did REJECT then the spammers would just be stopped, instead of delivering the mail to your server, which then in turn BOUNCES it to whoever the poor sod is that's spoofed in the FROM address.
Additionally, if the spoofed FROM address is completely bogus then a bunch of undeliverable bounces can completely choke an outbound mail queue for days.
BOUNCE is just bad...
Anyway, SPF and DKIM are full of holes and aren't implemented on enough sites to make much of a difference.
The easiest way to stop spam is with the spam challenge systems that require the senders to be whitelisted and allow them to authorize themselves by proving they're humans.
Unverified email simply gets discarded after a few days of no human claiming it.
Then you can firewall SMTP from Asia, Romania and Russia and it gets pretty quiet.
Spam challenge - my filters see the automated challenges as spam!
I would dump those filters.
SPF records are relatively easy to set up and it can't hurt to have one. DomainKeys are a bit more complicated, and it will depend on your server/host/ISP whether they can be set up.
|Did adding one or both of these help at all reduce the amount of spoofing happening? |
I have SPF records for most of my domains that send e-mail. It only helps if the receiving server looks up my SPF record and uses it in some way. I haven't seen dramatic results though.
If you want to see a big difference turn off wildcard e-mail aliases and follow incrediBILL's advice about bounces. That will cut out most of it.
|I have SPF records for most of my domains that send e-mail. It only helps if the receiving server looks up my SPF record and uses it in some way. I haven't seen dramatic results though. |
Bingo. It helps your mail get SENT, doesn't do much for stopping incoming spam.
All a spammer has to do is get a bunch of domains during the "tasting" period, set up SPF records, let the spam fly and it gets delivered as scheduled, then let the domains lapse without paying a penny.
All set up in favor of the spammer and a total waste of time IMO.
[edited by: incrediBILL at 10:22 am (utc) on April 25, 2008]
I too didn't have much luck with SPF.
I have now delved into the server settings and discovered I can input DNSBL or MAPS (who knows if that's the right term, but I've got one working ;) but only one). Any recommended ones? Or, iBill, you mention firewalling SMTP for some countries (I've also found out where to configure that now too): are there any authentic sources of lists where some commonly recommended blocks for blacklisting appear? Or give me a hint for the search terms.
I don't mind a little maintenance rather than paying for serious mail handling, as if necessary the largest client I host for is going to move to managed mail; the other sites are non-profit and are going to have to make do for now.
BTW, thanks for the tip on "reject"; it makes sense when you say it, hehe. I have taken your advice :)
>>turn off wildcard e-mail aliases
Bill, do you mean not to have a catchall, or...
|who knows if that's the right term |
RBL, black hole lists, "your favorite term here" ... one of the more popular is spamhaus.org. I use the sbl and xbl and that cuts out quite a bit of incoming trash.
Catchalls -> send them to /dev/null if you have one set up. Standards require "postmaster" and "abuse" for a mail server but most folks don't set them up anymore. If you do set them up make sure you set your spam filtering up on them and prepare to be inundated.
|Catchalls -> send them to /dev/null if you have one set up. |
Tried that first, and the spammers just kept coming and were using some serious bandwidth, dumping literally tons of junk as fast as they could go. Even though it was being delivered to nowhere, it was impacting server performance for other visitors.
That's when I switched to REJECT and never looked back.
I know it's not how you're supposed to do it, but those rules were written before the internet got into the extremely abusive mess it is today.
|I know it's not how you're supposed to do it, but those rules were written before the internet got into the extremely abusive mess it is today. |
Exactly. Sounds like we are set up quite similarly. I have been running my effort as ...
Incoming mail server:
- Reject mail sent to any nonexistent mailbox
- Set up a DNSBL such as Spamhaus [spamhaus.org] sbl and xbl lists
- Set up The Apache SpamAssassin Project [spamassassin.apache.org]
Outgoing mail server:
- Mail server host name same as mail server A name (see next)
- Mail server name set up with PTR for reverse DNS
- No relaying; authorization required for SMTP on every mailbox
- Strong passwords on all mail accounts
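The incoming and outgoing settings in that checklist as a Postfix main.cf fragment. This is an added example, not configuration posted by anyone in the thread; it assumes Postfix with Dovecot providing SASL and uses the placeholder host name mail.example.com.

```ini
# Host name: must match the mail server's A record and the PTR of its sending IP
myhostname = mail.example.com

# Incoming: decide at RCPT TO time so unknown recipients get a 550 REJECT
# instead of being accepted and BOUNCED to a spoofed FROM address
local_recipient_maps = proxy:unix:passwd.byname $alias_maps

# Order matters: local/authenticated clients are permitted first, then
# anything that would relay is refused, then unknown mailboxes, then DNSBLs
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unlisted_recipient,
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client xbl.spamhaus.org

# Outgoing: no relaying without SMTP AUTH (Dovecot SASL assumed here)
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_security_level = may
```

Check the result with `postconf -n` and by watching the mail log for `NOQUEUE: reject` lines rather than bounces being queued.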
I have played around with SPF too and found it ineffective compared to the rest of the efforts listed here. I've never had an issue with any of our accounts sending mail messages. Incoming is the fun stuff. You get to hear about that, but never an issue with outgoing. Email spoofing is crazy right now. Training using Bayesian filtering is the last line of defense at the server right now. Email management and mail server management is the biggest pain. I can see why so many are outsourcing the service.
End users are becoming wiser when it comes to filtering at the client nowadays. We stop as much spam as we can at the server but a trickle still gets through.