Webmaster General Forum

    
Questions on SPF and DKIM
(Sender Policy Framework) / (DomainKeys Identified Mail)
Ocean10000




msg:3634207
 2:58 pm on Apr 24, 2008 (gmt 0)

I am doing some research, due to being recently slammed with 1000+ bounce email messages an hour, on two of my least used accounts. These are high spam accounts, which are listed on a public website to allow requests from potential clients to ask for more information from the company. But the bounce message is something new. And I am worried the company's emails are going to be blacklisted because of the content of these bounced emails. The company I am working for lives by email. And email getting blocked or rejected would not be something I want to explain to my boss if I can do something to prevent it as much as possible.

Has anyone here had any experience in implementing SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) in their DNS records? Did adding one or both of these help at all reduce the amount of spoofing happening? Are there any trade-offs to using only one or both of these at once? Anything else I am missing?

SPF (Sender Policy Framework)
[openspf.org...]

DKIM (DomainKeys Identified Mail)
[en.wikipedia.org...]

 

Dexie




msg:3634299
 4:41 pm on Apr 24, 2008 (gmt 0)

Very good post - am thinking along the same lines myself.

Will keep an eye on this thread.

Dexie.

incrediBILL




msg:3634694
 2:31 am on Apr 25, 2008 (gmt 0)

First let's start with why I (and many others) just set their servers to REJECT all the mail it can't deliver instead of BOUNCE. If they did REJECT then the spammers would just be stopped instead of delivering the mail to your server which then in turn BOUNCES it to whoever the poor sod is that's spoofed in the FROM address.

Additionally, if the spoofed FROM address is completely bogus then a bunch of undeliverable bounces can completely choke an outbound mail queue for days.

BOUNCE is just bad...

Anyway, SPF and DKIM are full of holes and aren't implemented on enough sites to make much of a difference.

The easiest way to stop spam is with the spam challenge systems that require the senders to be whitelisted and allow them to authorize themselves by proving they're humans.

Unverified email simply gets discarded after a few days of no human claiming it.

Then you can firewall SMTP from Asia, Romania and Russia and it gets pretty quiet.

piatkow




msg:3634830
 8:13 am on Apr 25, 2008 (gmt 0)

Spam challenge - my filters see the automated challenges as spam!

incrediBILL




msg:3634841
 8:34 am on Apr 25, 2008 (gmt 0)

I would dump those filters.

bill




msg:3634848
 9:07 am on Apr 25, 2008 (gmt 0)

SPF records are relatively easy to set up and it can't hurt to have one. DomainKeys are a bit more complicated and it will depend on your server/host/ISP whether they can be set up.

>> Did adding one or both of these help at all reduce the amount of spoofing happening?

I have SPF records for most of my domains that send e-mail. It only helps if the receiving server looks up my SPF record and uses it in some way. I haven't seen dramatic results though.

If you want to see a big difference turn off wildcard e-mail aliases and follow incrediBILL's advice about bounces. That will cut out most of it.

If you've got e-mail addresses out there in public without any sort of obfuscation (JavaScript, images, etc.) then you're just begging for spam. Perhaps you could consider online forms instead.

incrediBILL




msg:3634888
 10:21 am on Apr 25, 2008 (gmt 0)

>> I have SPF records for most of my domains that send e-mail. It only helps if the receiving server looks up my SPF record and uses it in some way. I haven't seen dramatic results though.

Bingo. It helps your mail get SENT, doesn't do much for stopping incoming spam.

All a spammer has to do is get a bunch of domains during the "tasting" period, set up SPF records, let the spam fly and it gets delivered as scheduled, then let the domains lapse without paying a penny.

All set up in favor of the spammer and a total waste of time IMO.

[edited by: incrediBILL at 10:22 am (utc) on April 25, 2008]

SuzyUK




msg:3635151
 4:24 pm on Apr 25, 2008 (gmt 0)

I too didn't have much luck with SPF.

I have now delved into the server settings and discovered I can input DNSBL or MAPs - (who knows if that's the right term but I've got one working ;) but only one) - any recommended ones, or iBill you mention to Firewall/SMTP some countries (I've also found out where to configure that now too) - are there any authentic sources of lists where some commonly recommended blocks for blacklisting appear? or give me a hint for the search terms

I don't mind a little maintenance, rather than paying for serious mail handling as if necessary the largest client I host for is going to move to managed mail - the other sites are non-profit and are going to have to make do for now.

btw thanks for the tip on "reject" makes sense when you say it hehe.. I have taken your advice :)

SuzyUK




msg:3635152
 4:25 pm on Apr 25, 2008 (gmt 0)

>>turn off wildcard e-mail aliases

bill do you mean not to have a catchall or...

coopster




msg:3635329
 7:22 pm on Apr 25, 2008 (gmt 0)

>> who knows if that's the right term

RBL, black hole lists, "your favorite term here" ... one of the more popular is spamhaus.org. I use the sbl and xbl and that cuts out quite a bit of incoming trash.

Catchalls -> send them to /dev/null if you have one set up. Standards require "postmaster" and "abuse" for a mail server but most folks don't set them up anymore. If you do set them up make sure you set your spam filtering up on them and prepare to be inundated.

incrediBILL




msg:3635334
 7:29 pm on Apr 25, 2008 (gmt 0)

>> Catchalls -> send them to /dev/null if you have one set up.

Tried that first and the spammers just kept coming and were using some serious bandwidth, dumping literally tons of junk as fast as they could go; even though it was being delivered to nowhere, it was impacting server performance for other visitors.

That's when I switched to REJECT and never looked back.

I know it's not how you're supposed to do it, but those rules were written before the internet got into the extremely abusive mess it is today.

coopster




msg:3635384
 8:19 pm on Apr 25, 2008 (gmt 0)

>> I know it's not how you're supposed to do it, but those rules were written before the internet got into the extremely abusive mess it is today.

Exactly. Sounds like we are set up quite similarly. I have been running my effort as ...

Incoming mail server: 
  1. Reject mail sent to any nonexistent mailbox
  2. Set up a DNSBL such as Spamhaus [spamhaus.org] sbl and xbl lists
  3. Set up The Apache SpamAssassin Project [spamassassin.apache.org]

Outgoing mail server: 
  1. Mail server host name same as mail server A name (see next)
  2. Mail server name set up with PTR for reverse DNS
  3. No relaying; authorization required for SMTP on every mailbox
  4. Strong passwords on all mail accounts

I have played around with SPF too and found it ineffective compared to the rest of the efforts listed here. I've never had an issue with any of our accounts sending mail messages. Incoming is the fun stuff. You get to hear about that but never an issue with outgoing. Email spoofing is crazy right now. Training using Bayesian filtering is the last line of defense at the server right now. Email management and mail server management is the biggest pain. I can see why so many are outsourcing the service.

End users are becoming wiser when it comes to filtering at the client nowadays. We stop as much spam as we can at the server but a trickle still gets through.
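
Added example (not from the thread or any poster's setup): items 1 and 2 of the incoming list above, together with the REJECT-instead-of-BOUNCE advice, as one decision made at RCPT time. The zone dnsbl.example.net, the mailbox set and the FAKE_DNS table are constructed stand-ins; a real server would do an A-record lookup against its chosen list's zone.

```python
import ipaddress

# Constructed sample data: local mailboxes and a stand-in for DNS answers.
MAILBOXES = {"info@example.com", "sales@example.com"}
FAKE_DNS = {"10.2.0.192.dnsbl.example.net": "127.0.0.2"}  # one listed host


def dnsbl_query_name(client_ip, zone):
    """DNSBL convention: reverse the IPv4 octets and append the list's zone."""
    ip = ipaddress.IPv4Address(client_ip)  # raises ValueError on bad input
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def is_listed(client_ip, zone, resolve):
    """An A-record answer in 127.0.0.0/8 means listed; no answer means clean."""
    answer = resolve(dnsbl_query_name(client_ip, zone))
    return answer is not None and answer.startswith("127.")


def rcpt_decision(client_ip, rcpt, zone="dnsbl.example.net", resolve=FAKE_DNS.get):
    """Decide during the SMTP session so nothing is accepted and bounced later.

    A 5xx reply leaves the failure with the connecting client; the server
    never generates a bounce to the (possibly spoofed) FROM address.
    """
    if is_listed(client_ip, zone, resolve):
        return "554 5.7.1 client host listed in DNSBL"
    if rcpt.lower() not in MAILBOXES:
        return "550 5.1.1 no such mailbox"
    return "250 2.1.5 OK"


if __name__ == "__main__":
    print(rcpt_decision("192.0.2.10", "info@example.com"))
    print(rcpt_decision("198.51.100.7", "nobody@example.com"))
    print(rcpt_decision("198.51.100.7", "sales@example.com"))
```
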
