Has anyone here had any experience in implementing SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail) in their DNS records? Did adding one or both of these help at all to reduce the amount of spoofing happening? Are there any trade-offs to using only one or both of these at once? Anything else I am missing?
SPF (Sender Policy Framework)
[openspf.org...]
DKIM (DomainKeys Identified Mail)
[en.wikipedia.org...]
Additionally, if the spoofed FROM address is completely bogus then a bunch of undeliverable bounces can completely choke an outbound mail queue for days.
BOUNCE is just bad...
Anyway, SPF and DKIM are full of holes and aren't implemented on enough sites to make much of a difference.
The easiest way to stop spam is with the spam challenge systems that require the senders to be whitelisted and allow them to authorize themselves by proving they're humans.
Unverified email simply gets discarded after a few days of no human claiming it.
Then you can firewall SMTP from Asia, Romania and Russia and it gets pretty quiet.
> Did adding one or both of these help at all reduce the amount of spoofing happening?
If you want to see a big difference, turn off wildcard e-mail aliases and follow incrediBILL's advice about bounces. That will cut out most of it.
If you've got e-mail addresses out there in public without any sort of obfuscation (JavaScript, images, etc.) then you're just begging for spam. Perhaps you could consider online forms instead.
I have SPF records for most of my domains that send e-mail. It only helps if the receiving server looks up my SPF record and uses it in some way. I haven't seen dramatic results though.
Bingo. It helps your mail get SENT, doesn't do much for stopping incoming spam.
All a spammer has to do is get a bunch of domains during the "tasting" period, set up SPF records, let the spam fly and it gets delivered as scheduled, then let the domains lapse without paying a penny.
All set up in favor of the spammer and a total waste of time IMO.
[edited by: incrediBILL at 10:22 am (utc) on April 25, 2008]
I have now delved into the server settings and discovered I can input DNSBL or MAPS (who knows if that's the right term, but I've got one working ;) but only one). Any recommended ones? Or, iBill, you mention to Firewall/SMTP some countries (I've also found out where to configure that now too). Are there any authentic sources of lists where some commonly recommended blocks for blacklisting appear? Or give me a hint for the search terms.
I don't mind a little maintenance, rather than paying for serious mail handling, as if necessary the largest client I host for is going to move to managed mail; the other sites are non-profit and are going to have to make do for now.
Btw, thanks for the tip on "reject"; makes sense when you say it, hehe. I have taken your advice :)
> who knows if that's the right term
RBL, black hole lists, "your favorite term here" ... one of the more popular is spamhaus.org. I use the sbl and xbl and that cuts out quite a bit of incoming trash.
Catchalls -> send them to /dev/null if you have one set up. Standards require "postmaster" and "abuse" for a mail server but most folks don't set them up anymore. If you do set them up make sure you set your spam filtering up on them and prepare to be inundated.
> Catchalls -> send them to /dev/null if you have one set up.
Tried that first and the spammers just kept coming and were using some serious bandwidth, dumping literally tons of junk as fast as they could go. Even though it was being delivered to nowhere, it was impacting server performance for other visitors.
That's when I switched to REJECT and never looked back.
I know it's not how you're supposed to do it, but those rules were written before the internet got into the extremely abusive mess it is today.
> I know it's not how you're supposed to do it, but those rules were written before the internet got into the extremely abusive mess it is today.
Exactly. Sounds like we are set up quite similarly. I have been running my effort as ...
Incoming mail server:
- Reject mail sent to any nonexistent mailbox
- Set up a DNSBL such as Spamhaus [spamhaus.org] sbl and xbl lists
- Set up The Apache SpamAssassin Project [spamassassin.apache.org]
Outgoing mail server:
- Mail server host name same as mail server A name (see next)
- Mail server name set up with PTR for reverse DNS
- No relaying; authorization required for SMTP on every mailbox
- Strong passwords on all mail accounts
End users are becoming wiser when it comes to filtering at the client nowadays. We stop as much spam as we can at the server but a trickle still gets through.
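The incoming and outgoing checks listed above, sketched as an added example (not code from any poster in this thread): an SMTP-time decision that rejects listed clients and nonexistent mailboxes instead of accepting and bounceing later, plus a PTR/A consistency check for the sending host. The zone `dnsbl.example`, the `SAMPLE_DNS` table, the mailbox set and all function names are hypothetical; a real deployment would resolve against live DNS and the blocklist zone of its choice.

```python
import ipaddress

# Constructed DNS answers standing in for a live resolver. The zone
# "dnsbl.example" is a placeholder for whichever blocklist you query.
SAMPLE_DNS = {
    ("7.100.51.198.dnsbl.example", "A"): ["127.0.0.2"],        # listed sender
    ("10.113.0.203.in-addr.arpa", "PTR"): ["mail.example.org."],
    ("mail.example.org", "A"): ["203.0.113.10"],
}
MAILBOXES = {"postmaster@example.org", "abuse@example.org", "info@example.org"}


def lookup(name, rtype, dns=SAMPLE_DNS):
    """Return the answers for (name, type); an empty list models NXDOMAIN."""
    return dns.get((name.rstrip(".").lower(), rtype), [])


def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets, then append the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def rcpt_decision(client_ip, rcpt, zone="dnsbl.example"):
    """Decide during the SMTP session, so nothing is accepted and bounced later."""
    if lookup(dnsbl_query_name(client_ip, zone), "A"):
        return "554 rejected: client listed in " + zone
    if rcpt.lower() not in MAILBOXES:
        return "550 no such mailbox"          # reject, no catch-all
    return "250 ok, hand to content filter"   # e.g. SpamAssassin next


def outbound_dns_ok(ip, hostname):
    """Outgoing checklist: PTR names the mail host and its A record maps back."""
    ptr = ipaddress.IPv4Address(ip).reverse_pointer
    names = [n.rstrip(".").lower() for n in lookup(ptr, "PTR")]
    return hostname.lower() in names and ip in lookup(hostname, "A")


if __name__ == "__main__":
    print(rcpt_decision("198.51.100.7", "info@example.org"))
    print(rcpt_decision("192.0.2.25", "random123@example.org"))
    print(rcpt_decision("192.0.2.25", "info@example.org"))
    print(outbound_dns_ok("203.0.113.10", "mail.example.org"))
```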