I wonder if AOL would be interested in tracking the failures via logging
incoming DNS requests. They could probably set up a DNS server or two with
logging turned on for this purpose.
Granted, most of these will be attempts to forge @aol.com in spam, but if
there are a large number from any given client they can use that info to
find something they may have missed.
In case this is helpful, I'm attaching a recipe showing how I did this at
my site...
Example SPF record (ours assumes everything is forged):

    altavista.com. IN TXT "v=spf1 +exists:CL.%{i}.FR.%{s}.HE.%{h}.null.spf.altavista.com -all"
Possible use for aol:

    aol.com. IN TXT "v=spf1 ip4:152.163.225.0/24 (etc, etc) ptr:mx.aol.com +exists:CL.%{i}.FR.%{s}.HE.%{h}.null.spf.aol.com ?all"
Incoming queries can be sent to a special server with logging on by giving
the subdomain its own NS records:
    spf.aol.com. IN NS ns-logger.xy.aol.com.
I loaded mine with a small zone; since we just want to log the queries,
they will all return "unknown host name" (NXDOMAIN).
    $ORIGIN spf.altavista.com.
    $TTL 7200
    @ IN SOA ns-admin.sv.av.com. postmaster.av.com. (
            2003121500 ; serial
            3600       ; refresh
            900        ; retry
            604800     ; expire
            7200 )     ; minimum
    @ IN NS  ns-admin.sv.av.com.
    @ IN TXT "v=spf1 -all"
    @ IN TXT "No legit email comes from spf.altavista.com."
I use the following with BIND at the top of named.conf to log queries:
    logging {
        category default  { default_syslog; default_debug; };
        category panic    { default_syslog; default_stderr; };
        category packet   { default_debug; };
        category eventlib { default_debug; };
        channel query_channel {
            file "/var/adm/named.queries" versions 3 size 500m;
            print-time yes;
            print-category yes;
        };
        category queries {
            query_channel;
        };
    };
Once this is done the queries look like this:
    12-Jan-2004 16:34:31.668 queries: XX /206.168.119.106/CL.24.162.54.27.FR.prknrzmmup_65952\@altavista.com.HE.cs2416254-27.houston.rr.com.null.spf.altavista.com/A/IN
The text of the query shows the following info:

    /ip/  - server sending us the query (usually a DNS server near the mail receiver)
    CL.ip - Client IP address which presented the aol.com mail
    FR.*  - FROM address claimed in the mail envelope
    HE.*  - HELO address of the server - usually fake, sometimes missing
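As an added illustration (not Greg's code), here is a small Python parser for query-log lines in the shape shown above. It splits the exists: macro expansion back into the CL/FR/HE fields and counts lookups per claimed client IP, which is the "large number from any given client" signal the post suggests looking for. The log lines are constructed samples; only IPv4 client addresses are handled.

```python
import re
from collections import Counter

# Constructed sample lines in the BIND query-log shape from the post:
#   <date> <time> queries: XX /<resolver-ip>/<qname>/<qtype>/<qclass>
# where <qname> is CL.<client-ip>.FR.<sender>.HE.<helo>.null.spf.<zone>.
# BIND writes the '@' inside the sender as '\@'; the last line has an empty HELO.
SAMPLE_LOG = """\
12-Jan-2004 16:34:31.668 queries: XX /206.168.119.106/CL.24.162.54.27.FR.prknrzmmup_65952\\@altavista.com.HE.cs2416254-27.houston.rr.com.null.spf.altavista.com/A/IN
12-Jan-2004 16:35:02.101 queries: XX /206.168.119.106/CL.24.162.54.27.FR.bob\\@altavista.com.HE.cs2416254-27.houston.rr.com.null.spf.altavista.com/A/IN
12-Jan-2004 16:36:10.455 queries: XX /10.0.0.53/CL.192.0.2.9.FR.alice\\@altavista.com.HE.mail.example.net.null.spf.altavista.com/A/IN
12-Jan-2004 16:36:11.000 queries: XX /10.0.0.53/CL.192.0.2.9.FR.carol\\@altavista.com.HE.null.spf.altavista.com/A/IN
"""

# Assumes the %{i} macro expanded to a dotted IPv4 address (IPv6 would be 32 nibble labels).
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: \S+ /(?P<resolver>[^/]+)/"
    r"CL\.(?P<client>(?:\d{1,3}\.){3}\d{1,3})\.FR\.(?P<sender>.*?)\.HE\.(?P<helo>.*?)\.?null\.spf\."
    r"(?P<zone>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^/]+)$"
)


def parse_query(line):
    """Return the macro fields of one query-log line as a dict, or None if it does not match."""
    m = QUERY_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sender"] = rec["sender"].replace("\\@", "@")  # undo BIND's escaping of '@'
    rec["helo"] = rec["helo"] or None                  # HELO is sometimes missing
    return rec


def summarize(log_text):
    """Count lookups per claimed client IP and collect the HELO names each one used."""
    per_client = Counter()
    helos = {}
    for line in log_text.splitlines():
        rec = parse_query(line)
        if rec is None:
            continue  # not a forged-mail lookup (or a different log category)
        per_client[rec["client"]] += 1
        helos.setdefault(rec["client"], set()).add(rec["helo"])
    return per_client, helos


def busiest_clients(log_text, threshold=2):
    """Client IPs with at least `threshold` forged-mail lookups, busiest first."""
    per_client, _ = summarize(log_text)
    return [(ip, n) for ip, n in per_client.most_common() if n >= threshold]
```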
Hope this helps...
--
Greg Connor <gconnor@nekodojo.org>
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname@