spf-discuss

SPF in action

2004-01-14 03:03:27
Hi all,
I'm running a mail server for a couple of small domains. Last week I added SPF 
support to a W2K SMTP service sink I wrote some time ago. As expected, the 
number of returned SPF records is very low at this time so I queried a local 
DNS based whitelist containing SPF records for domains that contact us. Because 
of the limited amount of e-mail we get, I can manually check the logs and add 
"unknowns" to this local whitelist. However, the policy I use is slightly 
different from what's proposed using Mail::SPF::Query.

All checks are done at "RCPT TO:" so a per user policy can be enforced.

1) The helo/ehlo name is checked against a static list. Someone claiming to be 
"aol.com" or "compuserve.com" is rejected immediately.

2) An IP-address in helo/ehlo is only accepted if it matches the remote 
IP-address.

3) Lookup the remote IP-address in various DNSBL.

4) Lookup the remote IP-address in a local DNSBL, the result of this is used:
   - to specifically blacklist/whitelist an IP-address
   - as a CNAME that helps domains with rDNS problems

5) Reverse lookup of remote IP-address if (4) didn't return a CNAME. If this 
fails and the helo/ehlo name looks like a FQDN then a forward lookup is done on 
that name. If this matches the remote IP, the helo/ehlo is used as the PTR 
domain and is optionally registered with a CNAME in the local DNSBL.

6) The SPF policy record for the sender domain is evaluated (NO best_guess).

7) If the result is "none" or "unknown", redirect the query to 
%{s@}.spf.local.
   - this local lookup returns "v=spf1 mx:%{o}/24 a:%{o}/24 
include:spf.trusted-forwarder.org ?all" by default.
   - big domains like yahoo, hotmail, compuserve,... have an entry in this zone 
like "v=spf1 ptr:something -all"
   - smaller domains have a more conservative entry, like "v=spf1 include ?all" 
or "+all"

8) If the SPF result still evaluates to "unknown", the connection fails with a 
"451 please try again later" error. This gives me some time to check the logs 
and enter the SPF record manually.

I'm using this scheme for almost a week now and the results are very promising. 
It only let a few spams slip thru (nailed by SpamAssassin though ;) because of 
the initial "ptr" mechanism in the default (best_guess) response.

The big problem I see is in those zillion very small domains that use a 
different provider for their incoming and outgoing mail. Most ISP's so far pass 
the default mx/24 a/24 test.

Is this an acceptable use of SPF or are there some major drawbacks in 
processing incoming e-mail this way?

Best regards,
Dirk
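The HELO checks (steps 1 and 2), the local-zone fallback with macro expansion (step 7) and the "unknown" deferral (step 8) described in the post above, as an added Python sketch that is not Dirk's code: the zone contents, the sender addresses and the 550 reply are constructed for illustration, and the macro expansion only handles %{s} and %{o}.

```python
import ipaddress

# Constructed stand-ins for the DNS data the post describes (no real resolver here).
HELO_BLACKLIST = {"aol.com", "compuserve.com"}
LOCAL_SPF_ZONE = {  # entries in the "spf.local" zone, keyed by sender domain (constructed)
    "yahoo.com": "v=spf1 ptr:yahoo.com -all",
    "tinyshop.example": "v=spf1 +all",
}
DEFAULT_LOCAL_RECORD = ("v=spf1 mx:%{o}/24 a:%{o}/24 "
                        "include:spf.trusted-forwarder.org ?all")


def expand_macros(record, sender):
    """Expand the %{s} (sender) and %{o} (sender domain) macros used in the local zone."""
    domain = sender.partition("@")[2].lower()
    return record.replace("%{s}", sender).replace("%{o}", domain)


def check_helo(helo, remote_ip):
    """Steps 1 and 2: static HELO blacklist, and an IP-literal HELO must equal the peer IP."""
    name = helo.strip("[]").lower()
    if name in HELO_BLACKLIST:
        return "reject"
    try:
        literal = ipaddress.ip_address(name)
    except ValueError:
        return "continue"  # a hostname: left to the DNSBL/rDNS steps 3-5
    return "continue" if literal == ipaddress.ip_address(remote_ip) else "reject"


def local_policy(sender, published_result):
    """Step 7: if the published SPF result is none/unknown, substitute the spf.local record."""
    if published_result not in ("none", "unknown"):
        return None  # the domain's own record decides; no fallback needed
    domain = sender.partition("@")[2].lower()
    return expand_macros(LOCAL_SPF_ZONE.get(domain, DEFAULT_LOCAL_RECORD), sender)


def smtp_reply(final_result):
    """Step 8: a result that is still 'unknown' is deferred so a record can be added by hand."""
    if final_result == "unknown":
        return "451 please try again later"
    if final_result == "fail":
        return "550 sender not permitted by SPF"  # constructed wording
    return "250 OK"
```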

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt

