spf-discuss

Re: Standard reply for bounced forgeries from clueless admins?

2004-06-10 11:39:04
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 10 June 2004 11:14 am, Stuart D. Gathman wrote:
> Virii lie about who sent them.  It only annoys innocent bystanders to
> send this kind of message.  At the very least, send such messages as MAIL
> FROM: <> or MAIL FROM: <postmaster@tfeurope.com>.  That way, I can
> automatically discard them when they reference messages our mail servers
> did not send.
>
> Also, do yourself a favor and look at SPF:
>
> http://spf.pobox.com
>
> You can help prevent the same thing happening to you by publishing SPF
> records. And you can avoid annoying as many innocent bystanders by
> checking SPF records for mail that you receive.

How about this:

Your email server sent a bounce message to my server. Since I did not send a 
message to your server, this is considered unsolicited mail or spam. 
Attached is the message I received. 

I would normally discard such bounce messages as I receive about X a day. I 
want to introduce to you SPF and how it can solve this particular problem, 
however. 

I have described what servers are allowed to send email for my domain via my 
SPF records published via DNS. (Try querying DNS for TXT records for the 
domain X.com) The server that sent you this email was not one of them.

I would encourage you to configure your mail servers to check SPF records. 
Configuring your servers is easy. Software for all major email servers is 
readily available, including sendmail, postfix, Exim, and Microsoft 
Exchange Server.

Publishing SPF records is also quite easy. There is a tool at 
http://spf.pobox.com/wizard.html that will help you determine what record 
to publish.

Over 19,000 domains have published SPF records. Some notables include:
        - Amazon.com
        - AOL.com
        - blah blah blah

You may find it important to note that AOL will only whitelist domains that 
publish SPF records. If you do not publish SPF records by the end of the 
summer of 2004, then your email may not be received by AOL. AOL has X 
million subscribers which represent about Y% of the total number of 
internet users. Many other domains are going to enact a similar policy.

More information on SPF can be found at http://spf.pobox.com/. If you have
any questions you can email me or the SPF help list at
subscribe-spf-help@v2.listbox.com.

- -- 
Jonathan M. Gardner
Mass Mail Systems Developer, Amazon.com
jonagard@amazon.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAyKrIBFeYcclU5Q0RAhGAAKDVYnbFfnEe22I3NFxUE/JPPvo8YACfQUak
QbCCWIMrNkL6WJNEocfim04=
=XwRw
-----END PGP SIGNATURE-----
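The check discussed in this thread (query the forged domain's SPF TXT record, decide whether the client IP that injected the original message was one of that domain's permitted senders, and discard the bounce if it was not) as an added worked example. This is not code from the original post nor from any of the SPF implementations the message mentions. It assumes a constructed in-memory DNS table with illustrative names (example.net, _spf.example.org, mail.example.net, relay.example.org and addresses from the RFC 5737/3849 documentation ranges) in place of live lookups, and it assumes the caller has already pulled the original message's client IP out of the Received header quoted in the bounce. It goes a little beyond the text by handling the ip4/ip6, a, mx, include and redirect terms and the RFC 7208 lookup limit, so it also catches a looping include.

```python
"""Minimal v=spf1 evaluator for triaging bounces of forged mail.

Added example, not code from the original post. DNS is a constructed
in-memory table so it runs offline; swap lookup() for a real resolver
(e.g. dnspython) to use it against live records.
"""
import ipaddress
import re

# Constructed zone data (assumption: illustrative names and addresses).
FAKE_DNS = {
    ("example.net", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.example.org -all"],
    ("example.net", "MX"): ["mail.example.net"],
    ("mail.example.net", "A"): ["198.51.100.10"],
    ("_spf.example.org", "TXT"): ["v=spf1 a:relay.example.org ~all"],
    ("relay.example.org", "A"): ["203.0.113.5"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
    ("nospf.example", "TXT"): ["unrelated text record"],
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 s4.6.4: a/mx/include/redirect lookups per check
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM = re.compile(r"([a-z0-9]+)(?::([^/]+))?(?:/(\d+))?", re.I)


def lookup(dns, name, rrtype):
    return dns.get((name.lower(), rrtype), [])


def spf_record(dns, domain):
    """Return the domain's single v=spf1 TXT record, None if absent; raise on duplicates."""
    recs = [r for r in lookup(dns, domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(recs) > 1:
        raise ValueError("multiple SPF records")
    return recs[0] if recs else None


def ip_in_host_records(dns, host, ip, cidr):
    """True if one of host's A/AAAA records (widened by cidr) covers ip."""
    for addr in lookup(dns, host, "A" if ip.version == 4 else "AAAA"):
        if ip in ipaddress.ip_network(f"{addr}/{cidr}", strict=False):
            return True
    return False


def check_spf(dns, domain, client_ip, _state=None):
    """Evaluate domain's SPF policy for client_ip: pass/fail/softfail/neutral/none/permerror."""
    ip = ipaddress.ip_address(client_ip)
    state = _state if _state is not None else {"lookups": 0}
    try:
        record = spf_record(dns, domain)
    except ValueError:
        return "permerror"
    if record is None:
        return "none"
    default_cidr = 32 if ip.version == 4 else 128
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                              # modifier, not a mechanism
            name, _, value = term.partition("=")
            if name.lower() == "redirect":
                redirect = value
            continue                                 # unknown modifiers are ignored
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        m = TERM.fullmatch(term)
        if not m:
            return "permerror"
        mech, arg, cidr = m.group(1).lower(), m.group(2), m.group(3) or default_cidr
        if mech in ("a", "mx", "include"):
            state["lookups"] += 1
            if state["lookups"] > MAX_DNS_LOOKUPS:   # also stops include loops
                return "permerror"
        try:
            if mech == "all":
                matched = True
            elif mech in ("ip4", "ip6"):             # version mismatch simply fails to match
                matched = ip in ipaddress.ip_network(f"{arg}/{cidr}", strict=False)
            elif mech == "a":
                matched = ip_in_host_records(dns, arg or domain, ip, cidr)
            elif mech == "mx":
                matched = any(ip_in_host_records(dns, mx, ip, cidr)
                              for mx in lookup(dns, arg or domain, "MX"))
            elif mech == "include":
                sub = check_spf(dns, arg, client_ip, state)
                if sub in ("permerror", "none"):     # included domain without SPF is an error
                    return "permerror"
                matched = sub == "pass"
            else:                                    # ptr/exists not implemented here
                return "permerror"
        except ValueError:                           # malformed address or prefix length
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        state["lookups"] += 1
        if state["lookups"] > MAX_DNS_LOOKUPS:
            return "permerror"
        sub = check_spf(dns, redirect, client_ip, state)
        return "permerror" if sub == "none" else sub
    return "neutral"                                 # no mechanism matched


def classify_bounce(dns, our_domain, original_client_ip):
    """Triage a bounce whose quoted original claims our_domain as sender.

    The bounce itself arrives with MAIL FROM <> (or postmaster@), so the
    question is whether the *original* message's client IP was one of ours.
    """
    result = check_spf(dns, our_domain, original_client_ip)
    if result in ("fail", "softfail"):
        return "discard"     # forged: our servers never sent it
    if result == "permerror":
        return "review"      # broken policy; don't throw mail away on it
    return "deliver"         # pass/neutral/none: may be a genuine bounce
```

Run against the constructed table, 192.0.2.77 and the MX address 198.51.100.10 pass example.net's policy directly, 203.0.113.5 passes through the include, and 203.0.113.99 fails on the final "-all", so a bounce quoting a message from that address is discarded; the self-including loop.example record trips the lookup limit and comes back "permerror", which the triage routes to a human rather than to the bit bucket.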