spf-discuss

Re: mail administrator certification example

2004-07-30 09:49:27
John Keown wrote:
> Below you can all see the spf records published by surgeweb.com. This is an
> example of good intentions of a mail administrator trying to do the right
> thing but lacking an understanding of the internet and ip space. You can see
> that the spf records for ip are incorrect. They did not specify a boundary
> when describing the class c range. They used .1 not .0. I have sent 2 emails
> to the postmaster informing him of his error and either he did not receive the
> emails, just ignored them or feels he is correct in his notation.
>
> The end result is his spf records are useless as they do not parse
> properly.
>
> v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 a:send1.surgeweb.com mx -all

Not totally useless as it happens.

I've just had a spammer try to deliver a mail via several different open proxies/compromised hosts as follows:

Open proxy       Envelope Sender                                  SPF record
213.186.34.52    pegging(_at_)backtomyplace(_dot_)com             v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 a:send1.surgeweb.com mx -all
211.169.249.106  moderns(_at_)animal-act(_dot_)com                v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 a:send1.surgeweb.com mx -all
211.169.249.106  engineering(_at_)ilovebanging(_dot_)com          v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 a:send1.surgeweb.com mx -all
220.95.231.150   oratory(_at_)the-house-of-commons(_dot_)com      v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 a:send1.surgeweb.com mx -all
213.186.34.52    plausible(_at_)norbertcolon(_dot_)com            v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 a:send1.surgeweb.com mx -all
213.186.34.52    unties(_at_)ankle-biter(_dot_)com                v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 a:send1.surgeweb.com mx -all
213.186.34.52    genres(_at_)the-end-is-nigh(_dot_)com            v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 a:send1.surgeweb.com mx -all
211.169.249.106  molests(_at_)silly-old-moo(_dot_)com             v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 a:send1.surgeweb.com mx -all
202.101.18.176   unmasked(_at_)i-love-cambridge-united(_dot_)com  v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 a:send1.surgeweb.com mx -all
213.186.34.52    temptress(_at_)three-iron(_dot_)com              v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 a:send1.surgeweb.com mx -all

Since the milter I'm using *was* able to parse these records properly as per the SPF spec., my server was able to reject all of these mails. After that, the spammer (who really does seem to like surgeweb's domains) gave up.

Paul.
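
The disagreement in this thread, as an added example (not code from either poster or from any milter): a parser that insists on a network address rejects 216.65.64.1/24, while one that masks the host bits and compares only the prefix reads it as 216.65.64.0/24. The function names are hypothetical, and only the ip4 mechanisms are evaluated because a: and mx need DNS, so a None result means "no ip4 match", not a final SPF result.

```python
import ipaddress

# The record quoted in the thread.
RECORD = "v=spf1 ip4:216.65.64.1/24 ip4:216.65.3.1/24 a:send1.surgeweb.com mx -all"

# Connecting hosts listed in the reply's table.
CLIENTS = ["213.186.34.52", "211.169.249.106", "220.95.231.150", "202.101.18.176"]


def strict_parse_ok(cidr):
    """True if cidr is accepted by a parser that insists on a network address."""
    try:
        ipaddress.ip_network(cidr, strict=True)
        return True
    except ValueError:
        return False


def ip4_networks(record):
    """Return the ip4 mechanisms of an SPF record as masked networks."""
    nets = []
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")  # drop the qualifier, if any
        if mech.lower().startswith("ip4:"):
            # strict=False discards the host bits: 216.65.64.1/24 -> 216.65.64.0/24
            nets.append(ipaddress.ip_network(mech[4:], strict=False))
    return nets


def ip4_match(record, client_ip):
    """Return the first ip4 network containing client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    for net in ip4_networks(record):
        if addr in net:
            return net
    return None


if __name__ == "__main__":
    print("strict parser accepts 216.65.64.1/24:", strict_parse_ok("216.65.64.1/24"))
    print("masked networks:", [str(n) for n in ip4_networks(RECORD)])
    for ip in CLIENTS:
        print(ip, "->", ip4_match(RECORD, ip))
```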

