spf-discuss

Re: SPF in a Shared Hosting Environment (non-ISP) -> "Whitelisting only" records

2004-08-03 05:42:59
On 3 Aug 2004 at 14:09, Daniel Lorch wrote:

We would like to deploy SPF in a shared hosting environment. The main problem 
we're facing is that customers are hosting their domains with us and are 
strongly advised to use our SMTP (with -AUTH or -after-pop), but quite often 
they're not. Instead, they're using their ISP's SMTP server.
One idea we came up with was to allow the customers to identify the 
mailservers they are using in their control panel, which are then written 
back to their domain's TXT records. (...)
I am convinced SPF will cause trouble when it's 
not properly configured - customers listing wrong servers, "forget" to update 
their SPF records etc. 

You could add the "exists" mechanism after all your accepted smtp-servers
and log detailed DNS-queries for it (see host -t txt altavista.com). So
you have a list of potential IPs your user used to send emails. You can
present this list to your user: "look, these are the IPs trying to send
email pretending to be you. Is that really you?". And all the user has to
do is to accept the IPs or not.

In our situation the best we can do for now is to publish "whitelisting only" 
records, i.e. if the mail originates from one of our mailservers others can 
consider it to be legitimate. According to the SPF specification I can prefix 
mechanisms with "?" to make them neutral. If I had a domain "example.net" and 
a TXT record like this:

  "v=spf1 mx ?all"

do I understand this correctly that this will allow mails to originate from 
all servers listed as MX in example.net (that's the intended whitelisting) 
and do nothing if it originates from another server?

That's it. This is a very important form in the deployment phase, where
you have the risk of something going wrong. I would place the "exists"
mechanism and dns-logging method before your "?all" so you can see what
is really "passing through" your allowed servers ("mx" in this case) and
adapt your policy. If you mean by "whitelisting only" that you are not
marking as bad the "rest" of the internet IP space, then yes. But I would
say that SPF is always about whitelisting your hosts, and the "?all" just
makes this whitelist a little more experimental.

Another issue I can see is that SA 3.0 does not give a lot of negative points 
if the SPF record is valid (probably because of the assumption that spammers 
will just buy new throwaway domains and set up valid SPF records). From 
50_scores.cf:

Yes, I would say that a "pass" does not mean "no spam", it just means
"the domain owner allowed this communication". So you have no guarantee 
that the domain owner is not a spammer, thus the low scoring. But then
other SpamAssassin mechanisms will most likely detect it.

Any other thoughts? Am I overlooking something? Experiences?

I have a small user-base (just my wife and myself) in my domain, so the
risk is small, thus I have set up a "-all" policy and am logging all
stuff that passes my rules via DNS using the exists mechanism. I am
noting a constant growth in SPF-deployment on the MTA-side. My domain is
being misused by forgers regularly for almost a year, so I have a good
way to follow this development. It started with about 200 DNS-servers
checking the exists-record per day in February and now it's at around 2000
checks per day. And this is just for my tiny little domain! :)

-- 
Ernesto Baschny <ernst(_at_)baschny(_dot_)de>
 http://www.baschny.de - PGP: http://www.baschny.de/pgp.txt
 Sao Paulo/Brasil - Stuttgart/Germany
 Ernst(_at_)IRCnet - ICQ# 2955403
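
The deployment-phase policy discussed in this thread, as an added example that is not part of the original messages: it evaluates "v=spf1 mx ?all" with a logging "exists" term placed before "?all", and turns the logged query names back into the list of sending IPs a customer would be asked to confirm. The `_spflog` label, the macro layout, the addresses and the stubbed DNS (a set of MX IPs and a list standing in for the nameserver's query log) are assumptions.

```python
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Constructed record: the thread's "v=spf1 mx ?all" plus a logging "exists" term.
# The _spflog label and the macro layout are assumptions, not from the thread.
RECORD = "v=spf1 mx exists:%{ir}.%{l}._spflog.%{d} ?all"

def expand(template, ip, sender):
    """Expand the SPF macros used here (IPv4 only): %{i}, %{ir}, %{l}, %{d}."""
    local, domain = sender.rsplit("@", 1)
    values = {"i": ip, "ir": ".".join(reversed(ip.split("."))), "l": local, "d": domain}
    for key, value in values.items():
        template = template.replace("%{" + key + "}", value)
    return template

def evaluate(record, ip, sender, mx_ips, dns_log):
    """Return the SPF result for ip; exists lookups are appended to dns_log."""
    terms = record.split()
    if terms[0] != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism == "mx":
            matched = ip in mx_ips  # stands in for the MX and A lookups
        elif mechanism.startswith("exists:"):
            # The receiver queries this name; the logging zone records it and
            # returns no A record, so the mechanism never matches.
            dns_log.append(expand(mechanism[len("exists:"):], ip, sender))
            matched = False
        elif mechanism == "all":
            matched = True
        else:
            raise ValueError("mechanism not covered by this example: " + mechanism)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched: default result

def candidates(dns_log, zone="_spflog"):
    """Turn logged query names back into (ip, local-part) pairs for review."""
    seen = []
    for name in dns_log:
        labels = name.split(".")
        pair = (".".join(reversed(labels[:4])), ".".join(labels[4:labels.index(zone)]))
        if pair not in seen:
            seen.append(pair)
    return seen

if __name__ == "__main__":
    log = []
    print(evaluate(RECORD, "203.0.113.7", "bob@example.net", {"192.0.2.10"}, log), candidates(log))
```

Mail from the listed MX host returns "pass" before the "exists" term is reached, so only senders outside the whitelist show up in the log.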