spf-discuss
[Top] [All Lists]

RE: HOWTO: track SPF requests to see who says to be you

2004-11-26 06:12:54
-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of Guy
Sent: Thursday, November 25, 2004 8:56 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] HOWTO: track SPF requests to see
who says to
be you


I log SPF hits now.  I don't need a second DNS server.  I just have an
exists:something-unique.watkins-home.com and grep for
"something-unique" in
my log files.  No problem.  In the example below I would just grep for
"spf-tracker" in the log file.

Am I missing something?

Yes  :)

You have your own FIRST DNS server to use to log the hits.

Most domain owners do not have their own DNS server.

For work I have my own DNS server, and I could log just fine.  But for my 
*personal* domain names,
they are hosted by a registrar, so I have no way to use the "exists" clause to 
log them.


Terry Fielder
Manager Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
terry(_at_)greatgulfhomes(_dot_)com
Fax: (416) 441-9085



Guy

-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of
terry(_at_)ashtonwoodshomes(_dot_)com
Sent: Thursday, November 25, 2004 5:41 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] HOWTO: track SPF requests to see
who says to be
you

Well, Stephane beat me to the punch (I was working on a
howto).  Anyway...

But here's a problem:  most people do not have their own DNS
servers, and I
doubt their ISP would
co-operate with this config on the ISP DNS server.

So I was wondering if we could do something like this, but
instead of an
exists that hits a DNS
server, the exists (or whatever it is called) would hit a cgi
script running
on the domain owners
website and hence the cgi script could track and log the
(what will end up
being) SPF FAIL (or ?
result or whatever)

Without too much thought it is apparent that the current
exists mechanism
would not work, (even if
one faked a different domain and had a http answering port
53, because http
is TCP and the request
would be UDP).

Doh!

So would the developers be interested in allowing something
like an exists
that would do an http
call to allow for logging.

Naturally, the machine checking the SPF would have the right
to ignore that
http exists call (since
its purely for logging, and does represent a potential DOS attack by
resource overload).

I think it would be a big benefit to most vanity domains and
companies with
outsourced DNS (which is
most except some big ones I think)

Then the domain trying to deploy SPF can:
-test and see what will happen
-use it to discover any servers they forgot
-use it to discover any services (e.g. blackberry) which they
need to allow
their users to send from

Would the developers be accommodating to that if I was to
work on something
like that?


Terry Fielder
Manager Software Development and Deployment
Great Gulf Homes / Ashton Woods Homes
terry(_at_)greatgulfhomes(_dot_)com
Fax: (416) 441-9085


-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com]On Behalf Of 
Stephane
Bortzmeyer
Sent: Thursday, November 25, 2004 8:16 AM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: [spf-discuss] HOWTO: track SPF requests to see who
says to be
you


[The following text is distributed under the GFDL licence and
therefore can be added to any Web page about SPF. Fixing the english
mistakes is of course allowed.]

You want to publish SPF records but you fear that some of your email
will be rejected by SPF-checking sites?

You have heard that SPF records not ending in -all are for sissies
only but you're not sure?

You have read some people's messages on spf-discuss saying
there is no
problem with forwarding and no problem with roaming users,
but you do
not trust them?

You abide by the rule that changes in architecture should be
field-tested before being rolled out?

You are right. Here is a way to test what the SPF checkers will
see. You just need a DNS server able to log requests (we
will use BIND
9).

<troll>This is a patent-pending technique, invented by me.
I intend to
grant a RAND licence to anyone I like. The obvious prior
art does not
bother me, since the DNS records are not archived, it will be
impossible to prove that other people used that technique before
me.</troll>

First, you need a *dedicated* name server. Unfortunately,
there is no
way in BIND 9 to log requests on a per-zone or per-view
basis. You do
not need a dedicated machine but you need a dedicated name
daemon (you
can use several IP addresses on one machine, if there is already a
name server running, this is not covered in this HOWTO.)

Then, you need to configure it to log requests. In named.conf:

logging {
              channel "query_log" {
                   file "/var/tmp/query.log" versions 3 size 2m;
                   print-time yes;
                   print-category yes;
               };
              category "queries" { "query_log"; };
};

Read the BIND's ARM (Administrator Resource Manual) to get the
details. Basically, It tells BIND to log every query to
/var/tmp/query.log.

You must *restart* the name server. Reloading is not
sufficient. Then,
you should have a /var/tmp/query.log file and requests sent to the
name server will be logged in it.

Then, configure your name server to serve the SPF tracking zone:

options {
   ... (Other options)
      recursion no;
};

zone "spf-tracker.example.net" {
    type master;
    file "spf-tracker.example.net";
};

And in the spf-tracker.example.net file, you put something like:

$TTL    86400
@       IN      SOA   ns.spf-tracker.example.net.
hostmaster.example.net. (
                  2004112501         ; Serial
                      604800         ; Refresh
                       86400         ; Retry
                     2419200         ; Expire
                       86400 )       ; Negative Cache TTL
@       IN      NS      ns
@       IN      MX     0   0.0.0.0
@       IN      TXT   "v=spf1 -all"
ns       IN      A      X.Y.Z.T

And reload your name server. The last step is to actually delegate
spf-tracker.example.net to ns.spf-tracker.example.net (not
covered in
this HOWTO).

Then, it is time to modify your SPF record. Keep an eye on your
favorite draft-of-the-day, I use draft-schlitt-spf-00
(http://www.midwestcs.com/spf/spf_classic_libspf2/draft-schlit
t-spf-00.html)
and read about macros. I have choosen the following string to make the
actual DNS request:

%{i}._.%{h}._.%{s}._.%{r}.spf-tracker.example.net

although experience seems to indicate that %{r} is not widely
implemented.

To make the SPF checkers query that string, I add it in my SPF record,
just *before* the final "?all" (since we are testing, we use a ? for
the last mechanism):

example.net. IN TXT "v=spf1 mx
+exists:%{i}._.%{h}._.%{s}._.%{r}.spf-tracker.example.net ?all"

That's all. Soon, you will see SPF checkers starting to query you. You
can test right now by sending mail from various places and different
setups to echo(_at_)generic-nic(_dot_)net or 
spfenabled(_at_)pobox(_dot_)com(_dot_)

Here is a typical request, as logged by BIND:

25-Nov-2004 13:46:33.580 queries: client 208.58.1.193#17010: query:
80(_dot_)67(_dot_)170(_dot_)20(_dot_)_(_dot_)foo(_dot_)bar(_dot_)_(_dot_)bortzmeyer\(_at_)example(_dot_)net(_dot_)_(_dot_)r(_dot_)spf-track
er.example.net
IN A -

You can see that the SPF checker is 208.58.1.193 (a Pobox machine),
its SMTP client was 80.67.170.20, which announced itself in HELO as
foo.bar, the sender claimed to be bortzmeyer(_at_)example(_dot_)net(_dot_)

Writing the Python or Ruby script to parse the log and make statistics
is left as an exercice. In practice, it is more interesting to
manually examine the log: each line is a problem, a sender which did
not pass through your known SMTP senders. Either it was a worm or a
configuration bug that you should investigate before switching from
"?all" to "-all".





-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
http://www.InboxEvent.com/?s=d --- Inbox Event Nov 17-19 in
Atlanta features
SPF and Sender ID.
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
http://www.InboxEvent.com/?s=d --- Inbox Event Nov 17-19 in
Atlanta features
SPF and Sender ID.
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
http://www.InboxEvent.com/?s=d --- Inbox Event Nov 17-19 in
Atlanta features SPF and Sender ID.
To unsubscribe, change your address, or temporarily
deactivate your subscription,
please go to
http://v2.listbox.com/member/?listname=spf-discuss(_at_)v2(_dot_)listbox(_dot_)com