Results 1 to 22 of 22

Thread: SPF for mail

  1. #1

    SPF for mail

    Is anybody using this ? And is there pros and cons?



    Sender Policy Framework (SPF) fights return-path address forgery and makes it easier to identify spoofs

    http://spf.pobox.com/

  2. #2
    Join Date
    Jun 2000
    Location
    Washington, USA
    Posts
    5,990
    I'm using it on a few domains, works quite well for me. As well, I check SPF records, and I certainly cut down on phishing e-mails.

  3. #3
    Join Date
    Jan 2004
    Location
    North Yorkshire, UK
    Posts
    4,164
    No cons that I can see so long as you do it properly, I'm using it and have also implemented into cPanel DNS zone templates.

    Dan
    █ Dan Kitchen | Technical Director | Razorblue
    █ ddi: (+44) (0)1748 900 680 | e: dkitchen@razorblue.com
    █ UK Intensive Managed Hosting, Clusters and Colocation.
    █ HP Servers, Cisco/Juniper Powered BGP Network (AS15692).

  4. #4
    No cons on publishing an SPF record. Infact everyone should publish SPF records for all their domains.

    As for implementing SPF checking on incoming mail? You might lose some legitimate emails.

  5. #5
    Join Date
    Jul 2003
    Location
    Nothing but, net
    Posts
    2,064
    Originally posted by RazorBlue - Dan
    No cons that I can see so long as you do it properly, I'm using it and have also implemented into cPanel DNS zone templates.

    Dan
    Same here.

    No ill effects and everything appears to be good.

  6. #6
    Join Date
    Feb 2003
    Location
    Bay Area, CA
    Posts
    215
    Unfortunately the system is quite flawed and will take a long time to be adopted on a wide scale (if ever).

    Spammers have been adding SPF records in order to get by this system...in fact a spammer was the first ever to use an SPF record.

    It can't really hurt to add the records, and filtering using the records may cut down on some spam, but to think this is the solution to the spam problem is quite a stretch. I wouldn't put much effort into adopting this system.

  7. #7
    The system doesn't claim to stop spam!

    The system claims to stop forged emails/emails with forged headers. And in turn reduce generation of bounce messages to the innocent party.

    The system works very well for what it claims to do!

    From http://spf.pobox.com
    What is SPF?

    SPF is Sender Policy Framework

    SPF fights return-path address forgery and makes it easier to identify spoofs.
    Sender ID adds PRA checking.
    Domain owners identify sending mail servers in DNS.
    SMTP receivers verify the envelope sender address against this information, and can distinguish authentic messages from forgeries before any message data is transmitted.

  8. #8
    Join Date
    Jul 2003
    Location
    Nothing but, net
    Posts
    2,064
    Originally posted by Huminie
    Unfortunately the system is quite flawed and will take a long time to be adopted on a wide scale (if ever).

    Spammers have been adding SPF records in order to get by this system...in fact a spammer was the first ever to use an SPF record.

    It can't really hurt to add the records, and filtering using the records may cut down on some spam, but to think this is the solution to the spam problem is quite a stretch. I wouldn't put much effort into adopting this system.
    Thank you for misunderstanding what the system was designed to do.

    This system was designed to prevent email from claiming to be sent from hotmail or yahoo when it was really sent from no address at all.

    This would at least help prevent phishing and joe jobs. It would also stop spoofed spam which is a severe problem.

  9. #9
    You might lose some legitimate emails
    seems like this might be a con...?

  10. #10
    Join Date
    Jan 2004
    Location
    North Yorkshire, UK
    Posts
    4,164
    It's not a con, let me explain how it works. It's a great tool to stop people recieving e-mails such as those spoofs that many get from banks, eBay, etc etc.

    When an e-mail is sent out, say for example mail is being sent FROM hotmail TO yahoo.

    **First example - legit email**

    -The Mail is sent from Hotmail's servers
    -Yahoo's servers recieve it and look for hotmail.com's SPF record.
    -Hotmail's SPF record says mail can only come from the 1.1.1.0/24 IP range.
    -The email came from this range, and is recognised as OK, and delivered to the user.

    **Second example - spoofed e-mail**

    -The Mail is sent from Hotmail's servers
    -Yahoo's servers recieve it and look for hotmail.com's SPF record.
    -Hotmail's SPF record says mail can only come from the 1.1.1.0/24 IP range.
    -The email didn't come for this range and is flagged as negative.
    -The email doesn't get delivered.
    █ Dan Kitchen | Technical Director | Razorblue
    █ ddi: (+44) (0)1748 900 680 | e: dkitchen@razorblue.com
    █ UK Intensive Managed Hosting, Clusters and Colocation.
    █ HP Servers, Cisco/Juniper Powered BGP Network (AS15692).

  11. #11
    Join Date
    Feb 2003
    Location
    Bay Area, CA
    Posts
    215
    I have a very good understanding of what SPF claims to do and what the perceived benefit will be and it is my opinion that implementing the use of SPF is not worth the time it takes to implement. (And it doesn't take much time, so what does that say?)

    It won't stop spoofs, it won't stop phishing and it won't stop spam. I will not waste my time implementing a system with so few benefits when there are some many better ways to address all these issues.

    If you guys are using it and perceive a benefit, then good for you. I personally can't recommend this as a solution that provides any real world value and the slow adoption rate of the technology suggests others agree with me as well.

  12. #12
    Originally posted by Huminie
    I have a very good understanding of what SPF claims to do and what the perceived benefit will be and it is my opinion that implementing the use of SPF is not worth the time it takes to implement. (And it doesn't take much time, so what does that say?)

    It won't stop spoofs, it won't stop phishing and it won't stop spam. I will not waste my time implementing a system with so few benefits when there are some many better ways to address all these issues.
    It says, 1.) Possible Spammer/Spoofer 2.) You'd take more time to discuss why not to implement it then actually taking the little amount of time to implement it.

    Norton, McAfee - won't stop viruses, does that stop you from using Antivirus software?

    Nothing can stop spam right now, but the industry can definitely take measures to reduce it. If you're not one of them, that makes one addtional VAS for everyone else who does.

    When used in combination with DomainKey's the solution is quite powerful, that in conjunction with Spam Software, a better solution than just having spam software. The point isn't to be perfect, but to continue the effort to reduce spam.

  13. #13
    Join Date
    Mar 2004
    Location
    New Jersey
    Posts
    798
    Originally posted by Huminie
    I have a very good understanding of what SPF claims to do and what the perceived benefit will be and it is my opinion that implementing the use of SPF is not worth the time it takes to implement. (And it doesn't take much time, so what does that say?)

    It won't stop spoofs, it won't stop phishing and it won't stop spam. I will not waste my time implementing a system with so few benefits when there are some many better ways to address all these issues.

    If you guys are using it and perceive a benefit, then good for you. I personally can't recommend this as a solution that provides any real world value and the slow adoption rate of the technology suggests others agree with me as well.
    You're saying that because all SPF does is help to identify spoofs instead of being the swiss army knife solution for phishing, spam, etc that you will debunk it's value? How narrow of a view... you don't work for Microsoft, do you?

  14. #14
    Join Date
    Jan 2005
    Location
    San Francisco/Hot Springs
    Posts
    991
    I use it, it seems to work.
    On the servers that I have it setup on, it seems to reject enough forged mail for me to notice heh.
    AppliedOperations - Premium Service
    Bandwidth | Colocation | Hosting | Managed Services | Consulting
    www.appliedops.net

  15. #15
    Join Date
    Feb 2003
    Location
    Bay Area, CA
    Posts
    215
    One of my favorite expressions is "work smarter not harder". I guess that about sums it up.

  16. #16
    SPF is about working smarter not harder.

    Rather then wasting server resources processing virus laden email claiming to be from Microsoft, check if they were sent from Microsoft using SPF.

    I've been using it for my outbound and inbound mail, and it is useful. In fact, it's extremely quick adoption and rapid pickup by major players (who have taken years and years on other ideas) is evidence of the obvious value of SPF.

    Given your indepth knowladge of SPF, I would suggest contacting the major spam groups (who are also informed on the issue of spam) along with Amazon, Apple, DoubleClick, Eart*****, Google, O'Reilly, Symantec, Verizon and AOL, to alert them that they have hired idiots who have done something useless.

    The fact is, SPF stops cold the risk that innocent domains get blamed for spam attacks. You have obviously never run a business with a large user base or a high value website. I can tell you that having someone spam using your domain is a huge pain in the neck. This fixes that.

    Clearly doesn't pick up purported sender, which I do think was an oversight, but flexability is being built in to addess some of these added isssues, along with new proposals.

    Implementation is trivial, and good practice actually for further approaches as they are developed.

  17. #17
    Join Date
    Feb 2003
    Location
    Bay Area, CA
    Posts
    215
    I have stated my opinion about SPF. I am sorry you don't agree with it. That is your choice, and everyone else's. The reason we have these discssions and boards is to get different points of view.

    For what its worth I use a system that does everything SPF does plus more, is easier to implement and never wastes server resources.

    Also, your assumption about what I and my business do is wrong. The company I work for processes more email than most of the companies you listed.

  18. #18
    You can lose some legitimate email by implement SPF checking on incoming emails. This can usually happen in the case where some people use their ISP email account to send mail but set the sender and relpy to addresses as something else other than their ISP email account. Quite a few people do this, so you could lose mail from these people. Another issue is for those people who use forwarding email accounts.

    Publishing an SPF record on the hand has no ill effects whatsoever and the benefits are great.

    I have no idea what Huminie is referring to here as ill effects. And I sure am not aware of any of these great alternatives that he doesnt speak about but says exists. Care to share some of them with us?

    I'll say it again, SPF does what it claims to do and is great at it!

    PS: By the way, SPF is being widely adopted!
    Hotmail, AOL, Everyone.net, and several other ISPs and email providers have already published SPF records. AOL takes it a step further requesting their whitelisted domains to publish SPF records. http://postmaster.aol.com/spf/

    Even on the hosting side, you find major control panel manufacturers including or having an option to publish SPF records seamlessly for domains created through the control panel system.

  19. #19
    Thanks for the ...responses as it has answered a few question I hadnot thought of

    regards

  20. #20
    Join Date
    Mar 2004
    Location
    New Jersey
    Posts
    798
    Originally posted by Huminie
    I have stated my opinion about SPF. I am sorry you don't agree with it. That is your choice, and everyone else's. The reason we have these discssions and boards is to get different points of view.
    I, for one, won't argue that you certainly have the right to express your opinion. I'm just having a hard time understanding where yours comes from.

    You say that SPF offers no value for the effort, but acknowledge it's an extremely simple process. You say that you understand what it does, but continue to point out that it doesn't stop spam, spoofing or phishing. You point out slow adoption then sidestep the issue of it being adopted by some of the most popular ISPs and businesses on the internet with "my business is better than them". I still don't see why you think it won't work. Correct me if I'm wrong, but unless a spammer controls my DNS information the system will work, no?

    To grace5: The bottom line is this: in the changing world of the web, SPF is one more way to add to the layers of protection you should be implementing on your server(s). At the very least, it doesn't hurt to add an SPF line to your DNS zone file. If whizzing on a spark plug and shoving it in a USB port would help reduce costs for my customers I am sure I would do it.

  21. #21
    Join Date
    Jun 2000
    Location
    Washington, USA
    Posts
    5,990
    I would say, that when checking SPF records, you shouldn't accept/reject based on them. But, use it in conjunction with other systems, such as SpamAssassin.

  22. #22
    Join Date
    Jul 2003
    Location
    Olean, NY
    Posts
    143
    I don't publish spf records for a simple reason: SPF checks the sending IP address, and compares it to the list of IP addresses allowed to send mail from that domain.

    As an IHP, I encourage my users to send messages from their ISP's smtp servers if at all possible. It cuts down on our bandwidth, gives them faster service, and ensures that they can still send mail if their ISP blocks port 25.

    Since I can't maintain a list of the valid IP addresses for every customer's ISP's smtp server, it means that publishing an SPF record would cause my customer's mail to get rejected. If I used a wildcard it would defeat the whole purpose of SPF.

    I do use spf filtering for incoming emails. If an ESP chooses to publish an spf record, it means that they have a business model that supports a list of trusted smtp servers, and I would like to utilize that information. Filtering incoming SPF certainly helps cut down on all the forged hotmail/yahoo messages, and also protects customers against phishing.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •