nanog mailing list archives
AW: SPF Configurations
From: "Andre Engel" <andre.engel () fhe3 com>
Date: Sat, 5 Dec 2009 01:13:17 +0100
John, nice to meet you :-)
Right. The only major mail system that pays attention to SPF is Hotmail, but there are enough small poorly run MTAs that use it that an SPF record which lists your outbounds and ~all (not -all) can be marginally useful to avoid bogus rejections of your mail.
For example:

host -t TXT hotmail.com
hotmail.com TXT "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"

host -t TXT google.com
google.com TXT "v=spf1 include:_netblocks.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"

host -t TXT amazon.com
amazon.com TXT "v=spf1 ip4:207.171.160.0/19 ip4:87.238.80.0/21 ip4:72.21.193.0/24 ip4:72.21.196.0/22 ip4:72.21.208.0/24 ip4:72.21.205.0/24 ip4:72.21.209.0/24 ip4:194.154.193.200/28 ip4:194.7.41.152/28 ip4:212.123.28.40/32 ip4:203.81.17.0/24 ~all"
amazon.com TXT "spf2.0/pra ip4:207.171.160.0/19 ip4:87.238.80.0/21 ip4:72.21.193.0/24 ip4:72.21.196.0/22 ip4:72.21.208.0/24 ip4:72.21.205.0/24 ip4:72.21.209.0/24 ip4:194.154.193.200/28 ip4:194.7.41.152/28 ip4:212.123.28.40/32 ip4:203.81.17.0/24 ~all"

host -t TXT ebay.de
ebay.de TXT "v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com include:p._spf.ebay.com include:c._spf.ebay.com ~all"
ebay.de TXT "spf2.0/pra mx include:s._sid.ebay.com include:m._sid.ebay.com include:p._sid.ebay.com include:c._sid.ebay.com ~all"

host -t TXT 1und1.de
TXT "v=spf1 ip4:82.165.0.0/16 ip4:195.20.224.0/19 ip4:212.227.0.0/16 ip4:87.106.0.0/16 ip4:217.160.0.0/16 ip4:213.165.64.0/19 ip4:217.72.192.0/20 ip4:74.208.0.0/17 ip4:74.208.128.0/18 ip4:66.236.18.66 ip4:67.88.206.40 ip4:67.88.206.48 ~all"

host -t TXT gmx.com
gmx.com TXT "v=spf1 ip4:213.165.64.0/23 ip4:74.208.5.64/26 ip4:74.208.122.0/26 -all"

host -t TXT enterprisemail.de
enterprisemail.de TXT "v=spf1 a:mout.enterprisemail.de -all"

etc.
As everyone here should already know, the fundamental problem with SPF is that although it does an OK job of describing the mail sending patterns of dedicated bulk mail systems, it can't model the way that normal mail systems with human users work. But so deep is the faith of the SPF cult that they blame the world for not matching SPF rather than the other way around, believing that it prevent forgery, having redefined "forgery" as whatever it is that SPF prevents. As the operator of one of the world's more heavily forged domains (abuse.net) I can report that if you think it prevents forgery blowback, you are mistaken.
You do know that I love the way abuse.net flies. Keep in mind the following situation, for instance: an infection vector of millions of bots sending millions of forged mails carrying evil polymorphic files camouflaged as your customers' bills. You will be glad to enforce the directive -all for a while. Sorry, I'm almost German: http://www.heise.de/security/meldung/1-1-warnt-Kunden-vor-gefaelschten-Rechnungen-131420.html

I know SPF is not the answer to everything... but sometimes it helps to secure a little bit of your "critical customers' infrastructure", and sometimes it helps to save your operative resources. I know there is a problem so far with forwarded emails, but there is also a solution: the solution could be to rewrite the envelope-from of all forwarded mail so that the given domain is a local domain with SPF records matching the originating mail server (or no SPF records at all). You have to transform the original envelope-from into a localpart and add some special local SRS domain to it. See http://spf.pobox.com/srs.html and http://www.libsrs2.org/ for a full description of SRS.

In practice, andre.engel () fhe3 com could receive an email from misterX () google com, where andre.engel () fhe3 com is forwarded to andre.engel () hotmail de. Before forwarding the email to the hotmail server I could rewrite the envelope-from from misterX () google com to google.com=misterX () srs enterprisemail de. srs.enterprisemail.de could be a valid domain for mails originating from our main mail clusters (enterprisemail), so possible SPF checks at hotmail would not bother. In case a bounce is generated at hotmail, it could be delivered back to the SRS address, thus to our enterprisemail main mail cluster, where we would recognise the SRS scheme and "un-rewrite" it back to misterX () google com and deliver the mail onward to the misterX () google com mail system.

But in the real world the rewriting isn't as simple as stated in the previous section. In fact you have to add some kind of checksum where the original mail address is mangled with a secret password, and a time stamp that makes the SRS address valid for some period of time. The mail address from above could look more like this: <SRS38=ldl23v=tz=google.com=MisterX () srs enterprisemail de>. Every time a mail arrives at an SRS address, the password and timestamp could be checked, and faked or outdated recipients could be rejected. If you ask about drawbacks, you're right: SRS generates very long localparts. Mail servers should, according to the RFC, accept local parts with at least 63 characters. Most mail servers accept longer local parts, but unfortunately some won't. For those rare cases it is possible to configure a list of mail servers for which SRS won't be applied.
For rants about how badly the world and/or SPF stink, followups to Spam-L. For proposals about other anti-spam magic bullets, followups to ASRG.
Indeed Spam-L is the best place to talk about anti-spam. Indeed CII is the best place to talk about critical infrastructures. Indeed nanog is the best place to talk about network stuff, but we are mostly operators looking for a valuable, comfortable solution to protect and share information. I do not really know if this will be a little off topic.

Cheers
Andre

--
Andre Engel
Consulting Program Director, Email and Cyber Intelligence Services
"..ehy my friend we seek the Grail!"
FHE3 GmbH
Scheffelstr. 17a
76135 Karlsruhe
P: +49 721 869 5907
M: +49 160 962 44476
andre.engel () fhe3 com
http://www.fhe3.com/
Amtsgericht Mannheim, HRB 702495
Umsatzsteuer-Ident: DE254677931
Geschäftsführer: Peter Eisenhauer, Michael Feger, Dimitrij Hilt

This message (including any attachments) is the property of FHE3 and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
-----Original message-----
From: John Levine [mailto:johnl () iecc com]
Sent: Friday, 4 December 2009 18:25
To: nanog () nanog org
Subject: Re: SPF Configurations

If the customer insists on using their domain, then you would have to have the customer set up an SPF record within their domain that points to your email server IP blocks.

Right. The only major mail system that pays attention to SPF is Hotmail, but there are enough small poorly run MTAs that use it that an SPF record which lists your outbounds and ~all (not -all) can be marginally useful to avoid bogus rejections of your mail.
As everyone here should already know, the fundamental problem with SPF is that although it does an OK job of describing the mail sending patterns of dedicated bulk mail systems, it can't model the way that normal mail systems with human users work. But so deep is the faith of the SPF cult that they blame the world for not matching SPF rather than the other way around, believing that it prevent forgery, having redefined "forgery" as whatever it is that SPF prevents. As the operator of one of the world's more heavily forged domains (abuse.net) I can report that if you think it prevents forgery blowback, you are mistaken.
For rants about how badly the world and/or SPF stink, followups to Spam-L. For proposals about other anti-spam magic bullets, followups to ASRG. R's, John
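The SRS rewrite and "un-rewrite" that Andre describes (forward rewrite with a secret-keyed hash and a timestamp, validation of bounces, rejection of forged or expired SRS addresses), as an added Python example; this is neither the poster's code nor libsrs2, and the SRS domain, secret and 21-day validity window are assumed values chosen for the example.

```python
import base64
import hashlib
import hmac
import time

# Assumed values for this example, not from the original message.
SRS_DOMAIN = "srs.example.net"
SECRET = b"example-secret-rotate-me"
MAX_AGE_DAYS = 21
# Base32 alphabet: each timestamp character carries 5 bits, as in SRS0.
TS_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def _timestamp(now):
    """Two base32 chars encoding (days since epoch) mod 1024."""
    days = int(now // 86400) % 1024
    return TS_CHARS[days >> 5] + TS_CHARS[days & 31]

def _hash(secret, ts, domain, local):
    """Short keyed hash over timestamp + original address; the secret
    keeps outsiders from minting SRS addresses that point at our cluster."""
    msg = (ts + domain + local).lower().encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha1).digest()).decode()[:4]

def srs_forward(sender, srs_domain=SRS_DOMAIN, secret=SECRET, now=None):
    """Rewrite the envelope-from of forwarded mail into SRS0=hash=ts=domain=local@srs_domain."""
    now = time.time() if now is None else now
    local, domain = sender.rsplit("@", 1)
    ts = _timestamp(now)
    new_local = f"SRS0={_hash(secret, ts, domain, local)}={ts}={domain}={local}"
    if len(new_local) > 64:  # RFC 5321 local-part limit; strict receivers reject longer ones
        raise ValueError("SRS local-part too long for a strict receiver")
    return f"{new_local}@{srs_domain}"

def srs_reverse(addr, secret=SECRET, now=None, max_age_days=MAX_AGE_DAYS):
    """Validate a bounce recipient; return the original sender or raise ValueError."""
    now = time.time() if now is None else now
    local, _ = addr.rsplit("@", 1)
    parts = local.split("=", 4)  # original local-part may itself contain '='
    if len(parts) != 5 or parts[0] != "SRS0":
        raise ValueError("not an SRS0 address")
    _, h, ts, domain, orig_local = parts
    if len(ts) != 2 or any(c not in TS_CHARS for c in ts):
        raise ValueError("bad timestamp")
    if not hmac.compare_digest(h, _hash(secret, ts, domain, orig_local)):
        raise ValueError("bad hash: forged address or wrong secret")
    then = TS_CHARS.index(ts[0]) * 32 + TS_CHARS.index(ts[1])
    if (int(now // 86400) % 1024 - then) % 1024 > max_age_days:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{domain}"
```

Bounces to a tampered or stale SRS address fail validation and can be rejected at the SRS host instead of being relayed to the original sender.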