[TCLUG] DNS and SPF?

Sun Jul 4 03:12:09 CDT 2004

Matthew S. Hallacy writes:
> Spam does not land in my mailbox, messages returned by qmail,
> misconfigured postfix, old IIS servers, and a few specialized setups
> due to an accept *, reject later policy means that I get
> a daily bombardment  of rejects from remote hosts due
> to my address being spoofed in everything
> from 'XXXX STOCK IS ON THE RISE' to virus emails.

So reject everything with a null envelope sender.

> SPF is not meant to be a spam killer, it's meant to reduce the
> effectiveness of third party relays (compromised windows
> boxes, open relays, etc), ie, forged email.

SPF won't do anything to prevent that.  There will always be domains to
forge.  Additionally, spammers could simply add SPF records for their throw
away domains.

> Servers with SPF turned on would immediately recognize that
> poptix.net does not send mail from *.comcast.net, *.verizon.net,
> or any other large pool of  infected windows machines. This
> stops _whatever_ is inbound immediately and saves me the headache.

Ahh.  That is a benefit that I hadn't considered.  Unfortunately, it relies
on everyone else blocking incoming mail that doesn't match SPF.

> 1) There is no reaosn for mail, once it leaves my mail server, to
> travel through any other servers that are not on the MX list for
> the destination domain.

That's fine for you, but what about people who do forward their mail?

> spammers registering domains to send mail from
> is handled by other mechanisms, and provides a more direct link
> back to the spammer.

You obviously don't know much about spammers.  It's easy to anonymously
register domains with fake information.  No one notices until the domains
are used.  By the time they are terminated or blocked, the spammers have
switched domains.

> 7) Rejecting mail from people who choose to relay mail through
> unauthorized servers is fine with me. If they cannot be bothered
> to the proper mail server they can assume
> the risk of having their mail rejected.

What if your domain is hosted on your cable modem or DSL service, but your
IP address is blacklisted?

-- 
David Phillips <david at acz.org>
http://david.acz.org/

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list