
Does SPF Really Help Curtail Forged Email Headers?

Intelopment asks: "My domain name has recently been used a lot in the 'Reply' field by some inconsiderate spammer, and my ISP has suggested that I consider using the Open SPF service as a way to stop spammers from using my domain name in their mail headers field. From what I can tell, it requires the receiving mail server to actually participate in the SPF service, which is where I have my doubts. Does anyone have any experience with this service? Does it work? Are many ISPs using Open SPF?"
  • by SkunkPussy ( 85271 ) on Friday June 22, 2007 @06:53PM (#19614961) Journal
    I used to receive 30 bouncebacks a day due to spam. I switched to SPF, and it didn't immediately make a difference. After several weeks I noticed I was receiving maybe 1 or 2 bouncebacks a day.

    I cannot be certain whether this is due to the spammer observing my implementation of SPF and no longer using my domain as a return address, or whether the spammer still uses my domain but mail servers have stopped sending me the bouncebacks.

    Either way I+internet won, spammer lost.
  • by Aladrin ( 926209 ) on Friday June 22, 2007 @06:57PM (#19615011)
    I was initially like 'Why do I care?' but once I finally realized that it could help prevent people from using my domain name to spam -with- (rather than -to-), I was all for it. Especially since, as you note, it costs me nothing but a bit of time to set up. (And not much, since I use Google's mail servers, and they practically push the information on you.)

    It may not have a huge effect, but as a domain owner, I have had my domain 'used' a few times as the return address. It hasn't happened since I set up the SPF record. (Likely spammers don't think I'm as nice a target now.)
  • by braddeicide ( 570889 ) on Friday June 22, 2007 @07:02PM (#19615061)
    We checked SPF on all incoming mail to our ISP, it worked for a while, but eventually it wasn't worth the effort of dealing with legit mis-configured companies. Not to mention the fact customers wouldn't believe it wasn't our fault. Yes even banks make mistakes.
  • It Improves Your Fun (Score:3, Interesting)

    by chromatic ( 9471 ) on Friday June 22, 2007 @07:03PM (#19615065) Homepage

    The best part of using SPF, for me, is responding to automated mailers that send me messages saying "Your message to us failed an SPF check!" I always have great fun explaining that failing an SPF check means that they would have a better chance of reaching the person who actually sent the message by picking a random address on a random other domain.

  • It worked for me! (Score:4, Interesting)

    by mophab ( 137737 ) on Friday June 22, 2007 @07:03PM (#19615069)
    I think the spammers check the SPF records, and if there is one they don't forge your address.
    I had lots of problems with my e-mail address being forged by spammers.
    When I put in an SPF record, it stopped immediately.
  • by adminstring ( 608310 ) on Friday June 22, 2007 @07:15PM (#19615181)
    For several years I've been running LogSat Software's Spam Filter ISP [logsat.com] in front of my Exchange server. It uses SPF, blacklists, and Bayesian filtering to keep spam out, and between SPF and the blacklists, about 97% of the incoming spam connections I used to get are now disconnected immediately. The savings in bandwidth (and in processing power and storage space on my mail server) has been enormous.

    It allows me to set up a whitelist of the legitimate email addresses in my domain, and if an email tries to come in to an address that isn't on the whitelist, the connection is immediately dropped. So no more endless stream of "abernathy@mydomain.com,abraham@mydomain.com..." spam clogging up my badmail folder. YMMV, but I tried a number of different antispam products before settling on this one, and I'm a very happy camper.
  • by 6Yankee ( 597075 ) on Friday June 22, 2007 @07:26PM (#19615287)
    Barracuda (Can't recommend these guys enough)

    Recommend? Those bastards, their asshat defaults, and their RTFM-impaired users are responsible for some 40% of the shite in my mailbox right now (though that is unusually high, I grant you). It is NOT acceptable to bounce "back" to an innocent victim. It is NOT acceptable to advertise the piece of shit responsible in the subject header either - though I like to imagine competent sysadmins the world over vowing not to buy the product as a direct result.

    If everyone set up a rule to forward anything with "Message you sent blocked by Barracuda" to sales@barracuda.com with a "please fix your defaults", would that constitute a DDoS or just a mass appeal? (Yeah, I posted an email address. I figure they should be able to handle it, no?)
  • Log data... (Score:3, Interesting)

    by rthille ( 8526 ) <web-slashdot@@@rangat...org> on Friday June 22, 2007 @08:51PM (#19615933) Homepage Journal
    Since Mar 26th 2007 I've gotten dns requests for SPF (type 99) records 35 times, and text records (possibly/probably? for SPF) 692 times.

    So, someone is checking.
  • by gru3hunt3r ( 782984 ) on Saturday June 23, 2007 @03:44PM (#19622197) Journal
    http://www.zoovy.com/ [zoovy.com] Zoovy.com is an e-commerce provider that requires all customers using their mail service to use restricted SPF records for their domains. This has cut down on our SPAM being sent both to and more importantly *from* our domains by spammers considerably.

    The problem is most ISPs and other hosting providers don't control the entire e-mail application stack enough to implement it without an army of technical support people, it's just not economical. That and diagnosing mail problems is too freaking difficult for low level helpdesk people.

    It's like credit card fraud, the entire system will need to be retrofitted before it can be significantly reduced or even eliminated, but the short term cost of dealing with fraud outweighs the long term upfront cost of retrofitting billions of dollars worth of swipes, magstrip readers, and point of sale systems.

    Eventually the problem will get bad enough and/or a big mail provider (hotmail, gmail, yahoo) will grow a pair and start flagging email that arrives at domains without SPF as spam. Either that or something like Y2K will happen again and require everybody to update to stuff that supports SPF, this could be as soon as 2010 when we run out of IP addresses.

    Wouldn't hold my breath though ... my prediction is it will probably happen sometime after IPv6 is rolled out.
  • by eneville ( 745111 ) on Saturday June 23, 2007 @06:08PM (#19623291) Homepage
    Consider the following:

    S: 200 happy to meet you sir
    C: helo example.com
    S: 220 happy to meet you
    C: mail from:
    S: 220 ok
    C: rcpt to:
    S: 220 ok
    C: data
    S: 220 begin
    C: Subject: v1ag7a
    C: From: customersupport@ebay.com
    C: To: you@yourdomain.com
    C:
    C: message body
    C: .

    You see how the mail from envelope can be manipulated to hold a domain that differs from the message body headers. This is ok for SPF since otherwise it would break email lists.

    What it might do is help prevent back scatter spam from hitting your domain if the original recipient's mail server DOES check the SPF for the mail from... that is all.
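
The envelope/header split described in the comment above, as an added example that is not part of the original post: a reduced SPF check (ip4/ip6/all mechanisms only) run against the envelope MAIL FROM, while the header From is parsed but never consulted. The domains, IP ranges, TXT records and the "no bounce on fail" receiver policy are constructed assumptions; a real checker does live DNS lookups and also handles include, a, mx and redirect.

```python
import ipaddress
from email import message_from_string

# Constructed TXT records standing in for DNS (documentation IP ranges).
SPF_TXT = {
    "yourdomain.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "bulk-sender.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed message: the header From names a domain unrelated to the envelope.
MSG = ("Subject: test\nFrom: customersupport@ebay.com\n"
       "To: you@yourdomain.com\n\nmessage body\n")

def check_spf(client_ip, mail_from):
    """Evaluate the ip4/ip6/all subset of SPF for the envelope sender."""
    domain = mail_from.rpartition("@")[2].lower()
    record = SPF_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                       # no mechanism matched

def receive(client_ip, mail_from, data):
    """Return (SPF result, header From, whether a bounce would be sent)."""
    result = check_spf(client_ip, mail_from)
    header_from = message_from_string(data)["From"]   # never checked by SPF
    # Assumed receiver policy: on SPF fail, reject in-session and send no
    # bounce, so the forged envelope domain receives no backscatter.
    send_bounce = result != "fail"
    return result, header_from, send_bounce
```

A sender that forges yourdomain.example in MAIL FROM from an unlisted IP gets "fail" and triggers no bounce; the same message sent with the sender's own envelope domain gets "pass" even though its header From still reads customersupport@ebay.com.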
