Does SPF Really Help Curtail Forged Email Headers?
Intelopment asks: "My domain name has recently been used a lot in the 'Reply' field by some inconsiderate spammer, and my ISP has suggested that I consider using the Open SPF service as a way to stop spammers from using my domain name in their mail headers field. From what I can tell, it requires the receiving mail server to actually participate in the SPF service, which is where I have my doubts. Does anyone have any experience with this service? Does it work? Are many ISPs using Open SPF?"
drastically reduced mail server bounces (Score:5, Interesting)
I cannot be certain whether this is due to the spammer observing my implementation of SPF and no longer using my domain as a return address, or whether the spammer still uses my domain but mail servers have stopped sending me the bouncebacks.
Either way I+internet won, spammer lost.
Re:Some ISPs do, some don't.. but what's it cost y (Score:3, Interesting)
It may not have a huge effect, but as a domain owner, I have had my domain 'used' a few times as the return address. It hasn't happened since I set up the SPF record. (Likely spammers don't think I'm as nice a target now.)
Not worth the complaints (Score:3, Interesting)
It Improves Your Fun (Score:3, Interesting)
The best part of using SPF, for me, is responding to automated mailers that send me messages saying "Your message to us failed an SPF check!" I always have great fun explaining that failing an SPF check means that they would have a better chance of reaching the person who actually sent the message by picking a random address on a random other domain.
It worked for me! (Score:4, Interesting)
I had lots of problems with my e-mail address being forged by spammers.
When I put in an SPF record, it stopped immediately.
How I implemented SPF in an Exchange environment (Score:2, Interesting)
It allows me to set up a whitelist of the legitimate email addresses in my domain, and if an email tries to come in to an address that isn't on the whitelist, the connection is immediately dropped. So no more endless stream of "abernathy@mydomain.com,abraham@mydomain.com..." spam clogging up my badmail folder. YMMV, but I tried a number of different antispam products before settling on this one, and I'm a very happy camper.
Re:Please do - it costs nothing to publish, and .. (Score:3, Interesting)
Recommend? Those bastards, their asshat defaults, and their RTFM-impaired users are responsible for some 40% of the shite in my mailbox right now (though that is unusually high, I grant you). It is NOT acceptable to bounce "back" to an innocent victim. It is NOT acceptable to advertise the piece of shit responsible in the subject header either - though I like to imagine competent sysadmins the world over vowing not to buy the product as a direct result.
If everyone set up a rule to forward anything with "Message you sent blocked by Barracuda" to sales@barracuda.com with a "please fix your defaults", would that constitute a DDoS or just a mass appeal? (Yeah, I posted an email address. I figure they should be able to handle it, no?)
Log data... (Score:3, Interesting)
So, someone is checking.
e-commerce provider mandates all customers use SPF (Score:2, Interesting)
The problem is most ISPs and other hosting providers don't control the entire e-mail application stack enough to implement it without an army of technical support people, it's just not economical. That and diagnosing mail problems is too freaking difficult for low-level helpdesk people.
It's like credit card fraud, the entire system will need to be retrofitted before it can be significantly reduced or even eliminated, but the short-term cost of dealing with fraud outweighs the long-term upfront cost of retrofitting billions of dollars worth of swipes, magstrip readers, and point of sale systems.
Eventually the problem will get bad enough and/or a big mail provider (hotmail, gmail, yahoo) will grow a pair and start flagging email that arrives at domains without SPF as spam. Either that or something like Y2K will happen again and require everybody to update to stuff that supports SPF, this could be as soon as 2010 when we run out of IP addresses.
Wouldn't hold my breath though
SPF is broken by design (Score:2, Interesting)
S: 200 happy to meet you sir
C: helo example.com
S: 220 happy to meet you
C: mail from:
S: 220 ok
C: rcpt to:
S: 220 ok
C: data
S: 220 begin
C: Subject: v1ag7a
C: From: customersupport@ebay.com
C: To: you@yourdomain.com
C:
C: message body
C: .
You see how the mail from envelope can be manipulated to hold a domain that differs from the message body headers. This is ok for SPF since otherwise it would break email lists.
What it might do is help prevent back scatter spam from hitting your domain if the original recipient's mail server DOES check the SPF for the mail from... that is all.
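The gap described in the comment above, as an added example that is not part of the original thread: a receiver-side check that evaluates SPF against the envelope MAIL FROM and separately reports whether the From: header domain matches it. The SPF evaluator is deliberately simplified (only `ip4` and `all` mechanisms, no DNS); the record table, `sender.example`, and the IP addresses are constructed sample values.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: SPF TXT records a real receiver would fetch from DNS.
SPF_RECORDS = {"sender.example": "v=spf1 ip4:192.0.2.0/24 -all"}

# Constructed message using the headers from the transcript above.
RAW = ("Subject: v1ag7a\nFrom: customersupport@ebay.com\n"
       "To: you@yourdomain.com\n\nmessage body\n")

def domain_of(addr):
    """Return the lower-cased domain of an address, or '' if it has none."""
    _local, at, domain = parseaddr(addr or "")[1].rpartition("@")
    return domain.lower() if at else ""

def check_spf(client_ip, mail_from):
    """Simplified SPF: handles only the ip4 and all mechanisms."""
    record = SPF_RECORDS.get(domain_of(mail_from))
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return results[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return results[qualifier]
    return "neutral"

def assess(client_ip, mail_from, raw_message):
    """Return (spf_result, header_from_domain, envelope_matches_header)."""
    header_domain = domain_of(message_from_string(raw_message)["From"])
    spf = check_spf(client_ip, mail_from)
    return spf, header_domain, domain_of(mail_from) == header_domain

if __name__ == "__main__":
    # SPF passes for the envelope domain while From: shows a different domain.
    print(assess("192.0.2.10", "bounce@sender.example", RAW))
    # Same envelope sender from an unauthorized IP: SPF fails.
    print(assess("198.51.100.7", "bounce@sender.example", RAW))
```

A result of `pass` with a mismatch flag of `False` is the case the comment describes: the sending host is authorized for the envelope domain, and SPF by itself says nothing about the domain the recipient sees in From:.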