Mailing List Archive: SPF: Help

Spoofing

Index | Next | Previous | View Threaded

jmaas at msn

Oct 3, 2007, 1:39 PM

Post #1 of 19 (5860 views)
Permalink

Spoofing

Greetings,

I have a client who has recently started receiving a lot of non delivery
reports for emails he has not sent, his email address is being used as the
from address.

Please forgive a novice question would a SPF record for the clients email
domain help prevent this?

His current email address is domain using a Comcast Business Static IP
address.

Thanks in advance.

Justin Maas

jmaas [at] msn

-------------------------------------------
-----------------------------------------------------------------------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&id_secret=49481833-96772e
Powered by Listbox: http://www.listbox.com

heze54 at hezesoft

Oct 3, 2007, 1:50 PM

Post #2 of 19 (5726 views)
Permalink

Re: Spoofing [In reply to]

Hi,

Have you implemented SPF at your mail server software and publish the
txt dns record?

Best regards

heze54

Justin Maas wrote:

>Greetings,
>
>
>
>I have a client who has recently started receiving a lot of non delivery
>reports for emails he has not sent, his email address is being used as the
>from address.
>
>
>
>Please forgive a novice question would a SPF record for the clients email
>domain help prevent this?
>
>
>
>His current email address is domain using a Comcast Business Static IP
>address.
>
>
>
>Thanks in advance.
>
>
>
>Justin Maas
>
>
>
>jmaas [at] msn
>
>
>
>
>
>
>
>
>
>-------------------------------------------
>-----------------------------------------------------------------------
>Archives at http://archives.listbox.com/spf-help/current/ or
>http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
>To unsubscribe, change your address, or temporarily deactivate your
>subscription,
>please go to http://v2.listbox.com/member/?&
>Powered by Listbox: http://www.listbox.com
>
>

Antes de imprimir piensa en tu responsabilidad y compromiso con el MEDIO AMBIENTE
Mensaje analizado y protegido, tecnologia antivirus amavis+clamav

-------------------------------------------
-----------------------------------------------------------------------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&id_secret=49484899-99f515
Powered by Listbox: http://www.listbox.com

jmaas at msn

Oct 3, 2007, 2:10 PM

Post #3 of 19 (5729 views)
Permalink

RE: Spoofing [In reply to]

No we have not or DNS host (Verio) to the best of my knowledge does not
support txt records.

Thanks

-----Original Message-----
From: heze54 [mailto:heze54 [at] hezesoft]
Sent: Wednesday, October 03, 2007 1:51 PM
To: spf-help [at] v2
Subject: Re: [spf-help] Spoofing

Hi,

Have you implemented SPF at your mail server software and publish the
txt dns record?

Best regards

heze54

Justin Maas wrote:

>Greetings,
>
>
>
>I have a client who has recently started receiving a lot of non delivery
>reports for emails he has not sent, his email address is being used as the
>from address.
>
>
>
>Please forgive a novice question would a SPF record for the clients email
>domain help prevent this?
>
>
>
>His current email address is domain using a Comcast Business Static IP
>address.
>
>
>
>Thanks in advance.
>
>
>
>Justin Maas
>
>
>
>jmaas [at] msn
>
>
>
>
>
>
>
>
>
>-------------------------------------------
>-----------------------------------------------------------------------
>Archives at http://archives.listbox.com/spf-help/current/ or
>http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
>To unsubscribe, change your address, or temporarily deactivate your
>subscription,
>please go to http://v2.listbox.com/member/?&
>Powered by Listbox: http://www.listbox.com
>
>

Antes de imprimir piensa en tu responsabilidad y compromiso con el MEDIO
AMBIENTE
Mensaje analizado y protegido, tecnologia antivirus amavis+clamav

-------------------------------------------
-----------------------------------------------------------------------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?&
Powered by Listbox: http://www.listbox.com

-------------------------------------------
-----------------------------------------------------------------------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&id_secret=49493099-872477
Powered by Listbox: http://www.listbox.com

scott at kitterman

Oct 3, 2007, 2:18 PM

Post #4 of 19 (5734 views)
Permalink

Re: Spoofing [In reply to]

On Wednesday 03 October 2007 16:39, Justin Maas wrote:
> Greetings,
>
>
>
> I have a client who has recently started receiving a lot of non delivery
> reports for emails he has not sent, his email address is being used as the
> from address.

From or Mail From/Return Path (it makes a big difference)?

> Please forgive a novice question would a SPF record for the clients email
> domain help prevent this?

Maybe. It would probably reduce it some due to receivers rejecting at SMTP
time and not generating a post-SMTP bounce. It may stop it as sometimes
spammers move on once a domain has a complete SPF record.

> His current email address is domain using a Comcast Business Static IP
> address.
>
If that's the only source of legitimate mail for your customer's domain, then
the SPF record would be:

v=spf1 ip4:aaa.bbb.ccc.ddd -all

You should also publish a record for the HELO name of the server (it would be
the same in this case).

Scott K

-------------------------------------------
-----------------------------------------------------------------------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&id_secret=49493416-34c29c
Powered by Listbox: http://www.listbox.com

richp at indplay

Oct 3, 2007, 2:28 PM

Post #5 of 19 (5727 views)
Permalink

RE: Spoofing [In reply to]

We had the same problem with 1and1. We use DNSMadeEasy together with
1and1 to implement SPF for our domain.

A related question. How do you implement the HELO record?

Thanks, Rich

Richard Parenteau, Operations
inDplay Inc., 3000 Bridge Parkway, Redwood Shores, CA 94065
richp [at] indplay +1(408) 829-8315 direct +1(815) 572-5117 fax

-----Original Message-----
From: Justin Maas [mailto:jmaas [at] msn]
Sent: Wednesday, October 03, 2007 2:10 PM
To: spf-help [at] v2
Subject: RE: [spf-help] Spoofing

No we have not or DNS host (Verio) to the best of my knowledge does not
support txt records.

Thanks

-----Original Message-----
From: heze54 [mailto:heze54 [at] hezesoft]
Sent: Wednesday, October 03, 2007 1:51 PM
To: spf-help [at] v2
Subject: Re: [spf-help] Spoofing

Hi,

Have you implemented SPF at your mail server software and publish the
txt dns record?

Best regards

heze54

Justin Maas wrote:

>Greetings,
>
>
>
>I have a client who has recently started receiving a lot of non
delivery
>reports for emails he has not sent, his email address is being used as
the
>from address.
>
>
>
>Please forgive a novice question would a SPF record for the clients
email
>domain help prevent this?
>
>
>
>His current email address is domain using a Comcast Business Static IP
>address.
>
>
>
>Thanks in advance.
>
>
>
>Justin Maas
>
>
>
>jmaas [at] msn
>
>
>
>
>
>
>
>
>
>-------------------------------------------
>-----------------------------------------------------------------------
>Archives at http://archives.listbox.com/spf-help/current/ or
>http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
>To unsubscribe, change your address, or temporarily deactivate your
>subscription,
>please go to http://v2.listbox.com/member/?&
>Powered by Listbox: http://www.listbox.com
>
>

Antes de imprimir piensa en tu responsabilidad y compromiso con el MEDIO
AMBIENTE
Mensaje analizado y protegido, tecnologia antivirus amavis+clamav

-------------------------------------------
-----------------------------------------------------------------------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?&
Powered by Listbox: http://www.listbox.com

-------------------------------------------
-----------------------------------------------------------------------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?&
e
Powered by Listbox: http://www.listbox.com

-------------------------------------------
-----------------------------------------------------------------------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&id_secret=49497363-842d27
Powered by Listbox: http://www.listbox.com

richp at indplay

Oct 3, 2007, 2:36 PM

Post #6 of 19 (5738 views)
Permalink

RE: Spoofing [In reply to]

Hi, We had the same problem with 1and1. We use DNSMadeEasy together
with 1and1 to implement SPF for our domain.

A related question. How do you implement the HELO record?

Thanks, Rich

Richard Parenteau, Operations
inDplay Inc., 3000 Bridge Parkway, Redwood Shores, CA 94065
richp [at] indplay +1(408) 829-8315 direct +1(815) 572-5117 fax

-----Original Message-----
From: Justin Maas [mailto:jmaas [at] msn]
Sent: Wednesday, October 03, 2007 2:10 PM
To: spf-help [at] v2
Subject: RE: [spf-help] Spoofing

No we have not or DNS host (Verio) to the best of my knowledge does not
support txt records.

Thanks

-----Original Message-----
From: heze54 [mailto:heze54 [at] hezesoft]
Sent: Wednesday, October 03, 2007 1:51 PM
To: spf-help [at] v2
Subject: Re: [spf-help] Spoofing

Hi,

Have you implemented SPF at your mail server software and publish the
txt dns record?

Best regards

heze54

Justin Maas wrote:

>Greetings,
>
>
>
>I have a client who has recently started receiving a lot of non
delivery
>reports for emails he has not sent, his email address is being used as
the
>from address.
>
>
>
>Please forgive a novice question would a SPF record for the clients
email
>domain help prevent this?
>
>
>
>His current email address is domain using a Comcast Business Static IP
>address.
>
>
>
>Thanks in advance.
>
>
>
>Justin Maas
>
>
>
>jmaas [at] msn
>
>
>
>
>
>
>
>
>
>-------------------------------------------
>-----------------------------------------------------------------------
>Archives at http://archives.listbox.com/spf-help/current/ or
>http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
>To unsubscribe, change your address, or temporarily deactivate your
>subscription,
>please go to http://v2.listbox.com/member/?&
>Powered by Listbox: http://www.listbox.com
>
>

Antes de imprimir piensa en tu responsabilidad y compromiso con el MEDIO
AMBIENTE
Mensaje analizado y protegido, tecnologia antivirus amavis+clamav

-------------------------------------------
-----------------------------------------------------------------------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?&
Powered by Listbox: http://www.listbox.com

-------------------------------------------
-----------------------------------------------------------------------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to
http://v2.listbox.com/member/?&
e
Powered by Listbox: http://www.listbox.com

-------------------------------------------
-----------------------------------------------------------------------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&id_secret=49500658-d533a5
Powered by Listbox: http://www.listbox.com

scott at kitterman

Oct 3, 2007, 2:54 PM

Post #7 of 19 (5725 views)
Permalink

Re: Spoofing [In reply to]

On Wednesday 03 October 2007 17:36, Richard Parenteau wrote:
> Hi, We had the same problem with 1and1. We use DNSMadeEasy together
> with 1and1 to implement SPF for our domain.
>
> A related question. How do you implement the HELO record?
>
It's a TXT record published for the hostname of your machine. E.g. for
example.com, it might be mail.example.com. Same rules for the record, just
for a different name.

Scott K

-------------------------------------------
-----------------------------------------------------------------------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&id_secret=49515477-6108ed
Powered by Listbox: http://www.listbox.com

steve at teamITS

Oct 3, 2007, 2:55 PM

Post #8 of 19 (5725 views)
Permalink

RE: Spoofing [In reply to]

Justin Maas wrote on 10/3/2007 4:10:01 PM:

> No we have not or DNS host (Verio) to the best of my knowledge does
not
> support txt records.

Verio should...we use a couple of their channels for our web
hosting services, though we also run our own DNS for other reasons. If
you can't edit TXT records directly, send a request to tech support to
add/modify a TXT record for your domain.

-----
SPF FAQ: http://www.openspf.org/FAQ
Common mistakes: http://www.openspf.org/FAQ/Common_mistakes

- Steve Yates
- ITS, Inc.
- I have lost my mind, but it must be backed-up somewhere.

~ Taglines by Taglinator - www.srtware.com ~

-------------------------------------------
-----------------------------------------------------------------------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&id_secret=49517848-dcda49
Powered by Listbox: http://www.listbox.com

d.wall at computer

Oct 3, 2007, 11:41 PM

Post #9 of 19 (5735 views)
Permalink

Re: Spoofing [In reply to]

>
> Please forgive a novice question would a SPF record for the clients email
> domain help prevent this?
>
My experience is that it won't help much. We have seen the same problem
when spammers hijack our email addresses and we have SPF and Sender ID
configured in our TXT records. On examination, it appears that they are
using the Return-Path with our email address, so any compliant SPF
checking system will reject it, but since there are so many email
systems around the world that don't do SPF checking on the receiving
end, the number of bounces that come back can be extremely high since
spammers send out millions of emails. It does seem that the spammers
move on eventually, using some other poor soul's email address for the
next batch of garbage.

David

-------------------------------------------
-----------------------------------------------------------------------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&id_secret=49624888-166a65
Powered by Listbox: http://www.listbox.com

heze54 at hezesoft

Oct 4, 2007, 3:27 PM

Post #10 of 19 (5718 views)
Permalink

Re: Spoofing [In reply to]

Hi,

You are right, there are administrators who do not want to implement
SPF or the do not know ho to do this... or the dont matter.

I have been using SPF for 2,5 years and its wonderfull. I recomend to
use it now!!!, you'll feel the diference.

Best regards

heze54

David Wall wrote:

>
>>
>> Please forgive a novice question would a SPF record for the clients
>> email
>> domain help prevent this?
>>
>
> My experience is that it won't help much. We have seen the same
> problem when spammers hijack our email addresses and we have SPF and
> Sender ID configured in our TXT records. On examination, it appears
> that they are using the Return-Path with our email address, so any
> compliant SPF checking system will reject it, but since there are so
> many email systems around the world that don't do SPF checking on the
> receiving end, the number of bounces that come back can be extremely
> high since spammers send out millions of emails. It does seem that
> the spammers move on eventually, using some other poor soul's email
> address for the next batch of garbage.
>
> David
>
> -------------------------------------------
> -----------------------------------------------------------------------
> Archives at http://archives.listbox.com/spf-help/current/ or
> http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
> To unsubscribe, change your address, or temporarily deactivate your
> subscription,
> please go to
> http://v2.listbox.com/member/?&
> Powered by Listbox: http://www.listbox.com

Antes de imprimir piensa en tu responsabilidad y compromiso con el MEDIO AMBIENTE
Mensaje analizado y protegido, tecnologia antivirus amavis+clamav

-------------------------------------------
-----------------------------------------------------------------------
Archives at http://archives.listbox.com/spf-help/current/ or
http://www.gossamer-threads.com/lists/spf/help/ (easier to search)
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?member_id=1311530&id_secret=50172471-9706e6
Powered by Listbox: http://www.listbox.com

sabraham at cananinc

Dec 31, 2008, 7:01 AM

Post #11 of 19 (4961 views)
Permalink

RE: Spoofing [In reply to]

Oh! no Rob, the email address am sending mail from (sabraham [at] cananinc) is not the domain am having problem with. You right, (GoDaddy) managed incoming and outgoing mail for cananinc.com but this is not the domain am having issues with.
As for the domain am having issues with, all the incoming and outgoing mail are managed by in house Exchange Server 2007.

We registered our domain with (Hostway) and they are the one who host our website but email part is managed by us.
What I did was that, I put IP address of our exchange server in our MX record, for the exchange server to be able to send and receive email.
That’s how it's configured.

Thanks,
Abraham

-----Original Message-----
From: Rob MacGregor [mailto:rob.macgregor [at] gmail]
Sent: Wednesday, December 31, 2008 3:31 AM
To: spf-help [at] v2
Subject: Re: [spf-help] Spoofing

On Wed, Dec 31, 2008 at 07:35, Abraham Sanni <sabraham [at] cananinc> wrote:
> Please I need help on how to stop email spoofing for my organization .
>
> For the past 3 months now I have been receiving email from the users who
> does not have an account on our domain but this users using our domain to
> send mail to other legitimate users email account in our organization.
> Also, am receiving email that I didn't send. Am receiving email from my
> email account. For instance, From: sun [at] count
<---SNIP--->
> Am running Microsoft Exchange Server 2007 in my Organization and my domain
> is hosted by (hostway) formerly known as value web.

Is all your email routed through hostway, or do you send directly from
your Exchange server? I see your incoming email is managed by
secureserver.net (GoDaddy) - do you send out through them too?

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

rob.macgregor at gmail

Dec 31, 2008, 12:28 PM

Post #12 of 19 (4954 views)
Permalink

Re: Spoofing [In reply to]

On Wed, Dec 31, 2008 at 15:01, Abraham Sanni <sabraham [at] cananinc> wrote:
> Oh! no Rob, the email address am sending mail from (sabraham [at] cananinc) is not the domain am having problem with. You right, (GoDaddy) managed incoming and outgoing mail for cananinc.com but this is not the domain am having issues with.
> As for the domain am having issues with, all the incoming and outgoing mail are managed by in house Exchange Server 2007.
>
> We registered our domain with (Hostway) and they are the one who host our website but email part is managed by us.
> What I did was that, I put IP address of our exchange server in our MX record, for the exchange server to be able to send and receive email.
> That's how it's configured.

MX records must be hostnames, not IP addresses. Using an IP address
may mean some people cannot send you email and some may refuse email
from you due to an invalid MX record.

That said, it would make your SPF record the very simple:

v=spf1 mx -all

Having published it in the domain's public DNS, you then need to check
SPF yourself. See the following list of known options:

http://www.openspf.org/Implementations

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

sabraham at cananinc

Dec 31, 2008, 6:39 PM

Post #13 of 19 (4957 views)
Permalink

RE: Spoofing [In reply to]

Sorry I mean A: record.
This is how it's configured: just for example

Czdg.com MX 10 mail.czdg.com

mail.czdg.com IN A 192.1.0.10

mail.czdg.com is the hostname for my email server and the IP address of that server is 192.1.0.10 then I published the spf record as follow:

v=spf1 ip4:192.1.0.10 -all

My in house domain controller end with .lacal for example:
controller.czdg.local so when I join email server to the domain, its full qualified name became mail.czdg.local and it has is own external IP address which is 192.1.0.10

I really appreciate your comments. Looking forward to read from you soon.

Thanks,
Abraham

-----Original Message-----
From: Rob MacGregor [mailto:rob.macgregor [at] gmail]
Sent: Wednesday, December 31, 2008 3:28 PM
To: spf-help [at] v2
Subject: Re: [spf-help] Spoofing

On Wed, Dec 31, 2008 at 15:01, Abraham Sanni <sabraham [at] cananinc> wrote:
> Oh! no Rob, the email address am sending mail from (sabraham [at] cananinc) is not the domain am having problem with. You right, (GoDaddy) managed incoming and outgoing mail for cananinc.com but this is not the domain am having issues with.
> As for the domain am having issues with, all the incoming and outgoing mail are managed by in house Exchange Server 2007.
>
> We registered our domain with (Hostway) and they are the one who host our website but email part is managed by us.
> What I did was that, I put IP address of our exchange server in our MX record, for the exchange server to be able to send and receive email.
> That's how it's configured.

MX records must be hostnames, not IP addresses. Using an IP address
may mean some people cannot send you email and some may refuse email
from you due to an invalid MX record.

That said, it would make your SPF record the very simple:

v=spf1 mx -all

Having published it in the domain's public DNS, you then need to check
SPF yourself. See the following list of known options:

http://www.openspf.org/Implementations

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

rob.macgregor at gmail

Jan 1, 2009, 1:41 AM

Post #14 of 19 (4960 views)
Permalink

Re: Spoofing [In reply to]

On Thu, Jan 1, 2009 at 02:39, Abraham Sanni <sabraham [at] cananinc> wrote:
> Sorry I mean A: record.
> This is how it's configured: just for example
>
> Czdg.com MX 10 mail.czdg.com
>
> mail.czdg.com IN A 192.1.0.10
>
> mail.czdg.com is the hostname for my email server and the IP address of that server is 192.1.0.10 then I published the spf record as follow:
>
> v=spf1 ip4:192.1.0.10 -all

I'm assuming that you're making up IP addresses and domain names?

If so, then yes that record should be correct.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

sabraham at cananinc

Jan 1, 2009, 12:07 PM

Post #15 of 19 (4942 views)
Permalink

RE: Spoofing [In reply to]

Yes, am making it up just show how is configure.

So how can I stop spoofing?
Please help

Thanks,
Abraham

-----Original Message-----
From: Rob MacGregor [mailto:rob.macgregor [at] gmail]
Sent: Thursday, January 01, 2009 4:42 AM
To: spf-help [at] v2
Subject: Re: [spf-help] Spoofing

On Thu, Jan 1, 2009 at 02:39, Abraham Sanni <sabraham [at] cananinc> wrote:
> Sorry I mean A: record.
> This is how it's configured: just for example
>
> Czdg.com MX 10 mail.czdg.com
>
> mail.czdg.com IN A 192.1.0.10
>
> mail.czdg.com is the hostname for my email server and the IP address of that server is 192.1.0.10 then I published the spf record as follow:
>
> v=spf1 ip4:192.1.0.10 -all

I'm assuming that you're making up IP addresses and domain names?

If so, then yes that record should be correct.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

rob.macgregor at gmail

Jan 1, 2009, 12:23 PM

Post #16 of 19 (4934 views)
Permalink

Re: Spoofing [In reply to]

On Thu, Jan 1, 2009 at 20:07, Abraham Sanni <sabraham [at] cananinc> wrote:
> Yes, am making it up just show how is configure.
>
> So how can I stop spoofing?

1) Publish an SPF record, using "-all" (you have)

2) Check SPF yourself

3) Realise that there is no 100% solution - this is only part of the
picture. See also http://www.openspf.org/FAQ/Envelope_from_scope

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

sabraham at cananinc

Jan 1, 2009, 12:44 PM

Post #17 of 19 (4941 views)
Permalink

RE: Spoofing [In reply to]

How can I check spf record?
Does it require any configuration?

What does rDNS do?

Thanks,
Abraham

-----Original Message-----
From: Rob MacGregor [mailto:rob.macgregor [at] gmail]
Sent: Thursday, January 01, 2009 3:23 PM
To: spf-help [at] v2
Subject: Re: [spf-help] Spoofing

On Thu, Jan 1, 2009 at 20:07, Abraham Sanni <sabraham [at] cananinc> wrote:
> Yes, am making it up just show how is configure.
>
> So how can I stop spoofing?

1) Publish an SPF record, using "-all" (you have)

2) Check SPF yourself

3) Realise that there is no 100% solution - this is only part of the
picture. See also http://www.openspf.org/FAQ/Envelope_from_scope

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

rob.macgregor at gmail

Jan 1, 2009, 2:47 PM

Post #18 of 19 (4937 views)
Permalink

Re: Spoofing [In reply to]

On Thu, Jan 1, 2009 at 20:44, Abraham Sanni <sabraham [at] cananinc> wrote:
> How can I check spf record?

As I've previously said:

http://www.openspf.org/Implementations

> Does it require any configuration?

When you've chosen a solution, read it's documentation to find out.

> What does rDNS do?

http://en.wikipedia.org/wiki/Reverse_DNS_lookup

Reverse DNS is for mapping IP addresses to hostnames.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

dmd at speakeasy

Jan 1, 2009, 3:51 PM

Post #19 of 19 (4955 views)
Permalink

RE: Spoofing [In reply to]

On Thu, 1 Jan 2009, Abraham Sanni wrote:

> How can I check spf record?
> Does it require any configuration?
>
> What does rDNS do?

Spoken like a true Exchange admin.

Here is what I think is going on, but remember I have no full mail header so
this is 100% guess. Or a bunch of guesses. In the order I thought of them, so
that might be the order to go try to find. Note, none are SPF related. SPF I
don't think is your issue from what you describe.

Your issue comes from accepting for local delivery on non existent local
addresses. Confirm that if "fred [at] mycompany" is not at your site, you aren't
accepting mail, but rather, are refusing delivery.

It might also be valuable to look at Exchange logs (if any) to see if people are
harvesting local addresses by probing the gateway. This would also be
identifyable if you give a separate server response to "nonexistent" as you do
to "existent" addresses to an external sender. If you do, and respond to the
sender telling them "such an so address does not exist at this location" then it
is possible the attackers have built over time a list of known people are your
site, and are sending to them. This really becomes a problem if you have an
external-facing expanded mail alias, so "employees [at] company" becomes 100000
people -- and then this is left external facing to be used. Or you have a lot
of employees forwarding mail from work to other accounts -- this also can then
result in mail being bounced as those forwards grow stale, and the
bounced-bounces start piling up. Or other edge case scenarios -- a large
attachment being refused someplace, but storing up multiple copies of a bounce
at your site, with a large BCC list, could be the reason you're seeing a bunch
of mail you can't account for.

All these things would be tested and eliminated by a person at your site called
an "email admin." They would have been done months before, before this problem
became so bad it could not be ignored. definitely before asking on a list
related to authenticating spam sending a question about how to prevent spam
receiving.

A full header is needed in all cases to fully diagnose, a full header of the
incident, as well as a server log might be helpful. If Exchange can provide.

Or, look into a product other than Exchange as your front-door gateway. Most of
the stuff you're seeing is Exchange configuration related, and your comment
about not knowing what rDNS does suggests strongly that you aren't really ready
to run a mail server on the internet. Outsourcing your local mail is also a
good option, to someone that has the ability to stop these problems without
spending your whole day on it.

The ability to point and click your way through an Exchange configuration is not
the same as having the ability to be a mail server admin. Perhaps you want to
hire someone that is, or perhaps you want to outsource. Or you can keep
learning yourself, hopefully your employer is patient.

Dave D

>
> Thanks,
> Abraham
>
> -----Original Message-----
> From: Rob MacGregor [mailto:rob.macgregor [at] gmail]
> Sent: Thursday, January 01, 2009 3:23 PM
> To: spf-help [at] v2
> Subject: Re: [spf-help] Spoofing
>
> On Thu, Jan 1, 2009 at 20:07, Abraham Sanni <sabraham [at] cananinc> wrote:
> > Yes, am making it up just show how is configure.
> >
> > So how can I stop spoofing?
>
> 1) Publish an SPF record, using "-all" (you have)
>
> 2) Check SPF yourself
>
> 3) Realise that there is no 100% solution - this is only part of the
> picture. See also http://www.openspf.org/FAQ/Envelope_from_scope
>
> --
> Please keep list traffic on the list.
>
> Rob MacGregor
> Whoever fights monsters should see to it that in the process he
> doesn't become a monster. Friedrich Nietzsche
>
>
> -------------------------------------------
> Sender Policy Framework: http://www.openspf.org
> Modify Your Subscription: http://www.listbox.com/member/
> Archives: https://www.listbox.com/member/archive/1020/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/1020/
> Powered by Listbox: http://www.listbox.com
>
>
>
> -------------------------------------------
> Sender Policy Framework: http://www.openspf.org
> Modify Your Subscription: http://www.listbox.com/member/
> Archives: https://www.listbox.com/member/archive/1020/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/1020/
> Powered by Listbox: http://www.listbox.com
>

+-------------------------
+ Dave Dennis
+ Seattle, WA
+ Speakeasy, Inc.
+ dmd [at] speakeasy
+ http://www.speakeasy.net
+-------------------------

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads