Mailing List Archive: SPF: Help

Spammers spoofing source IP?

Index | Next | Previous | View Threaded

anoopjohn at gmail

Sep 25, 2009, 3:59 AM

Post #1 of 13 (1629 views)
Permalink

Spammers spoofing source IP?

Hi,

I have recently been getting large number of spam messages with FROM
and TO set as valid email addresses active on my domain - zyxware.com.
I have set up SPF on zyxware.com and this is my SPF raw record -
v=spf1 a mx ip4:67.220.209.203 -all

The mails are set to be forwarded to my gmail account and I have all
these emails added to my gmail account. The problem is that gmail
seems to be validating the mail as valid given the SPF records. Could
this be a case of spammers spoofing the source IP thereby tricking
SPF? The following are the headers from one such spam mail.

=====================================
Delivered-To: anoopjohn [at] gmail
Received: by 10.100.121.7 with SMTP id t7cs21487anc;
Thu, 24 Sep 2009 14:15:11 -0700 (PDT)
Received: by 10.151.28.10 with SMTP id f10mr792814ybj.71.1253826909841;
Thu, 24 Sep 2009 14:15:09 -0700 (PDT)
Return-Path: <careers [at] zyxware>
Received: from z1.zyxware.com ([67.220.209.203])
by mx.google.com with ESMTP id 3si8975642iwn.104.2009.09.24.14.15.08;
Thu, 24 Sep 2009 14:15:08 -0700 (PDT)
Received-SPF: pass (google.com: domain of careers [at] zyxware
designates 67.220.209.203 as permitted sender)
client-ip=67.220.209.203;
DomainKey-Status: good
Authentication-Results: mx.google.com; spf=pass (google.com: domain of
careers [at] zyxware designates 67.220.209.203 as permitted sender)
smtp.mail=careers [at] zyxware; domainkeys=pass
header.From=careers [at] zyxware
Date: Thu, 24 Sep 2009 14:15:08 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=zyxware.com;
h=Received:From:To:MIME-Version:Subject:Message-ID:Content-Transfer-Encoding:Content-Type;
b=hd11FY6V6RRz5+P5T44V6v+YspVhw76EIsyzTSzQEkTK6lqefnumM2uUW5l4xAZ2BwfHEKtsMkI5irIMyzw3ZOAJrA7CR9Gve73UKblXwzhMq7sljpIMqHxx2mmmfFyt;
Received: from [190.247.48.25] (helo=25-48-247-190.fibertel.com.ar)
by z1.zyxware.com with esmtp (Exim 4.69)
(envelope-from <careers [at] zyxware>)
id 1Mqve9-0006Cl-OB
for careers [at] zyxware; Fri, 25 Sep 2009 01:14:38 +0400
From: "Mirella Martig" <careers [at] zyxware>
To: careers [at] zyxware
MIME-Version: 1.0
Subject: Soap Opera, real people
Message-ID: <OP8A9506VSQH147L.RZUURWOKPE.509C3E5BA [at] kaplu>
Content-Transfer-Encoding: 8bit
Content-Type: text/html; charset="UTF-8"
X-AntiAbuse: This header was added to track abuse, please include it
with any abuse report
X-AntiAbuse: Primary Hostname - z1.zyxware.com
X-AntiAbuse: Original Domain - zyxware.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - zyxware.com
=====================================

Thanks
Anoop

----------------------------------------------------------------------------------------
http://www.zyxware.com
http://www.anoopjohn.com
http://www.thondomraughts.com
----------------------------------------------------------------------------------------
"Be the change you wish to see in the world", M. K. Gandhi
----------------------------------------------------------------------------------------

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

rob.macgregor at gmail

Sep 25, 2009, 4:15 AM

Post #2 of 13 (1567 views)
Permalink

Re: Spammers spoofing source IP? [In reply to]

On Fri, Sep 25, 2009 at 11:59, Anoop John <anoopjohn [at] gmail> wrote:
> Hi,
>
> I have recently been getting large number of spam messages with FROM
> and TO set as valid email addresses active on my domain - zyxware.com.
> I have set up SPF on zyxware.com and this is my SPF raw record -
> v=spf1 a mx ip4:67.220.209.203 -all
>
> The mails are set to be forwarded to my gmail account and I have all
> these emails added to my gmail account. The problem is that gmail
> seems to be validating the mail as valid given the SPF records. Could
> this be a case of spammers spoofing the source IP thereby tricking
> SPF? The following are the headers from one such spam mail.

No, that's not possible. I'd look instead to see if you have problems
on your server, vulnerable web scripts or your SMTP server acting as
an open relay.

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

spfdiscuss at alandoherty

Sep 25, 2009, 4:22 AM

Post #3 of 13 (1565 views)
Permalink

Re: Spammers spoofing source IP? [In reply to]

if you SRS forward the email to gmail it will always pass SPF {as your supposed to check the spf before forwarding the email as all bets are off with spf after forwarding}

if you forward without SRS only email with a forged envelope-from going to gmail will pass gmails SPF, all non-forged email should and will fail

thats why when forwarding you either whitelist your servers ip with the destination mailsystem {and this is not an option with gmail}
or do SRS {so all forwarded mail passes SPF}
either way SPF checking on sender is supposed to happen {and can only work} on your server before forwarding.

At 11:59 25/09/2009 Friday, Anoop John wrote:
>Hi,
>
>I have recently been getting large number of spam messages with FROM
>and TO set as valid email addresses active on my domain - zyxware.com.
>I have set up SPF on zyxware.com and this is my SPF raw record -
>v=spf1 a mx ip4:67.220.209.203 -all
>
>The mails are set to be forwarded to my gmail account and I have all
>these emails added to my gmail account. The problem is that gmail
>seems to be validating the mail as valid given the SPF records. Could
>this be a case of spammers spoofing the source IP thereby tricking
>SPF? The following are the headers from one such spam mail.
>
>=====================================
>Delivered-To: anoopjohn [at] gmail
>Received: by 10.100.121.7 with SMTP id t7cs21487anc;
> Thu, 24 Sep 2009 14:15:11 -0700 (PDT)
>Received: by 10.151.28.10 with SMTP id f10mr792814ybj.71.1253826909841;
> Thu, 24 Sep 2009 14:15:09 -0700 (PDT)
>Return-Path: <careers [at] zyxware>
>Received: from z1.zyxware.com ([67.220.209.203])
> by mx.google.com with ESMTP id 3si8975642iwn.104.2009.09.24.14.15.08;
> Thu, 24 Sep 2009 14:15:08 -0700 (PDT)
>Received-SPF: pass (google.com: domain of careers [at] zyxware
>designates 67.220.209.203 as permitted sender)
>client-ip=67.220.209.203;
>DomainKey-Status: good
>Authentication-Results: mx.google.com; spf=pass (google.com: domain of
>careers [at] zyxware designates 67.220.209.203 as permitted sender)
>smtp.mail=careers [at] zyxware; domainkeys=pass
>header.From=careers [at] zyxware
>Date: Thu, 24 Sep 2009 14:15:08 -0700 (PDT)
>DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=zyxware.com;
> h=Received:From:To:MIME-Version:Subject:Message-ID:Content-Transfer-Encoding:Content-Type;
> b=hd11FY6V6RRz5+P5T44V6v+YspVhw76EIsyzTSzQEkTK6lqefnumM2uUW5l4xAZ2BwfHEKtsMkI5irIMyzw3ZOAJrA7CR9Gve73UKblXwzhMq7sljpIMqHxx2mmmfFyt;
>Received: from [190.247.48.25] (helo=25-48-247-190.fibertel.com.ar)
> by z1.zyxware.com with esmtp (Exim 4.69)
> (envelope-from <careers [at] zyxware>)
> id 1Mqve9-0006Cl-OB
> for careers [at] zyxware; Fri, 25 Sep 2009 01:14:38 +0400
>From: "Mirella Martig" <careers [at] zyxware>
>To: careers [at] zyxware
>MIME-Version: 1.0
>Subject: Soap Opera, real people
>Message-ID: <OP8A9506VSQH147L.RZUURWOKPE.509C3E5BA [at] kaplu>
>Content-Transfer-Encoding: 8bit
>Content-Type: text/html; charset="UTF-8"
>X-AntiAbuse: This header was added to track abuse, please include it
>with any abuse report
>X-AntiAbuse: Primary Hostname - z1.zyxware.com
>X-AntiAbuse: Original Domain - zyxware.com
>X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
>X-AntiAbuse: Sender Address Domain - zyxware.com
>=====================================
>
>Thanks
>Anoop
>
>----------------------------------------------------------------------------------------
>http://www.zyxware.com
>http://www.anoopjohn.com
>http://www.thondomraughts.com
>----------------------------------------------------------------------------------------
>"Be the change you wish to see in the world", M. K. Gandhi
>----------------------------------------------------------------------------------------
>
>
>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org
>Modify Your Subscription: http://www.listbox.com/member/
>Archives: https://www.listbox.com/member/archive/1020/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

anoopjohn at gmail

Sep 25, 2009, 4:25 AM

Post #4 of 13 (1571 views)
Permalink

Re: Spammers spoofing source IP? [In reply to]

Thanks for the reply Rob.

> No, that's not possible. I'd look instead to see if you have problems
> on your server, vulnerable web scripts or your SMTP server acting as
> an open relay.

I had asked the VPS management guys to look at it and they said that
it seems to be OK. Given your feedback, I will ask more
authoritatively this time :-)

BTW, Can a spammer fake it if they have a rogue mail server and
another rogue mail relay server so that the source IP faking happens
in the first transaction and then the second server only relays the
faked stuff? The email headers seem to have gone through three
different IPs before the mail reached the gmail server. Isn't it?
================================
Delivered-To: anoopjohn [at] gmail
Received: by 10.100.121.7 with SMTP id t7cs21487anc;
Thu, 24 Sep 2009 14:15:11 -0700 (PDT)
Received: by 10.151.28.10 with SMTP id f10mr792814ybj.71.1253826909841;
Thu, 24 Sep 2009 14:15:09 -0700 (PDT)
Return-Path: <careers [at] zyxware>
Received: from z1.zyxware.com ([67.220.209.203])
by mx.google.com with ESMTP id 3si8975642iwn.104.2009.09.24.14.15.08;
Thu, 24 Sep 2009 14:15:08 -0700 (PDT)
================================

Cheers
Anoop

----------------------------------------------------------------------------------------
http://www.zyxware.com
http://www.anoopjohn.com
http://www.thondomraughts.com
----------------------------------------------------------------------------------------
"Be the change you wish to see in the world", M. K. Gandhi
----------------------------------------------------------------------------------------

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

spf1 at beer

Sep 25, 2009, 4:27 AM

Post #5 of 13 (1577 views)
Permalink

Re: Spammers spoofing source IP? [In reply to]

> The mails are set to be forwarded to my gmail account

This is an important statement.

From the headers:

> Received: from z1.zyxware.com ([67.220.209.203])
> by mx.google.com with ESMTP id

So the reason that Google is accepting this as a SPF pass is that it is -
Google is accepting the mail from the IP address specifically permitted by
the SPF record.

> Could this be a case of spammers spoofing the source IP

No, that's not possible without the spoofed source machine being complicit
- a trick that was used for a while by some spammers with dirty feeds, but
now almost completely prevented by people using NAT routers.

Your problem is simply that the spam is accepted by *your* machine, then
forwarded to Google. Google is accepting the mail because it came from you
- just like you told it to.

You might like to check your own SPF filter, or look for some other
failing on your mailserver.

Vic.

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

rob.macgregor at gmail

Sep 25, 2009, 4:39 AM

Post #6 of 13 (1570 views)
Permalink

Re: Spammers spoofing source IP? [In reply to]

On Fri, Sep 25, 2009 at 12:25, Anoop John <anoopjohn [at] gmail> wrote:
> Thanks for the reply Rob.
>
>> No, that's not possible. I'd look instead to see if you have problems
>> on your server, vulnerable web scripts or your SMTP server acting as
>> an open relay.
>
> I had asked the VPS management guys to look at it and they said that
> it seems to be OK. Given your feedback, I will ask more
> authoritatively this time :-)

Check the mail logs on the VPS.

> BTW, Can a spammer fake it if they have a rogue mail server and
> another rogue mail relay server so that the source IP faking happens
> in the first transaction and then the second server only relays the
> faked stuff? The email headers seem to have gone through three
> different IPs before the mail reached the gmail server. Isn't it?
> ================================
> Delivered-To: anoopjohn [at] gmail
> Received: by 10.100.121.7 with SMTP id t7cs21487anc;
> Thu, 24 Sep 2009 14:15:11 -0700 (PDT)
> Received: by 10.151.28.10 with SMTP id f10mr792814ybj.71.1253826909841;
> Thu, 24 Sep 2009 14:15:09 -0700 (PDT)
> Return-Path: <careers [at] zyxware>
> Received: from z1.zyxware.com ([67.220.209.203])
> by mx.google.com with ESMTP id 3si8975642iwn.104.2009.09.24.14.15.08;
> Thu, 24 Sep 2009 14:15:08 -0700 (PDT)
> ================================

Read them bottom up - those 10. addresses are inside Google ;)

--
Please keep list traffic on the list.

Rob MacGregor
Whoever fights monsters should see to it that in the process he
doesn't become a monster. Friedrich Nietzsche

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

anoopjohn at gmail

Sep 25, 2009, 4:55 AM

Post #7 of 13 (1565 views)
Permalink

Re: Spammers spoofing source IP? [In reply to]

Thanks to whoever sent the test mail :-). I verified that in the eximlogs

2009-09-25 15:45:47 1Mr9Eq-0001MK-0U <= test [at] test
209.203] P=smtp S=233

I will report even more authoritatively at the VPS support.
Thanks to Vic, Alan and Rob. I will report back with status.

Cheers
Anoop

----------------------------------------------------------------------------------------
http://www.zyxware.com
http://www.anoopjohn.com
http://www.thondomraughts.com
----------------------------------------------------------------------------------------
"Be the change you wish to see in the world", M. K. Gandhi
----------------------------------------------------------------------------------------

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

spfdiscuss at alandoherty

Sep 25, 2009, 5:09 AM

Post #8 of 13 (1574 views)
Permalink

Re: Spammers spoofing source IP? [In reply to]

please drop the spoofed ip {impossibility}

full answer is in my original reply

{forwarded email will always be from your ip}

#without srs
thus forwards of forged-from as you == pass
forwards of others > you == fail {if they use spf}

#with srs
thus forwards of forged-from as you == pass
forwards of others > you == pass

the point is the spf checking is supposed to happen when you receive the email before forwarding it
once you accept the email the server you forward it to can do nothing useful with spf

or another way to put it SPF is for first reciever ONLY
{why all other receivers must white-list the IP's of inbound forwarders and upstream MX's {and trust that they have the same policy of checking SPF before accepting}}

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

anoopjohn at gmail

Sep 25, 2009, 5:24 AM

Post #9 of 13 (1570 views)
Permalink

Re: Spammers spoofing source IP? [In reply to]

Thanks Alan for the detailed explanation. I have passed on the request
about setting SRS to forward emails and SPF to check the SPF of mails
coming in to the server.

Cheers
Anoop
----------------------------------------------------------------------------------------
http://www.zyxware.com
http://www.anoopjohn.com
http://www.thondomraughts.com
----------------------------------------------------------------------------------------
"Be the change you wish to see in the world", M. K. Gandhi
----------------------------------------------------------------------------------------

On Fri, Sep 25, 2009 at 5:39 PM, alan <spfdiscuss [at] alandoherty> wrote:
> please drop the spoofed ip {impossibility}
>
> full answer is in my original reply
>
> {forwarded email will always be from your ip}
>
> #without srs
> thus forwards of forged-from as you == pass
> forwards of others > you == fail {if they use spf}
>
> #with srs
> thus forwards of forged-from as you == pass
> forwards of others > you == pass
>
> the point is the spf checking is supposed to happen when you receive the email before forwarding it
> once you accept the email the server you forward it to can do nothing useful with spf
>
> or another way to put it SPF is for first reciever ONLY
> {why all other receivers must white-list the IP's of inbound forwarders and upstream MX's {and trust that they have the same policy of checking SPF before accepting}}
>
>
>
> -------------------------------------------
> Sender Policy Framework: http://www.openspf.org
> Modify Your Subscription: http://www.listbox.com/member/
> Archives: https://www.listbox.com/member/archive/1020/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/1020/
> Powered by Listbox: http://www.listbox.com
>

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

me at junc

Sep 25, 2009, 5:34 AM

Post #10 of 13 (1573 views)
Permalink

Re: Spammers spoofing source IP? [In reply to]

On fre 25 sep 2009 12:59:34 CEST, Anoop John wrote
> The mails are set to be forwarded to my gmail account and I have
> all these emails added to my gmail account.

and gmail says spf_pass since forged sender sends mail from your ip ? :)

> The problem is that gmail seems to be validating the mail as valid
> given the SPF records.

does your own mta use spf ?

> Could this be a case of spammers spoofing the source IP thereby
> tricking SPF?

show logs

stop the open spf hole you have created by not using spf on your own
mta, sender can pretend to be you from outside but is not you

do not use forwards, when srs is not implemented, or spf is not
checked on ones own mta

--
xpoint

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

spfdiscuss at alandoherty

Sep 25, 2009, 5:45 AM

Post #11 of 13 (1571 views)
Permalink

Re: Spammers spoofing source IP? [In reply to]

At 13:24 25/09/2009 Friday, Anoop John wrote:
>Thanks Alan for the detailed explanation. I have passed on the request
>about setting SRS to forward emails and SPF to check the SPF of mails
>coming in to the server.

just as a somewhat related aside forwarding any email to gmail is an unnecessary anyway
add the SPF checking to the receiving server and place the email in a pop3/imap mailbox
then have your gmail pickup the mail by pop3/imap thus bypassing the need for SRS+forwarding
additionally you can have gmail send replies via your server {assuming you have an smtp-auth account on your server}
thus your replies will conform to your own SPF policy and no need for SRS or forwarding {or the headaches of setting them up}

gmail to all intents and purposes can be used as a web-based mail client to any pop3/imap system

>Cheers
>Anoop
>----------------------------------------------------------------------------------------
>http://www.zyxware.com
>http://www.anoopjohn.com
>http://www.thondomraughts.com
>----------------------------------------------------------------------------------------
>"Be the change you wish to see in the world", M. K. Gandhi
>----------------------------------------------------------------------------------------
>
>
>
>On Fri, Sep 25, 2009 at 5:39 PM, alan <spfdiscuss [at] alandoherty> wrote:
>> please drop the spoofed ip {impossibility}
>>
>> full answer is in my original reply
>>
>> {forwarded email will always be from your ip}
>>
>> #without srs
>> thus forwards of forged-from as you == pass
>> forwards of others > you == fail {if they use spf}
>>
>> #with srs
>> thus forwards of forged-from as you == pass
>> forwards of others > you == pass
>>
>> the point is the spf checking is supposed to happen when you receive the email before forwarding it
>> once you accept the email the server you forward it to can do nothing useful with spf
>>
>> or another way to put it SPF is for first reciever ONLY
>> {why all other receivers must white-list the IP's of inbound forwarders and upstream MX's {and trust that they have the same policy of checking SPF before accepting}}
>>
>>
>>
>> -------------------------------------------
>> Sender Policy Framework: http://www.openspf.org
>> Modify Your Subscription: http://www.listbox.com/member/
>> Archives: https://www.listbox.com/member/archive/1020/=now
>> RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>> Powered by Listbox: http://www.listbox.com
>>
>
>
>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org
>Modify Your Subscription: http://www.listbox.com/member/
>Archives: https://www.listbox.com/member/archive/1020/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

anoopjohn at gmail

Sep 25, 2009, 2:39 PM

Post #12 of 13 (1565 views)
Permalink

Re: Spammers spoofing source IP? [In reply to]

Thanks to everybody once again for the replies and the directions. The
VPS management team has come back to me with the changes recommended.
They have 'set up SPF based filtering on all inbound mails' and they
have also set up SRS to allow for forwarding.

I have thought about the suggestion that Alan had pointed, about using
POP mail on the server and using Gmail as the mail client. The problem
I have is that I don't have too much server space on the VPS and with
all these forwards and stuff that people send across, I will always
have to be on the lookout for mails eating up the server space.

All is well that ends well. Thanks once again

Cheers
Anoop

----------------------------------------------------------------------------------------
http://www.zyxware.com
http://www.anoopjohn.com
http://www.thondomraughts.com
----------------------------------------------------------------------------------------
"Be the change you wish to see in the world", M. K. Gandhi
----------------------------------------------------------------------------------------

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

alan at alandoherty

Sep 26, 2009, 6:28 AM

Post #13 of 13 (1561 views)
Permalink

Re: Spammers spoofing source IP? [In reply to]

At 22:39 25/09/2009 Friday, Anoop John wrote:
>Thanks to everybody once again for the replies and the directions. The
>VPS management team has come back to me with the changes recommended.
>They have 'set up SPF based filtering on all inbound mails' and they
>have also set up SRS to allow for forwarding.
>
>I have thought about the suggestion that Alan had pointed, about using
>POP mail on the server and using Gmail as the mail client. The problem
>I have is that I don't have too much server space on the VPS and with
>all these forwards and stuff that people send across, I will always
>have to be on the lookout for mails eating up the server space.

you do realize with pop3 gmail downloads/deletes your email every 30 mins
so not a lot of possibility to use server space
{this is also 24/7 not just when your logged in}
its why here we recommend people wanting webmail go with gmail+pop3+smtps, rather than forwarding to hotmail or yahoo, as with this option no email goes inexplicably missing during the last leg of smtp transport
and even the dumbest user can't get us blacklisted by dumbly spamfoldering spam that came via the forwarding {ie spam that directly came from us in hotmail/gmail/yahoo's analasis}

as forwarding is essentially only used when no better alternative is available
SRS forwarding only when dealing with a receiver incapable of whitelisting forwarders and checking SPF

as google does provide a better alternative to forwarding the whole SRS seems moot

{as your providers reputation for that IP will also drop every time a forward has spammy content I'd consider adding spamassasin and several RBL's into their incoming filter mix}

but as we digress from SPF I'd say its a topic for private email

>All is well that ends well. Thanks once again
>
>Cheers
>Anoop
>
>----------------------------------------------------------------------------------------
>http://www.zyxware.com
>http://www.anoopjohn.com
>http://www.thondomraughts.com
>----------------------------------------------------------------------------------------
>"Be the change you wish to see in the world", M. K. Gandhi
>----------------------------------------------------------------------------------------
>
>
>-------------------------------------------
>Sender Policy Framework: http://www.openspf.org
>Modify Your Subscription: http://www.listbox.com/member/
>Archives: https://www.listbox.com/member/archive/1020/=now
>RSS Feed: https://www.listbox.com/member/archive/rss/1020/
>Powered by Listbox: http://www.listbox.com

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/1020/=now
RSS Feed: https://www.listbox.com/member/archive/rss/1020/
Powered by Listbox: http://www.listbox.com

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads