do you use SPF TXT RRs? (RFC4408)

Kevin Stange kevin at steadfast.net
Mon Oct 4 22:55:28 UTC 2010


On 10/04/2010 11:47 AM, Greg Whynott wrote:
> 
> A partner had a security audit done on their site.  The report said they were at risk of a DoS due to the fact they didn't have an SPF record.

We publish a ~all record for our domain.  I think it's bad practice to
publish any other result because you're making assertions which are
almost definitely untrue.  +all implies that anywhere on the internet is
a valid origination, and -all implies you are certain nothing else could
ever send an email on behalf of your domain.

The most common situation where another host sends on your domain's
behalf is a forwarding MTA, such as NANOG's mailing list.  A lot of MTAs
will only trust that the final MTA handling the message is a source
host.  In the case of a mailing list, that's NANOG's server.  All
previous headers are untrustworthy and could easily be forged.  I'd bet
few, if any, people have NANOG's servers listed in their SPF, and
delivering a -all result in your SPF could easily cause blocked mail for
anyone that drops hard failing messages.

If you're going to filter using SPFs, I believe best practice is to
consider all mail from a +all or neutral record the same as mail that
soft or hard fails a ~all or -all record.  By filtering, I mean I would
simply subject those messages to additional testing, but never block
exclusively based upon an SPF result.  I would just ignore SPF and
that's what I do on MTAs I configure.

All you'll really be preventing with SPF is some backscatter and
messages which forge the source information for domains that have even
bothered to publish accurate records.  A huge amount of the spam you get
will pass SPF (or return neutral) and possibly pass DKIM as well because
the big spam operations register new domains and set up SPF before they
start spamming.

-- 
Kevin Stange
Chief Technology Officer
Steadfast Networks
http://steadfast.net
Phone: 312-602-2689 ext. 203 | Fax: 312-602-2688 | Cell: 312-320-5867
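The -all / ~all / +all distinction and the mailing-list relay case above, worked through in a small offline SPF evaluator. This is added example code, not part of the post or of anything NANOG or Steadfast publish; the domains, records and RFC 5737 addresses are constructed, and it goes slightly beyond the post by also handling `include`, which is how a domain would explicitly authorise a relaying list MTA.

```python
import ipaddress

# Constructed records; 192.0.2.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",       # hard fail: "nothing else ever sends for us"
    "example.net": "v=spf1 ip4:192.0.2.0/24 ~all",       # soft fail: the ~all stance in the post
    "example.org": "v=spf1 +all",                         # asserts the entire internet may send
    "lists.example": "v=spf1 ip4:198.51.100.0/24 ?all",  # the mailing list MTA, neutral default
    "example.edu": "v=spf1 include:lists.example -all",  # explicitly authorises the list MTA
}
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(domain, sender_ip, records=RECORDS, depth=0):
    """Simplified RFC 4408 check_host() for ip4, ip6, include and all; returns
    (result, matched_term). a/mx/ptr/exists, macros and DNS errors are omitted."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none", None
    if depth > 10:                      # RFC 4408 section 10.1 lookup limit
        return "permerror", None
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIER_RESULT else "+"   # "+" is implied
        mech = term.lstrip("+-~?")
        name, _, arg = mech.lower().partition(":")
        matched = False
        if name in ("ip4", "ip6"):      # an address is never inside a network of the other family
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":         # include matches only when the included record passes
            matched = evaluate_spf(arg, sender_ip, records, depth + 1)[0] == "pass"
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIER_RESULT[qualifier], qualifier + mech
    return "neutral", None              # record exhausted without a match

def spf_disposition(result, matched_term):
    """The post's stance: a +all match or a neutral result is weighed like a soft or
    hard fail, and the outcome is extra testing, never a block on SPF alone."""
    if result == "pass" and matched_term != "+all":
        return "deliver"
    return "extra-checks"

if __name__ == "__main__":
    # Same message sent directly (192.0.2.10) vs. relayed through the list MTA (198.51.100.5)
    for domain in RECORDS:
        for ip in ("192.0.2.10", "198.51.100.5"):
            res = evaluate_spf(domain, ip)
            print(f"{domain:14} from {ip:13} -> {res[0]:9} {res[1]!s:22} => {spf_disposition(*res)}")
```

Relayed through the list MTA, the -all domain fails outright while the ~all domain only softfails; the +all domain passes for every sender, which is why the post treats that pass as worthless.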


