Subject: Re: INEXPENSIVE way to get reverse DNS records
To: Steven M. Bellovin <firstname.lastname@example.org>
From: Chuck Swiger <email@example.com>
Date: 11/14/2006 12:22:02
On Nov 14, 2006, at 4:58 AM, Steven M. Bellovin wrote:
> The most important reason not to use SPF or DKIM, though, is that as
> anti-spam mechanisms they simply don't work. Spammers create many new
> domains, use them for a day or so, then abandon them. In fact, they
> populate their zones with SPF records. What, precisely, are they
> good for?
SPF was never intended to prevent spam from domains which are owned
by spammers; the fact that spammers publish SPF records does not mean
that the SPF records for domains like aol.com and msn.com, or
citibank.com, etc are without value.
> Let me put it another way -- how much of the spam you receive would
> have been blocked because it impersonated some zone you know,
> rather than
> coming from some domain you've never heard of?
This is an excellent question, and more to the point of whether SPF
Over the past month, one domain of mine has sent and received
approximately 10K legit messages; has gotten 5600 spams and 174
viruses which made it through the initial anti-spam checks and
greylisting; and has rejected 92K messages (mainly via greylisting).
Of the 5600 spam messages, there were 295 with a Received-SPF:
header, and a histogram breakdown of those is:
250 Received-SPF: none
11 Received-SPF: softfail
11 Received-SPF: neutral
10 Received-SPF: fail
2 Received-SPF: unknown
...with about 10 pass entries, mostly coming from verizon.net which
is listed as a valid sender for the domain in question.
There were also about 1800 forged emails claiming to be from the
mailserver itself or from a host in this domain which were
permanently rejected by initial HELO checks before they could be
considered from the standpoint of SPF validity. If I didn't have
these HELO checks, then these would have been caught by SPF-checking
1800 is about one-third of the total spams which made it through.
Whether you use SPF to block mail which claims to be from your
domain, or whether you use some other form of HELO checking which
detects machines which claim to be your mailserver's hostname or IP
address, clearly, detecting forged mail which claims to be from your
own domain should be a high priority, because that does constitute a
significant proportion of the spam out there...