Subject: Re: INEXPENSIVE way to get reverse DNS records
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Chuck Swiger <cswiger@mac.com>
List: netbsd-users
Date: 11/14/2006 12:22:02
On Nov 14, 2006, at 4:58 AM, Steven M. Bellovin wrote:
> The most important reason not to use SPF or DKIM, though, is that as
> anti-spam mechanisms they simply don't work.  Spammers create many new
> domains, use them for a day or so, then abandon them.  In fact, they
> populate their zones with SPF records.  What, precisely, are they
> good for?

SPF was never intended to prevent spam from domains which are owned
by spammers; the fact that spammers publish SPF records does not mean
that the SPF records for domains like aol.com and msn.com, or
citibank.com, etc. are without value.

> Let me put it another way -- how much of the spam you receive would
> have been blocked because it impersonated some zone you know,
> rather than coming from some domain you've never heard of?

This is an excellent question, and more to the point of whether SPF
is useful.

Over the past month, one domain of mine has sent and received
approximately 10K legit messages; has gotten 5600 spams and 174
viruses which made it through the initial anti-spam checks and
greylisting; and has rejected 92K messages (mainly via greylisting).
Of the 5600 spam messages, there were 295 with a Received-SPF:
header, and a histogram breakdown of those is:

250 Received-SPF: none
11  Received-SPF: softfail
11  Received-SPF: neutral
10  Received-SPF: fail
2   Received-SPF: unknown

...with about 10 pass entries, mostly coming from verizon.net which
is listed as a valid sender for the domain in question.

There were also about 1800 forged emails claiming to be from the
mailserver itself or from a host in this domain which were
permanently rejected by initial HELO checks before they could be
considered from the standpoint of SPF validity.  If I didn't have
these HELO checks, then these would have been caught by SPF-checking
instead.

1800 is about one-third of the total spams which made it through.
Whether you use SPF to block mail which claims to be from your
domain, or whether you use some other form of HELO checking which
detects machines which claim to be your mailserver's hostname or IP
address, clearly, detecting forged mail which claims to be from your
own domain should be a high priority, because that does constitute a
significant proportion of the spam out there...

-- 
-Chuck
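The two mechanisms Chuck describes above, tallying Received-SPF results into a histogram and rejecting connections whose HELO name claims to be the local mailserver or a host in its own domain, as an added example that is not part of the original post or of any mail software. The hostname mx.example.org, the domain example.org, the addresses from the RFC 5737 documentation ranges and the sample header lines are all constructed for the example; a real deployment would run the HELO check at SMTP time on the HELO/EHLO argument and treat the trusted-network list as site configuration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample Received-SPF header lines (hypothetical domains and
# documentation-range addresses; not taken from the original post).
SAMPLE_HEADERS = [
    "Received-SPF: none (mx.example.org: domain of a@throwaway.example does not designate permitted sender hosts)",
    "Received-SPF: none (mx.example.org: domain of b@fresh.example does not designate permitted sender hosts)",
    "Received-SPF: none (mx.example.org: domain of c@dayold.example does not designate permitted sender hosts)",
    "Received-SPF: softfail (mx.example.org: transitioning domain of d@soft.example does not designate 203.0.113.4 as permitted sender)",
    "Received-SPF: neutral (mx.example.org: 203.0.113.5 is neither permitted nor denied by domain of e@neutral.example)",
    "Received-SPF: fail (mx.example.org: domain of boss@example.org does not designate 203.0.113.6 as permitted sender)",
    "Received-SPF: pass (mx.example.org: domain of f@verizon.net designates 198.51.100.9 as permitted sender)",
    "Received-SPF: unknown (mx.example.org: error in processing during lookup of g@broken.example)",
    "Received: from relay.example.net (relay.example.net [198.51.100.2]) by mx.example.org",
]

# The result keyword is the first token after "Received-SPF:".
SPF_RESULT_RE = re.compile(r"^Received-SPF:\s*([A-Za-z]+)", re.IGNORECASE)


def spf_histogram(headers):
    """Count SPF result keywords (pass, fail, softfail, neutral, none,
    unknown, ...) over a list of header lines; non-SPF headers are skipped."""
    counts = Counter()
    for line in headers:
        m = SPF_RESULT_RE.match(line.strip())
        if m:
            counts[m.group(1).lower()] += 1
    return counts


def first_spf_result(headers):
    """Return the result of the first Received-SPF header, or None."""
    for line in headers:
        m = SPF_RESULT_RE.match(line.strip())
        if m:
            return m.group(1).lower()
    return None


# Hypothetical identity of the local mailserver (assumed values).
LOCAL_HOSTNAME = "mx.example.org"
LOCAL_DOMAIN = "example.org"
LOCAL_ADDRS = {ipaddress.ip_address("192.0.2.25")}
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def helo_forgery_reason(helo, peer_ip):
    """Return a rejection reason if a connection from outside our trusted
    networks presents a HELO name that claims to be this server (by hostname
    or IP literal) or a host in our own domain; otherwise None."""
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in TRUSTED_NETWORKS):
        return None  # our own hosts may legitimately use these names
    name = helo.strip().lower()
    if name.startswith("[") and name.endswith("]"):
        try:
            literal = ipaddress.ip_address(name[1:-1])
        except ValueError:
            return None  # malformed literal; leave to other checks
        return "HELO claims our own IP address" if literal in LOCAL_ADDRS else None
    if name == LOCAL_HOSTNAME:
        return "HELO claims our own hostname"
    if name == LOCAL_DOMAIN or name.endswith("." + LOCAL_DOMAIN):
        return "HELO claims a host in our domain"
    return None


def triage(helo, peer_ip, headers):
    """Apply the order the post describes: the HELO check runs first, so
    forged mail claiming to be us never reaches SPF evaluation; a hard SPF
    fail is rejected next; everything else continues to later filters."""
    reason = helo_forgery_reason(helo, peer_ip)
    if reason:
        return ("reject", reason)
    result = first_spf_result(headers)
    if result == "fail":
        return ("reject", "SPF fail")
    return ("continue", "SPF " + (result or "none"))


if __name__ == "__main__":
    for result, n in sorted(spf_histogram(SAMPLE_HEADERS).items(), key=lambda kv: -kv[1]):
        print(f"{n:<4}Received-SPF: {result}")
    print(triage("mx.example.org", "203.0.113.5", SAMPLE_HEADERS))
```

Note that the histogram in the post is dominated by "none", i.e. throwaway domains with no SPF record at all, which is exactly the case SPF cannot help with; the HELO check is what catches the forgeries claiming to be your own server, and it does so before any DNS lookup is spent.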