
Gmail, SPF, and Broken Email Forwarding?

timothy posted more than 6 years ago | from the rejected-mail-for-too-many-ellipses dept.

Communications 300

alek writes "I recently stopped getting Email from a friend ... which turns out to be related to his use of SPF records and my forwarding to gmail. This 'lost Email problem' may get worse with Google implementing Domain Keys." Alek is looking for a non-complicated solution to this non-trivial problem; read on below for more details.

"Background: Like many people, I have me@mydomain.com as my public facing Email address. When Email comes into my server, I forward it to me@gmail.com. But since my friend has published SPF (Sender Policy Framework) records that say only his server is allowed to send Emails for friend@frienddomain.com, gmail apparently rejects (silently buries actually!) the Email since it is forwarding through my server. Please note that this is exactly what SPF is designed to prevent — spammers from sending Emails with your address — but it breaks forwarding and has other problems.

What's *really* strange is that if I look at the raw sendmail logs on my server, the Email from friend@frienddomain.com comes in, and is forwarded to gmail ... with an "OK" as the response — i.e. the gmail MTA doesn't reject the message as it ideally should. However, the Email then disappears — it's not even in my gmail spam filter ... so there is no trace of it at all. If my friend sends directly to me@gmail.com, it shows up ... since his domain sends directly and the SPF test is passed. Note that on my gmail account, I associate me@mydomain.com with my me@gmail.com account ... so perhaps there should be a recipient test applied before SPF is tested on the sender ... although this arguably defeats the purpose of SPF.

The logical solution is to configure sendmail on my server to do Sender Rewriting — anyone have an easy FAQ to do this? But many people/domains aren't doing this ... and my Email forwarding to gmail is quite common, so I'm surprised that this issue hasn't gotten more attention. Is there another solution?"
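The SPF failure described in the submission, and the sender rewriting it asks about, as an added example that is not part of the original post. It assumes documentation domains and addresses (example.net for the friend, example.com for the forwarding server), a constructed secret, an evaluator that handles only the `ip4` and `all` mechanisms, and a simplified SRS0-style address layout that is not claimed to interoperate with any particular SRS implementation.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample data: RFC 2606 domains and RFC 5737 addresses.
SPF_RECORDS = {
    "example.net": "v=spf1 ip4:192.0.2.10 -all",       # the friend's domain
    "example.com": "v=spf1 ip4:198.51.100.0/24 -all",  # the forwarding server's domain
}
SRS_SECRET = b"constructed-demo-secret"  # assumption: known only to the forwarder
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, envelope_from, records=SPF_RECORDS):
    """Check the connecting IP against the SPF record of the envelope sender's domain.

    Only ip4 and all are evaluated; other mechanisms (a, mx, include) are skipped.
    """
    if "@" not in envelope_from:
        return "none"
    domain = envelope_from.rsplit("@", 1)[1].lower()
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return RESULTS[qualifier]
        elif term == "all":
            return RESULTS[qualifier]
    return "neutral"


def _srs_tag(stamp, domain, local):
    """Keyed hash that stops third parties from minting valid rewritten addresses."""
    data = f"{stamp}{domain}{local}".lower().encode()
    return hmac.new(SRS_SECRET, data, hashlib.sha1).hexdigest()[:8]


def srs_forward(envelope_from, forwarder_domain, day):
    """Rewrite the envelope sender into the forwarder's own domain before relaying."""
    local, domain = envelope_from.rsplit("@", 1)
    stamp = B32[(day >> 5) & 31] + B32[day & 31]  # day number mod 1024, two characters
    tag = _srs_tag(stamp, domain, local)
    return f"SRS0={tag}={stamp}={domain}={local}@{forwarder_domain}"


def srs_reverse(srs_address, day, max_age_days=21):
    """Recover the original sender for a bounce; None if the address is forged or stale."""
    local_part = srs_address.rsplit("@", 1)[0]
    if not local_part.startswith("SRS0="):
        return None
    try:
        tag, stamp, domain, local = local_part[5:].split("=", 3)
    except ValueError:
        return None
    if len(stamp) != 2 or any(c not in B32 for c in stamp):
        return None
    if not hmac.compare_digest(tag.encode(), _srs_tag(stamp, domain, local).encode()):
        return None
    issued = B32.index(stamp[0]) * 32 + B32.index(stamp[1])
    if (day - issued) % 1024 > max_age_days:
        return None
    return f"{local}@{domain}"


def demo():
    sender = "friend@example.net"
    direct = check_spf("192.0.2.10", sender)        # friend's server delivers directly
    forwarded = check_spf("198.51.100.7", sender)   # forwarder relays, envelope unchanged
    rewritten = srs_forward(sender, "example.com", day=14070)
    forwarded_srs = check_spf("198.51.100.7", rewritten)  # now judged against example.com
    bounce_target = srs_reverse(rewritten, day=14072)
    return direct, forwarded, rewritten, forwarded_srs, bounce_target


if __name__ == "__main__":
    for value in demo():
        print(value)
```

The receiver only ever sees the connecting IP and the envelope sender, so the unchanged forward is indistinguishable from a forgery; after rewriting, the check is made against the forwarder's own record and bounces still find their way back through `srs_reverse`.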


300 comments


I knew .. (-1, Troll)

queldor (1184789) | more than 6 years ago | (#24140869)

there was a reason I did not want a gmail account

Re:I knew .. (0)

Anonymous Coward | more than 6 years ago | (#24140957)

right. so, there is potentially one problem. with a free service... and you knew there was a reason somewhere, sometime?
 
Well. Using that reasoning... I know you're an idiot. Because at some point in the future, you'll prove me right.

Re:I knew .. (0)

Anonymous Coward | more than 6 years ago | (#24140981)

Well. Using that reasoning... I know you're an idiot. Because at some point in the future, you'll prove me right.

I think he already proved that he was an idiot in the not-too-distant past.

Re:I knew .. (1)

dot45 (1135589) | more than 6 years ago | (#24141063)

I use my gmail account for catching all the junk mail you get for signing up for a mailing list.
I guess i need to have my email server just send me a message stating that i have new mail waiting.

Re:I knew .. (4, Insightful)

cayenne8 (626475) | more than 6 years ago | (#24141843)

"I use my gmail account for catching all the junk mail you get for signing up for a mailing list. I guess i need to have my email server just send me a message stating that i have new mail waiting."

At first I was wondering why the hell someone that had a working email server would shuttle it through Gmail, but then I read about using the spam filters, etc.

While that sounds good on the surface, is anyone out there not a little apprehensive about having all your email, particularly if you're a business, going through and being stored on their servers? I mean, someday Google will bend completely for govt. wanting to search all emails for 'terrorists' activities, and God knows who else will too.

I guess I'd want a bit more privacy on my emails, especially if they contained sensitive or proprietary information. I know...they're in plain text and could be intercepted if not encrypted, but, this is altogether different. It is stored on google's servers and there for easy data mining.

I'm getting ready to dig out my old email server post Katrina...can you not use procmail and spamassassin to filter spam as effectively as Gmail does?

Re:I knew .. (3, Insightful)

BizzyM (996195) | more than 6 years ago | (#24142179)

If you are worried that your "sensitive" email could be stored and eventually used against you:
1) stop using email altogether.
2) you need to get to a drug rehab center... cocaine is a hell of a drug

Re:I knew .. (1)

Zero__Kelvin (151819) | more than 6 years ago | (#24141669)

Really? What was it? gmail is doing exactly what it is supposed to do in this case, so what is your reason?

Sunblock (4, Funny)

MyLongNickName (822545) | more than 6 years ago | (#24140891)

I prefer SPF 60. It allows me to keep the pasty white, computer nerd complexion that drives the women wild.

Re:Sunblock (5, Funny)

Anonymous Coward | more than 6 years ago | (#24141855)

I prefer SPF 60. It allows me to keep the pasty white, computer nerd complexion that drives the women away.

There, fixed that for ya.

Re:Sunblock (0)

Anonymous Coward | more than 6 years ago | (#24141965)

I'm not funny.

Fixed.

Re:Sunblock (5, Funny)

Spy der Mann (805235) | more than 6 years ago | (#24142135)

I prefer SPF 60. It allows me to keep the pasty white, computer nerd complexion that drives the women away.

There, fixed that for ya.


. o <-- joke
.
. </sarcasm> tag
. o <-- you
./|\
./ \

Re:Sunblock (2, Funny)

dlaudel (1304717) | more than 6 years ago | (#24142187)

What's a "sun"?

Re:Sunblock (5, Funny)

Anonymous Coward | more than 6 years ago | (#24142297)

company that makes servers.

Please adhere to RFC (5, Informative)

DNS-and-BIND (461968) | more than 6 years ago | (#24140927)

Please stop using mydomain.com and other such nonsense. Example.com is reserved by RFC 2606 [ietf.org] for use as a...wait for it...example domain name. Please make a habit of using it instead of whatever name strikes your fancy, as it is probably in use by real people.

The Internet Assigned Numbers Authority (IANA) also currently has the following second level domain names reserved which can be used as examples.
  • example.com
  • example.net
  • example.org

Re:Please adhere to RFC (-1)

MyLongNickName (822545) | more than 6 years ago | (#24141003)

Errrrm. That isn't his real address he puts up there. He has an actual domain but doesn't want to put it on Slashdot.

Re:Please adhere to RFC (1)

gEvil (beta) (945888) | more than 6 years ago | (#24141095)

Errrrm. That isn't his real address he puts up there. He has an actual domain but doesn't want to put it on Slashdot.

Really? I'm glad you cleared that up for us....

Re:Please adhere to RFC (4, Informative)

MyLongNickName (822545) | more than 6 years ago | (#24141441)

Um, no. If you actually read RFC 2606, it is for TESTING. If this guy were really sending test emails to me@mydomain.com, then he would be in violation. Simply posting it on Slashdot as an example is not prohibited.

Re:Please adhere to RFC (2, Informative)

gEvil (beta) (945888) | more than 6 years ago | (#24141767)

Wow, you clearly didn't read very far. You only need to read the abstract to see that it's not just for testing:
"To reduce the likelihood of conflict and confusion, a few top level domain names are reserved for use in private testing, as examples in documentation, and the like. In addition, a few second level domain names reserved for use as examples are documented."

And no, it's not prohibited per se, but it is a good practice so as not to annoy those who own the domains the submitter used.

Re:Please adhere to RFC (0)

Anonymous Coward | more than 6 years ago | (#24141111)

Uhm, ajem.... whooosh?

Re:Please adhere to RFC (3, Funny)

Anonymous Coward | more than 6 years ago | (#24141177)

Did you score a 200 on your SAT? Did you even take the SAT? Since your reading comprehension skills are apparently on par with first graders and congressmen, allow me to clarify.

1) The story submitter used 'mydomain.com' as an example domain in his original post.

2) The OP of this thread said 'Don't do that', use 'example.com' instead of 'mydomain.com'.

3) You pointed out (1)

4) You are being rightfully flamed for being such an ignoramus.

Re:Please adhere to RFC (0)

Anonymous Coward | more than 6 years ago | (#24141187)

The ACTUAL POINT being is that mydomain.com could presumably be actually owned by someone - and hence posting it as an example might land someone with a bunch of spam.

Re:Please adhere to RFC (2, Insightful)

CopaceticOpus (965603) | more than 6 years ago | (#24141657)

Technically you're right. But I'm pretty sure that if some idiot chose "me@mydomain.com" as his personal email address, he's already used to getting mountains of spam.

Re:Please adhere to RFC (1, Funny)

Anonymous Coward | more than 6 years ago | (#24141261)

swoosh
~~~~~~~~~~~~~~~~point~~~~>

  0
=|=
  / \
you

Sorry, Swoosh belongs to Nike. (3, Funny)

johnny cashed (590023) | more than 6 years ago | (#24141981)

I think you're looking for whoosh.

Re:Sorry, Swoosh belongs to Nike. (5, Funny)

_ivy_ivy_ (1081273) | more than 6 years ago | (#24142127)

RFC 9835 specifically calls for a "whoosh." The use of "swoosh" has been depreciated.

Re:Sorry, Swoosh belongs to Nike. (5, Funny)

Sciros (986030) | more than 6 years ago | (#24142171)

deprecated

Re:Please adhere to RFC (-1, Redundant)

xtracto (837672) | more than 6 years ago | (#24141453)

I would point you how you totally missed the point, but so far, there are about 8 replies trying to explain it to you...

Oh, what the heck.

swoosh
~~~~~~~~~~~~~~~~point~~~~>

      0
    =|=
    / \
you

Re:Please adhere to RFC (0)

MyLongNickName (822545) | more than 6 years ago | (#24141549)

Wow, you posted AC and then posted again. Cool.

Anyhow, RFC refers to using the example domain for testing purposes and documentation. Unless you consider a Slashdot post one or the other, it does not apply. Sorry.

Re:Please adhere to RFC (2, Funny)

xtracto (837672) | more than 6 years ago | (#24141635)

wow, you posted AC and then posted again. Cool.

Haha, incredible.

  MyLongNickName, I present you Select/Copy/Paste. You can do that with almost all the new Operating Systems :)

You are welcome.

Re:Please adhere to RFC (1)

bigstrat2003 (1058574) | more than 6 years ago | (#24141155)

Got any real reason that this matters, or should we all applaud you for reaching new levels of pedantry?

(Spam doesn't count, anyone with a domain so easy to pull out of a hat as to be used as an example domain gets bombarded with spam already.)

Re:Please adhere to RFC (1)

rho (6063) | more than 6 years ago | (#24142157)

Every now and then you'll see a How-To that has absurd example domains. "a.b.c" or "bob.jones.company". I seem to recall an LDAP How-To that had such junk in it.

It's hard to read and really is a pain in the ass. To me it's just like doing a search-and-replace of all capital "S"s to "$".

"example.com" is useful, and available. Use it.

Re:Please adhere to RFC (4, Interesting)

TheRealMindChild (743925) | more than 6 years ago | (#24141159)

Ironic you bring this up when thedailywtf.com posted this little bit [thedailywtf.com] today.

Re:Please adhere to RFC (1)

XanC (644172) | more than 6 years ago | (#24141377)

Doubly ironic that the article you point to makes the exact same mistake that it warns against: it uses a seemingly random string instead of example.com. Great story, though.

Re:Please adhere to RFC (1)

Altus (1034) | more than 6 years ago | (#24142235)

putting a fake domain name into an article is not the same thing as using it for testing an application.

for instance, if the person who wrote this slashdot story had used "example.com" for his domain, what would you suggest he use for his friends domain?

Re:Please adhere to RFC (1)

XanC (644172) | more than 6 years ago | (#24142327)

for instance, if the person who wrote this slashdot story had used "example.com" for his domain, what would you suggest he use for his friends domain?

example.net

Re:Please adhere to RFC (0)

Anonymous Coward | more than 6 years ago | (#24141525)

I do not believe, and would not care if, RFC regulations applied to the contents of blogs, forum posts, etc.

mydomain.com is perfectly suitable for someone who is discussing their own domain, than any generic "example."

Who made you hall monitor anyway?

Dude, if you are gonna adopt a Pet peeve, at least make it peeve worthy of adoption...

Re:Please adhere to RFC (0)

Anonymous Coward | more than 6 years ago | (#24141819)

If I can pull the stick out of your ass, do I become the heir to the British throne or something?

It's just an example in a text message (4, Insightful)

r39525 (11111) | more than 6 years ago | (#24141873)

For God's sake. It's just text! RFC 2606 doesn't specify what you're allowed to write in a text message.

If you're actually going to do some testing then it might matter. What matters here is can the reader understand the question. I can. Can you?

Is there another solution? (5, Informative)

jeffmeden (135043) | more than 6 years ago | (#24140967)

Yes, of course. Have all your email sent to Google in the first place! You don't have to switch everything over to the Google app tool, you can just set MX records for your domain pointing to them, and collect it all (or forward it inside or outside Google.) It's free (with a paid version available.) Check it out here http://www.google.com/a/help/intl/en/index.html [google.com]

Re:Is there another solution? (4, Informative)

dch24 (904899) | more than 6 years ago | (#24141075)

It really works! (ob. disclaimer: satisfied customer)

Our company forwards email to google (MX record in the DNS), where it runs through the spam filter and then a forwarding rule (an anything-but-spam rule) sends it on to our mailboxes.

For free... :-)

Re:Is there another solution? (0)

Anonymous Coward | more than 6 years ago | (#24142101)

<AOL>Me too!</AOL>

Seriously, having my domain's email hosted by google has been a great move--- no more flaky email forwarding service from the company who registers my domain name.

Re:Is there another solution? (0)

Anonymous Coward | more than 6 years ago | (#24141423)

I use GMail for your domain too, but my mail is frequently sorted as spam. I have SPF records properly set up (with the ~). At one point the gmail server was blacklisted at http://psbl.surriel.com/. Another time my email was sorted as spam by an associate's company email filter (Trend), then he clicked "not spam" and it got moved into the Outlook spam folder.

I like the Google thing a lot but I can never be sure if my email is going to be seen or not.

^---- what jeffmeden said. (3, Interesting)

klocwerk (48514) | more than 6 years ago | (#24141677)

Another satisfied google hosted apps customer chiming in. I have a reseller webhosting account that I keep about 10-15 domains on for myself/friends/family which does acceptable e-mail, but I advise everyone to just shove their e-mail over to gmail/a instead.

You get your own hosted mail/webmail service with (currently) 7gb of storage per/account, no preset account limit, POP and IMAP, as well as great spam-filtering.
All free.

And for $50/acct/year you can have 25gb/acct storage, API access to customize it for single-signon and/or gateways, a full Postini implementation, and 99.9% uptime guarantee.

Hate to sound like a shill, but it's a fantastic service and I don't mind pimping it.

Re:Is there another solution? (0)

Anonymous Coward | more than 6 years ago | (#24141739)

Gmail can check email via POP or IMAP. You don't even *need* to adjust DNS to use Gmail.

.. easier to just update your MXs (1)

uncledrax (112438) | more than 6 years ago | (#24142299)

True..

but if you have a web-presence where you don't want to deal with having another POP/IMAP server to maintain yourself, you can point your MX's to Gmail..

Frankly.. I use google web app tools and love em.

Re:Is there another solution? (1)

NightRain (144349) | more than 6 years ago | (#24142325)

The ability to use IMAP is the /reason/ many people forward their domain emails to their gmail account. If you don't adjust your DNS, then you have to mail forward, which puts you back at square one with the problem of disappearing emails...

Hey how about this... (0, Flamebait)

Anonymous Coward | more than 6 years ago | (#24140973)

In these days of a few dollars per month hosting, why don't you let someone else host your email. You obviously have no idea what you are doing. Anyone can set up a mail server, but hey, leave it to the pros to fix your inane problems.

Simple answer: stop forwarding (4, Insightful)

mattbee (17533) | more than 6 years ago | (#24140991)

Effective spam filtering for forwarded email is pretty much impossible, as you lose vital information in the forwarding. Either get rid of your forwarding address, or have it hosted at Google as well. Probably the largest single reduction in spam I've ever made was the week that I got rid of years-old forwarding addresses. If the forwarding address is more important, just get it hosted at Google directly, or tell people to stop using it!

Re:Simple answer: stop forwarding (0, Redundant)

joeytmann (664434) | more than 6 years ago | (#24141607)

ding ding ding....we have a winner! tell them what they have won Vanna.

Re:Simple answer: stop forwarding (0)

Anonymous Coward | more than 6 years ago | (#24141875)

I disagree. I do a simple forward of my email address to google, and google's spam filter works great! I get probably 500 spam messages a day, and I usually only see a couple of them make it through the filter. And I haven't had a false positive in almost a year......

Forwarded messages will be fine (1)

addikt10 (461932) | more than 6 years ago | (#24141007)

If you are having problems with forwarded messages, then none of the emails from your server would make it in to gmail.
Forwarded messages will have all the headers and information to indicate they came from your server.
Bounced messages, where none of the headers are rewritten but it seems to come from your server, is the issue you are describing and it isn't one that I have an easy answer for.
The only solution that I can think of would use greasemonkey and special rules on your server to make it easy to reply, forward, etc from gmail.

silently dropping is not unexpected (5, Interesting)

Ungrounded Lightning (62228) | more than 6 years ago | (#24141025)

What's *really* strange is that if I look at the raw sendmail logs on my server, the Email from friend@frienddomain.com comes in, and is forwarded to gmail ... with an "OK" as the response -- i.e. the gmail MTA doesn't reject the message as it ideally should. However, the Email then disappears -- it's not even in my gmail spam filter ... so there is no trace of it at all.

While the RFCs specify that an MTA that is dropping should notify the sender in various ways, modern MTAs often violate these parts of the spec, pretending to accept and then dropping the mail and/or failing to send bounce notifications.

This is deliberate. Not sending bounce messages reduces the load on the servers and net (now that most mail traffic bounces). Pretending to accept mail which is actually dropped is a defense against guessing email addresses and probing filters to see what gets past them.

Re:silently dropping is not unexpected (3, Insightful)

X0563511 (793323) | more than 6 years ago | (#24141409)

It violates RFCs and causes problems like we are reading about now. It needs to stop.

Re:silently dropping is not unexpected (4, Informative)

liquidpele (663430) | more than 6 years ago | (#24141697)

People violate the RFC because spammers spoof the sender as the people they are spamming, so the bounce goes back to that person and they get the spam. The RFC does not account for this, so fuck it.

Re:silently dropping is not unexpected (1)

X0563511 (793323) | more than 6 years ago | (#24141987)

No, fuck the spammer. Either respect the RFC, or come up with a solution with at least as much attention as the RFCs were given.

Or, give up and come up with a proper solution from the start, and let traditional email rot.

Re:silently dropping is not unexpected (4, Insightful)

AVee (557523) | more than 6 years ago | (#24142233)

That would be true if google would actually first accept the email and then send a bounce message because it doesn't like it after all.
What they should do is reject the email immediately, in which case they don't have to send a bounce email but the mail is properly logged as being rejected. Of course this does mean google will have to do all of their checks before accepting the message which is a bit harder to do but it is the only correct solution for the bounce problem.

Re:silently dropping is not unexpected (1)

oyenstikker (536040) | more than 6 years ago | (#24141703)

That means you Hotmail!

Re:silently dropping is not unexpected (2, Funny)

Klaus_1250 (987230) | more than 6 years ago | (#24141527)

Hotmail has been doing the same for years... And it is bad bad bad. There is a reason for those RFCs you know. I've had several complaints from people that I was losing their mail. Checked the server logs and the mails were sent to Hotmail and it replied with a nice message received and accepted. Yet it dropped them afterwards even though it was 100% Ham. Fantastic. I get complaints about their mistakes, it takes me time and effort, and best of all, you can't contact them about it.

Easy answer (1, Informative)

mastropiero (258677) | more than 6 years ago | (#24141031)

You need to implement sender-rewriting scheme in your mail server. Google it.

Next issue?

Re:Easy answer (1, Informative)

Anonymous Coward | more than 6 years ago | (#24141179)

See link in summary.

http://david.woodhou.se/why-not-spf.html

Solution is for your friend to use something OTHER than SPF

Re:Easy answer (5, Insightful)

SatanicPuppy (611928) | more than 6 years ago | (#24141507)

That's outstandingly unhelpful. How about attaching a link to a decent SRS implementation [srs-socketmap.info] ? Or sending them to OpenSPF [openspf.org] ?

Randomly throwing down on people legitimately asking for some technical help is a big problem in the OSS community. Whether or not /. is the appropriate place to ask this question is debatable, but since it made the front page and there is no helpful SRS faq on this site, might as well direct them somewhere.

Pull instead of push? (5, Informative)

Robotech_Master (14247) | more than 6 years ago | (#24141039)

Doesn't GMail offer the ability to fetch your email from POP accounts now? It would probably not be the ideal solution, but perhaps you should stop forwarding and instead start POPping.

Re:Pull instead of push? (1)

SCHecklerX (229973) | more than 6 years ago | (#24141297)

and wtf would one want to enable pop on a server that is already doing IMAP just fine? Maybe google should implement IMAP checking, then I wouldn't have to forward (it's temporary until my own web server is back online, but it certainly is convenient).

Re:Pull instead of push? (1)

jon159785 (1311451) | more than 6 years ago | (#24141413)

Probably wants to use gmail's filtering for spam. The spam filtering on most low end hosting solutions leaves much to be desired.

Re:Pull instead of push? (4, Informative)

i kan reed (749298) | more than 6 years ago | (#24141317)

Or given the box of horrors that is POP, you could try IMAP, which google now also supports.

Re:Pull instead of push? (0)

Anonymous Coward | more than 6 years ago | (#24141389)

supports, and even implements their label scheme. i just moved my own domain to gmail and it's wonderful. imap makes it easy

Re:Pull instead of push? (3, Informative)

Loether (769074) | more than 6 years ago | (#24141557)

gmail does let you pull via pop3 BUT the scheduler is not configurable. Gmail checks pop randomly when it feels like it. For me it's about every 30 minutes to 1 hour. YMMV

Re:Pull instead of push? (1)

tgd (2822) | more than 6 years ago | (#24141573)

Or better yet don't do either, just have the e-mail go to gmail. Google Apps for Domains is free, and less clunky than forwarding.

Re:Pull instead of push? (1)

ady1 (873490) | more than 6 years ago | (#24141727)

I'm using that for an old account and trust me, that is extremely slow. As one poster already pointed out, you can just host the email on google instead of forwarding it which is not efficient in the first place.

Re:Pull instead of push? (1)

VGPowerlord (621254) | more than 6 years ago | (#24142277)

That means you have to implement an additional mail server program that does POP, as forwarding only requires SMTP.

Domain Keys doesn't have the same issue (4, Informative)

thadman08 (732965) | more than 6 years ago | (#24141087)

Domain Keys authenticates that the message was generated by a server with access to the DK private key. Forwarding the message does not affect the originator of the message, so the Domain Key authentication still checks out.

SPF and DKs solve similar issues, but in a much different manner.

Dump SPF (0)

Anonymous Coward | more than 6 years ago | (#24141089)

SPF is deliberately designed to prevent this type of forwarding.

Tell your friend to stop publishing SPF records, and ask Google to stop checking.

SPF won't do anything to stop spam anyway (despite what some of its proponents say.) It needs to die a quick death.

Re:Dump SPF (1)

Rashkae (59673) | more than 6 years ago | (#24141461)

SPF stops phishing, and FROM forgery, not spamming, as the original poster already mentioned.

It's been a while since I read SPF specs, but there is a header you can add to the e-mail that identifies the sender domain of the forwarded e-mail, which will fix the SPF issue when you forward the mail from your server to gmail.. Unfortunately, a) I forget what the header is b) I have no clue how to configure sendmail so it inserts the header when it forwards e-mails. I would be interested in these answers however.

Re:Dump SPF (1)

DamnStupidElf (649844) | more than 6 years ago | (#24142131)

Wouldn't the existence of such a header break SPF? Spam could just come "forwarded" from the spoofed sender.

Support SPF (4, Insightful)

ergo98 (9391) | more than 6 years ago | (#24141463)

SPF won't do anything to stop spam anyway (despite what some of its proponents say.) It needs to die a quick death

I put SPF on my domain not because I think that it'll solve the world's spam problem, but because it helps reduce the (large) number of bogus returns that come back to my domain (the more recipients that have SPF checking on, and realize that some sender in China isn't a legitimate source for emails from my domain, eats and discards the message rather than bouncing back some wasteful return spam to me).

SPF is great. It isn't a total solution, and there are negatives, but it certainly is better than the anyone is anyone free for all.

Re:Dump SPF (1)

Phroggy (441) | more than 6 years ago | (#24141533)

SPF won't do anything to stop spam anyway (despite what some of its proponents say.) It needs to die a quick death.

In case anyone doubts this, here's a brief list of domains that are owned by spammers that actually have SPF configured, as well as forward and reverse DNS for their dedicated IPs. Each of these domains also has a web site with an "unsubscribe" form on the front page. These are just a few of the domains that have tried to send me spam in the last couple of days.


Re:Dump SPF (1)

bigstrat2003 (1058574) | more than 6 years ago | (#24141733)

gohan-saiyan.com
goku-saiyan.com
goten-saiyan.com
vegeta-saiyan.com

That isn't spam, that's a feature!

On a serious note, what the hell kind of spam are you getting from domains like that?

Re:Dump SPF (1)

Phroggy (441) | more than 6 years ago | (#24142281)

Nothing to do with the actual domain name used; they're obviously pretty random.

Actually I'm not sure what kind of spam they're sending, since I've been rejecting it. I set up a script to check the reverse DNS hostname of the connecting host, and if it matches a particular pattern, send an HTTP query to see if that host has a web site, and if so, whether the web site has an unsubscribe form on the front page. If all these conditions are met, the IP is cached in a database and the message is rejected; otherwise the IP is cached as being OK (the majority of servers connecting to me that match this hostname pattern are spammers, but there are a lot of legit servers too). But with the HTTP test on top of that, I've had no false positives.

Interestingly enough, I've been using this code on two different servers, and since I cleared the database a couple days ago, only one of them has seen this type of spam, and that server only hosts a single domain, while the other server hosts several domains.

Re:Dump SPF (1)

jonbryce (703250) | more than 6 years ago | (#24141935)

SPF isn't supposed to stop spam. It is supposed to stop backscatter from people spamming with your email address in the "from" field.

If the SPF doesn't match, that means the email has a faked "from" field, so the receiving server shouldn't bounce it back to you. In that respect, Google's approach of silently eating the mail is probably the "correct" approach. Perhaps it should put it in the spam folder though.

setup gmail to grab the email directly... (0)

Anonymous Coward | more than 6 years ago | (#24141229)

gmail > settings > accounts > get mail from other accounts...

downloads via pop3.

Don't forward (0)

Anonymous Coward | more than 6 years ago | (#24141257)

When Email comes into my server..

That's your problem right there. Don't have email sent to your server. Update your MX records so your email is sent directly to google. Then you can turn off sendmail on your server.

Re:Don't forward (1)

Klaus_1250 (987230) | more than 6 years ago | (#24141323)

So you can't see if Google has silently deleted any other of your email? Doesn't make sense to me.

Easy -- sign up for Google Apps for your Domain (3, Informative)

ahecht (567934) | more than 6 years ago | (#24141333)

Sign up for Google Apps, and then you can have all mail sent to me@mydomain.com be handled by GMail. All you have to do is sign up at http://www.google.com/a/ [google.com] and link your domain. Then point your domain's MX records to aspmx.l.google.com.

In the future, all you have to do in order to get your mail is to go to http://mail.google.com/a/mydomain.com/ instead of http://www.gmail.com (and you can even set it up so that http://mail.mydomain.com CNAMES to your email login page)

Re:Easy -- sign up for Google Apps for your Domain (3, Funny)

The End Of Days (1243248) | more than 6 years ago | (#24141471)

OMG you didn't use example.com as your domain. You're risking the nerdwrath of that dude above.

Re:Easy -- sign up for Google Apps for your Domain (1, Informative)

Anonymous Coward | more than 6 years ago | (#24141915)

Unfortunately, http://mail.example.com goes to http, not https.

And of course, you get cert warnings if you try https://mail.example.com.

And yes, I know in either case the authentication part is secure, but the post-auth part is not.

you want https://mail.google.com/a/example.com

FAQ (5, Informative)

RzTen1 (1323533) | more than 6 years ago | (#24141355)

There's actually a fairly simple procmail fix right on the spf site: http://www.openspf.org/FAQ/Forwarding [openspf.org]

SPF is only the first half, choose to use SRS also (0)

spottedkangaroo (451692) | more than 6 years ago | (#24141401)

If you're forwarding mails from SPF tagged domains you should also be using SRS... it's kinda your own fault for forwarding without re-writing return path.

You seem to have answered the question already (4, Informative)

RevDigger (4288) | more than 6 years ago | (#24141431)

This is also known as, "The Problem With SPF." SPF breaks forwarding. This is well known. People who use SPF need to be aware of the ramifications.

The SPF people have created SRS, as you are aware, to work around this problem. It is a complicated and unappealing workaround. I certainly won't do it.

You have three options as I see it:

1) Stop forwarding. It's really a terrible idea. Install webmail on your mailserver. Check out RoundCube, for instance.
2) Wait for people to figure out that strict SPF policies break SMTP too badly for most users.
3) Implement SRS. (this would probably be easier if you were using a modern MTA)

I guess you were hoping for an easy fix, but there simply isn't one.

Re:You seem to have answered the question already (0)

Anonymous Coward | more than 6 years ago | (#24141647)

Umm... webmail itself is a terrible idea. Really. Gmail may suck a little less than most others, but that doesn't mean it doesn't suck.

I hadn't seen RoundCube before, but it appears to be Yet Another PHP/MySQL-based potential security hole. Yeah, just what I need -- another app to worry about.

Re:You seem to have answered the question already (1)

BobMcD (601576) | more than 6 years ago | (#24141709)

Or...

1) Stop forwarding...

...and use Gmail to fetch stored mail instead.

maybe a silly question but.. (0)

Anonymous Coward | more than 6 years ago | (#24142319)

FYI here's the link [openspf.org] to the SPF document on Forwarding.

Do I have my terminology wrong? I thought forwarding sent an email with the headers from the forwarder's server? In their example isn't forwarding redirecting and remailing actually forwarding?

mod Mup (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24141631)

'doing something' is mired in an Was what got me It will be among 's0perior' machine. charnel house. The wall: *BSD faces a revel in our gay

boring (0)

Anonymous Coward | more than 6 years ago | (#24141699)

BORING!!!!!

SPF and mail forwarding DON'T work together, never have NEVER WILL

Get over it

proper forwarding (1)

ArbitraryConstant (763964) | more than 6 years ago | (#24141705)

Proper forwarding should rewrite the SMTP envelope sender (leaving the "From" header intact). There's just no other way to do it that doesn't break with SPF and other things these days.

Yes, that means the new sender address will have to be valid. Yes, that means it'll look like spam is coming from your domain if your forwarding service is easy to abuse. You might also want to preserve what's happened in headers for future reference and debugging uses, and rewrite the SMTP envelope sender to something that makes obvious which forwarding address caused the forwarded message to be sent.

E-mail is easy to get wrong. Don't try this at home.

Don't send TO gmail, have gmail get FROM (1)

Andraax (87926) | more than 6 years ago | (#24141781)

Instead of forwarding mail from your server to gmail, set up gmail to pick up mail from your server automatically. SPF shouldn't fire in that case. It's under Settings/Accounts/Get mail from other systems. If you have POP3 access to your current mailbox, it's trivial to set up.

Google will host your email for free (0)

Anonymous Coward | more than 6 years ago | (#24141921)

Use google apps free email hosting, they will host the email for your domain for free, you get a custom domain AND the gmail interface/features you love.

http://www.google.com/a/help/intl/en/index.html

There is an easy way to do e-mail forwarding... (2, Informative)

jafo (11982) | more than 6 years ago | (#24142031)

There's an easy way to do e-mail forwarding, which unfortunately is wrong. We no longer live in a world where you can just create a .forward file with the destination address in it (unless it's on the same server).

If you're going to run your own mail server, there are things you need to do if you want it to run correctly. One of them is that if you are forwarding to a mail server that does SPF, you need to do SRS. Though you probably also need to be doing all the spam rejection on your mail server as well, because otherwise you may be allowing mail through that you wouldn't otherwise.

For example, say that your server doesn't check SPF, and you do SRS. Now you're basically bypassing the destination server's SPF checking.

How to do SRS? I would personally probably just change my .forward file from the destination address into a small script that re-injects the message with a different envelope sender, but I'm sure there are already scripts that do this and much more fancy....

Ideally, you probably just want to move your mail for your domain directly to google, as another respondent says. Don't have it shunting through your own server if at all possible. If you have mail that you want handled directly on your server, either forward it from gmail to your home machine, or use a different domain ("address@homebox.example.com").

Sean

#irc.trollt0alk.com (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24142079)

need to 6oin the

Gmail Is Broken (1, Flamebait)

RAMMS+EIN (578166) | more than 6 years ago | (#24142085)

Gmail has been silently dropping emails for as long as I remember. It's broken, and that's yet another reason I don't use it.

Correct the Envelope Address (1)

rsd (194962) | more than 6 years ago | (#24142271)

I am not rereading the specification, so I might be wrong.

SPF probably checks the Envelope Address and not the From: address which are not the same.

The envelope address is the address that the SMTP client says to the server who is the sender,
the From: address is what is in the message header.

Simply altering the Envelope Address to a valid mail from your server and google won't complain anymore.
