
AOL Now Publishing SPF Records

CowboyNeal posted more than 10 years ago | from the slowly-gaining-ground dept.

Spam 340

SPF Fan writes "It looks like SPF is starting to catch on with the bigger ISPs. AOL is now publishing SPF records which you can verify with 'dig aol.com txt'. Will Hotmail and Yahoo be far behind? Who else is publishing SPF records for their domains? Slashdot has covered SPF in the past a couple times."

340 comments


boo (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7926232)

SPF isn't gonna achieve anything

Re:boo (1)

skaag (206358) | more than 10 years ago | (#7926251)

They said the same thing about SPEWS... but heck, it works ;-)

I'm working on another thing called DoNotPost.com, and that doesn't look like it has too good a chance, because while it mimics the Do Not Call registry, it doesn't have the same kind of enforcement (US Laws).

Skaag

Re:boo (5, Informative)

Anonymous Coward | more than 10 years ago | (#7926269)

In case any Windows user is interested, but can't use dig:

$ dig aol.com txt

; <<>> DiG 9.2.2 <<>> aol.com txt
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49576
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;aol.com. IN TXT

;; ANSWER SECTION:
aol.com. 300 IN TXT "v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/24 ip4:205.188.157.0/24 ip4:205.188.159.0/24 ip4:64.12.136.0/24 ip4:64.12.137.0/24 ip4:64.12.138.0/24 ptr:mx.aol.com -all"

;; AUTHORITY SECTION:
aol.com. 3071 IN NS dns-02.ns.aol.com.
aol.com. 3071 IN NS dns-06.ns.aol.com.
aol.com. 3071 IN NS dns-07.ns.aol.com.
aol.com. 3071 IN NS dns-01.ns.aol.com.

;; ADDITIONAL SECTION:
dns-02.ns.aol.com. 3273 IN A 205.188.157.232
dns-06.ns.aol.com. 1887 IN A 149.174.211.8
dns-07.ns.aol.com. 431 IN A 64.12.51.132
dns-01.ns.aol.com. 192 IN A 152.163.159.232

;; Query time: 110 msec
;; WHEN: Fri Jan 9 09:06:32 2004
;; MSG SIZE rcvd: 405
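As an added example (written for this page, not code from the poster or from AOL), here is a small Python evaluator for the record shown in that dig output: it parses the v=spf1 string and reports what a receiving MTA would conclude about a connecting IP. The ip4 and all mechanisms are evaluated offline; for ptr, the validated reverse-DNS names are passed in by the caller (an assumption made so the example needs no network), and the lookup-based mechanisms include/a/mx/exists are skipped rather than resolved.

```python
import ipaddress

# The aol.com TXT record exactly as it appears in the dig output on this page.
AOL_SPF = ("v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 "
           "ip4:205.188.156.0/24 ip4:205.188.157.0/24 ip4:205.188.159.0/24 "
           "ip4:64.12.136.0/24 ip4:64.12.137.0/24 ip4:64.12.138.0/24 "
           "ptr:mx.aol.com -all")

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt):
    """Split a v=spf1 string into (qualifier, mechanism, argument) tuples."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_host(client_ip, txt, ptr_names=()):
    """Return the SPF result for client_ip against the record txt.

    ptr_names is the (caller-supplied, constructed) list of reverse-DNS names
    for client_ip that have already been validated by a forward lookup; a real
    checker would resolve these itself. Mechanisms are evaluated left to right
    and the first match decides, as SPF specifies.
    """
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mech, arg in parse_spf(txt):
        if mech == "all":
            matched = True
        elif mech == "ip4" and ip.version == 4:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "ip6" and ip.version == 6:
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "ptr":
            # ptr matches when a validated name is the target or a subdomain of it
            matched = any(n == arg or n.endswith("." + arg) for n in ptr_names)
        else:
            # include/a/mx/exists need DNS queries; skipped in this offline example
            continue
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched (the record above never gets here: -all)


if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address, not an AOL relay.
    print(check_host("205.188.157.25", AOL_SPF))   # pass: inside 205.188.157.0/24
    print(check_host("192.0.2.10", AOL_SPF))       # fail: falls through to -all
```

The "fail" case is exactly the forged-sender situation the thread is about: a message claiming aol.com from a host outside those nine /24s hits -all, and the receiving MTA can reject it before the DATA phase.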

NewsFlash (1, Informative)

Anonymous Coward | more than 10 years ago | (#7926332)

We have dig for Windows too, no need for the holier-than-thou attitude.

Re:NewsFlash (0, Troll)

WhodoVoodoo (319477) | more than 10 years ago | (#7926464)

Please note how he said "In case any windows users are interested but can't use dig" instead of "For all you windows using LUSER$ who don't get to use the super-secret-ultra-high-tech dig! LO!!L!L!Lzzzz"

Sam Spade (1)

rfmobile (531603) | more than 10 years ago | (#7926379)

My personal favorite ...
Sam Spade [samspade.org]
-rick

re:boo (-1, Troll)

Linus Torvald (739359) | more than 10 years ago | (#7926280)

This is a great idea. I'm all in favor of it. I would update my company's DNS to this new standard immediately. But, I envision these issues, correct me if I'm wrong:

1) Increased network traffic at all points - where one mail server gets the email, and the network of the domain being sent from or forged. Imagine how this might increase AOL's or hotmail's network traffic, while they gain nothing from it. Every mail server in the world could be trying to contact their dns servers to check if they allow the mail. I hope you like lag if you use AOL.

2) Spammers tend to use made up domains anyways. This is bad with this method for several reasons. The first being that you will have delayed email receiving times because your mail server will be trying to contact dns servers that don't exist. The timeout would have to be short for this to work.... then on the other hand, if the timeout is too short, and a busy mail server can't respond in time, the email is rejected, which is just as bad as a real email getting flagged as spam, aka a false positive.

While I agree in practice with this technology, I'd like to see how people can solve these issues before I would use it at my company.

Re:boo (5, Interesting)

Saven Marek (739395) | more than 10 years ago | (#7926321)

> 2) Spammers tend to use made up domains anyways.

This is true, but combined with domain checking AND SPF I can see it being more powerful than both.

for ex.
spammer makes up umergeh.drewhs.com
email gets canned because the domain is fake. lose for spammers

spammer sends faked address from aol.com
SPF shows it's a fake sender (real IP doesn't match aol.com SPF list). lose for spammers

spammer at aol sends real spam from aol.com
AOL comes down and bites spammer's head off, spammer goes to jail. lose for spammers!

SPF is only one tool, and there are many; combine them together and you have strength.

mac desktops, dare to be nude [scrounger.ath.cx]

Re:boo (3, Informative)

krymsin01 (700838) | more than 10 years ago | (#7926382)

Nice trolling [slashdot.org]

Re:boo (1)

Killean (25381) | more than 10 years ago | (#7926430)

And maybe I'm missing something too...

So you can spoof domain names, you can spoof sender IPs. What's to stop someone from just looking up a valid SPF domain and IP and spoofing both at the same time?

Re:boo (3, Informative)

afidel (530433) | more than 10 years ago | (#7926459)

As to your first point DNS is great because lookups are generally fast and they are cached. I don't think even every host on the internet looking up the TXT records for aol.com every couple of hours at the most frequent is going to tax the kinds of bandwidth and DNS servers AOL employs. Besides the amount of email traffic that they will be able to dump before the session even begins will outweigh the DNS lookups probably a million to one in bandwidth.

As to the second point, that is already easily dealt with by most intelligent MTAs; heck, my ISP's email servers already flag any message which has a different sending IP and host identifier, and they have informed us that they plan to dump the connection on this condition "real soon now". SPF just makes this easier since it can be used to eliminate false positives from semi-clued admins.

Re:boo (2, Interesting)

chrisbolt (11273) | more than 10 years ago | (#7926498)

1) Increased network traffic at all points - where one mail server gets the email, and the network of the domain being sent from or forged. Imagine how this might increase AOL's or hotmail's network traffic, while they gain nothing from it.

They don't have to deal with the bounces caused by the forged spam. They don't have to deal with people emailing their abuse department thinking AOL is spamming them, when AOL isn't. And DNS servers cache the DNS entries, reducing the amount of bandwidth consumed.

2) Spammers tend to use made up domains anyways. This is bad with this method for several reasons. The first being that you will have delayed email receiving times because your mail server will be trying to contact dns servers that don't exist. The timeout would have to be short for this to work.... then on the other hand, if the timeout is too short, and a busy mail server can't respond in time, the email is rejected, which is just as bad as a real email getting flagged as spam, aka a false positive.

If the domain doesn't exist, the root servers will return nxdomain quickly. I don't even understand the rest of what you're saying. A mail server wouldn't respond to DNS requests, and if the DNS server "can't respond in time" it would be deferred, not bounced. And if the DNS server can't respond due to overloading, that domain probably has other issues that are more important (like the fact that it can't receive mail because no mail servers can look up its MX records).

Wear sunscreen! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7926233)

Good, now my skin won't burn as much!

My question is (2, Funny)

use_compress (627082) | more than 10 years ago | (#7926235)

How does AOL know my SPF [dermstore.com] and why do they want other people to have access to it? Are they that concerned at the prospect of me getting a sunburn?

test (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7926236)

test

Suggestion for submitter (4, Insightful)

ObviousGuy (578567) | more than 10 years ago | (#7926237)

Don't assume we all know what "SPF" is. Unless you mean "Sun Protection Factor", you are leaving the /. readers to wonder.

Please, if discussing a topic that is not widely known, put a short description or definition in the article writeup.

Thanks.

Don't be silly (5, Funny)

KalvinB (205500) | more than 10 years ago | (#7926270)

Nerds don't go out into the sun.

Ben

Re:Don't be silly (2, Funny)

CBravo (35450) | more than 10 years ago | (#7926452)

no, they go to Suns. Gives a Sun-burn a whole new meaning.

Re:Don't be silly (0, Redundant)

krymsin01 (700838) | more than 10 years ago | (#7926460)

The day star....... I've heard of that.

Re:Suggestion for submitter (4, Insightful)

use_compress (627082) | more than 10 years ago | (#7926271)

you are leaving the /. readers to wonder.

He did provide a highly visible link to the definition of SPF. That page gave a very good overview of the topic. Why cater to (define NOT_FLAMEBATE)lazy people who don't read the articles?

Re:Suggestion for submitter (0)

Anonymous Coward | more than 10 years ago | (#7926279)

The page doesn't explain SPF very well. Maybe it does if you already know what it is and how it works, but if you are new to it, it is very cryptic.

Re:Suggestion for submitter (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7926343)

Because people will not know wtf 'SPF' is. As a result they will not be interested, and will not read the article. If you explain 'SPF' in your post, they may be interested enough to read more.

You're a fucking moron(TM)

Re:Suggestion for submitter (0)

Anonymous Coward | more than 10 years ago | (#7926484)

It's on slashdot at four in the morning.
If the article read: "Things do stuff for some reason" people would read it.

But I guess it's more fun to pick and bitch (Like I'm doing!) than to click a link, read about it, or search google for it.

Dick.

Re:Suggestion for submitter (-1, Redundant)

skaag (206358) | more than 10 years ago | (#7926288)

You are trolling... haven't you noticed the acronym "SPF" is a link?!

Re:Suggestion for submitter (5, Funny)

Malc (1751) | more than 10 years ago | (#7926306)

You're new here, aren't you? You must have hijacked that 206K account.
/. lesson #1: don't read the story
/. lesson #2: be paranoid about links... they might go to goatse.cx. It doesn't happen very often anymore, but be paranoid anyway
/. lesson #3: post comments that make it blatant you didn't read the story

Thank you.

Re:Suggestion for submitter (0)

Anonymous Coward | more than 10 years ago | (#7926431)

He inherited the account from the previous intern who went on to paid employment.

Re:Suggestion for submitter (0)

Anonymous Coward | more than 10 years ago | (#7926328)

No kidding. I'm in the technical field and have been for more than two decades. Wtf is "SPF"?

Sender Permitted From. (0)

Anonymous Coward | more than 10 years ago | (#7926423)

Microsoft Originating Grammar
Pollocks Screwing Lightbulbs Discovered

Re:Suggestion for submitter (0)

Anonymous Coward | more than 10 years ago | (#7926449)

No kidding. I'm in the technical field and have been for more than two decades. Wtf is "SPF"?

You've been in the technical field for 20 years and you haven't figured out how to click on a hyperlink? What technical field are you in exactly? Are you a "telephone cleaning engineer" by any chance?

Re:Suggestion for submitter (0)

Anonymous Coward | more than 10 years ago | (#7926438)

Don't assume we all know what "SPF" is

In the article, SPF [pobox.com] was a hyperlink. That means you could click on it and see an explanation. Are you too stupid to do that?

And your braindead post got modded up. Jesus Christ.

Re:Suggestion for submitter (2, Informative)

adrianbaugh (696007) | more than 10 years ago | (#7926463)

I think that's why "SPF" was a link to a site explaining all about it; you could try CTFL. Of course, nobody here ever reads the stories before posting much less clicks the links.

Tag it (4, Insightful)

Epeeist (2682) | more than 10 years ago | (#7926497)

How about using the proper tag,

<acronym title="Sender Permitted From">SPF</acronym>

Or if you want to include it in a link

<a title="Sender Permitted From" href="link">SPF</a>

How does this reduce spam in any shape or form? (-1, Troll)

Linus Torvald (739359) | more than 10 years ago | (#7926240)

Okay, I am not trolling here, I'm serious. This plan will be moderately successful at preventing joe-jobs [catb.org] on unwitting victims. If you control the DNS for a domain, you can say who is allowed to send mail for that domain. Therefore, if a spammer attempts to use your domain in the "From:" header then it will only be delivered to those hosts that are NOT checking the SPF records. That's an important distinction, because getting everybody on the planet to do something is very hard, so this will never completely wipe out the possibility of joe-jobs. And there are the possible negative effects here, for example employees not being able to send company email while on the road without hassle.

But that aside, how does it reduce spam? The spammers will always be able to find a domain to stick in the "From:" header. They can choose to use a domain that they do not control that has not yet added SPF to their DNS or they can choose to use a domain that they control. In either case it's trivial for them to get their mail from their system to yours, and that's all that they really care about anyway -- the "From:" header has always been meaningless to spammers anyway, it's not like they would be forfeiting the ability to receive replies or something.

Note that in the case of using a domain that they don't control, we're back to the issue of "until everyone on the planet does this, there will always be some domain somewhere that can be forged." And even should those run out, spammers can just register anything for $7 a year, or less for bulk registrations. (They already do this when they're playing hosting tricks, to bounce you around from one host to another.)

Now, you might say that at least with this implemented you could discover what those domains are that the spammer is registering for use with his spamming. That is true. But, we've had the concept of a blocklist for ages, that's nothing new. Everyone has ranges of IP addresses that they won't accept mail from, and some very kind organizations have even maintained lists of "bad IP addresses", so you might expect a similar thing to happen with domain names. But all you have to do is look at the current state of blocklists and you'll know this doesn't buy you much. We already have blocklists, and they're riddled with problems. You're back to playing whack-a-mole with the spammers. They make a spam run with example.com, you block example.com; they make another run with example.org, you block example.org. You're always one step behind, while the spam piles up in your inbox. You might make the point that this inconveniences them, but you have to realize how many domains there are out there that are available for forging. The SPF-protected domains will be the vast minority of all domains for the foreseeable future.

So, in summary: This might be moderately effective at preventing joe-jobs. It will not make a significant change, however, until everyone on the face of the earth that's not a spammer both updates their DNS and updates their MTA software to check these records. The likelihood of this happening any time soon is quite small. And even if this were to happen, the spammers would still be able to deliver piles and piles of garbage to your inbox through domains that they control. You're back to blocklisting, which we've had for quite some time now.

So, I ask seriously, what does this do to combat spam that is really all that significant? I applaud any developments on the antispam frontier, but let's not get too carried away with visions of this somehow "plugging the insecure SMTP hole", or anything remotely resembling it.
But Aquaman, you cannot marry a woman without gills, you're from two different worlds...

Re:How does this reduce spam in any shape or form? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7926289)

Karma whoring, beware. Look at the info: 4 posts, all very long, falsely documented, polished points of view, well presented = Mods trap. This guy used to have such a good sig; he erased it, but for the doubtful of you, I still have a screenshot :_) Death to the karma whores.

Re:How does this reduce spam in any shape or form? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7926293)

I'm doubtful. Let's see this "screenshot", troll.

Re:How does this reduce spam in any shape or form? (0)

Anonymous Coward | more than 10 years ago | (#7926368)

Working right now, you will have your proof later.
For now on, I will ask you to read a bit.
Enjoy the follow-ups. [slashdot.org]
And please stop confusing real users and fucking lamers that take the name of people they will at last try to put Yoda Grease doll in.

Observe the missing link (1)

ingenuus (628810) | more than 10 years ago | (#7926429)

This plan will be moderately successful at preventing joe-jobs [catb.org] on unwitting victims.
See the site name "[catb.org]"? This looks awfully similar to the text added by slashdot when hypertext links are used... not to mention the fake sig at the bottom. So, at first glance, it appears that the poster simply copied another post, though I haven't bothered to do a search.

Though, honestly, I don't really care if "Linus Torvald (739359)" is karma whoring: If the post is pertinent and people have not seen it before and they honestly find it interesting enough to mod-up, whatever. If he's merely a troll, then hopefully people will learn from this experience.

Re:Observe the missing link (2, Insightful)

jdifool (678774) | more than 10 years ago | (#7926462)

Hi,

of course you are right, but mods must understand too that a post must not be modded up because it seems clever, or because it repeats something clever someone already said before.

I can cite my O'Reilly books all day if I want to. Beyond the awkward morality of such guys (you can criticize /., but the best thing is to do it correctly), this brings nothing.

Repeating what you can learn by making your head work for 10 secs, it's ok. I'm not here for that.

Regards,
jdif

Re:Observe the missing link (0)

Anonymous Coward | more than 10 years ago | (#7926517)

Quit your kvetching. This guy has at least posted something interesting that has inspired some debate. The real question is, what do *you* bring to the table?

Re:How does this reduce spam in any shape or form? (2, Informative)

Anonymous Coward | more than 10 years ago | (#7926292)

It will reduce spam because of two reasons.

1) since it effectively kills sender forgeries, it's a LOT easier to maintain white/blacklists
2) a domain needs to be purchased, and the registration takes time; this increases the cost of spam and hopefully might also make spammers more traceable (credit card transactions for registration)

I am totally convinced this will make the spam problem manageable. I'll probably add my own SPF this weekend.

Re:How does this reduce spam in any shape or form? (4, Interesting)

JanneM (7445) | more than 10 years ago | (#7926311)

Spammers can just use their own domain

Yes, they can. And all I need to do is to let the domain be one feature to do adaptive filtering on. Two mails on penile enlargement, and no non-spam email from one domain, and that domain will be a pretty clear signal to throw stuff away. Time for the spammer to get a new domain.

Many will not implement this!

Well, whether everybody implements it or not, it does give me another factor to filter on. If the mail comes from a domain that does not implement it, that's grounds enough for a big, fat -5 spamassassin rule right there.

Oh, and as more and more people implement this, those who do not can be more and more severely punished by spam filters (as the exceptions for any one person becomes few enough to whitelist and so on).

But if you blacklist any domain without it, some people won't be able to send stuff to you anymore!

Cry me a river.

Re:How does this reduce spam in any shape or form? (1, Interesting)

krymsin01 (700838) | more than 10 years ago | (#7926372)

The spam is still coming down your pipeline, wasting your bandwidth. If you are checking these lists, you waste more bandwidth (not a lot, if you cache the SPF records). You will waste more cycles trying to kill the incoming spam. If your servers are prone to dying when faced with a lot of spam, this won't solve anything as far as I can tell.

Re:How does this reduce spam in any shape or form? (1)

JanneM (7445) | more than 10 years ago | (#7926416)

Bandwidth is not my problem. Not choking inboxes and mail clients with unwanted "herbal viagra" come-ons is. This will help solve that.

And, as others already mentioned, there will be a pretty powerful disincentive to try to send any spam through enabled servers. If I at some point simply do not allow connections from unenabled servers (and yes, caching this info is not a bad idea; adding an IP filter rule upon a hit from a non-enabled SMTP server is even better), then bandwidth will be saved as well.

Re:How does this reduce spam in any shape or form? (1)

Admiral Lazzurs (96382) | more than 10 years ago | (#7926420)

If your mail servers are going down because of the amount of mail you receive, spam or otherwise, then you need to upgrade your mail servers, simple as that.

Take care - RL

Re:How does this reduce spam in any shape or form? (1, Informative)

Anonymous Coward | more than 10 years ago | (#7926516)

Nonsense, the message body doesn't come down the pipe as the checking would be done before the data part ever starts.

Re:How does this reduce spam in any shape or form? (0)

Anonymous Coward | more than 10 years ago | (#7926427)

An email with -5 in spamassassin will likely never be tagged as spam or discarded.

Re:How does this reduce spam in any shape or form? (5, Interesting)

skaag (206358) | more than 10 years ago | (#7926314)

My own experience:

I happen to be hosting a few domain names that attract a lot of joe jobs, if this method helps me reduce the amount of joe jobs by 5%, it was worth it. The amount is simply HUGE.

The Deterring factor:

If the Spammers are smart enough to check my domain for SPF records before doing a joe job on it, they might not select it for their joe job, simply because they will know their campaign might not be as effective as it would be if they used another domain that does not publish SPF records. So the deterring factor is important here!

Conclusion:

Every effort counts. And let's not forget that sometimes, all it takes for an idea to catch on is some large corporation using the technology or technique, and it will catch like wildfire. I'm also publishing SPF records for my own domains, and checking for them as well (with the help of qpsmtpd [nsa.co.il] which has a nice SPF plugin).

Re:How does this reduce spam in any shape or form? (0, Troll)

usama88 (739069) | more than 10 years ago | (#7926330)

You seem to be complaining that this might not work because everyone on the planet would need to use it and even then spammers could use their own domains.

Certainly it's true that nearly everyone will need to get on board for this to work. Fortunately, it should be an easy update on both the MTA and DNS ends.

The real advantage here, I think, is that it will make filtering and blacklisting much easier. Instead of trying to filter on 18 zillion weird rules and scads of IP addresses, some of which may have some valid users, you just need to filter on domain names.

For this to work, we will need one or more trustworthy registries of bad domain names. And it should probably be distributed, with a way to continually update it by automatically propagating the list of bad domains to all clients. There should be a way to get a domain into the blacklist very quickly if anyone receives spam from that domain.

Alternatively, a system could be in place to treat all new domains as bad by default. That has obvious problems though -- how would you get your domain trusted? Would it require a VeriSign like identification process? I would oppose that -- I think people should be able to buy domains and freely run email servers on them without paying some central "authority."

My biggest concern with this idea is that I run a domain where I give out POP email addresses to people. I'm still trying to figure out how that will affect me.

Re:How does this reduce spam in any shape or form? (1)

Saven Marek (739395) | more than 10 years ago | (#7926349)

It may not reduce spam, but it may very well reduce the possibility or severity of joe-jobbing for my own domain. That's enough reason for owners of domains to put an SPF line in.

It may not be very long until so many domains have it that it is useful for MTA applications to take notice of them so there's incentive to do it I think

mac desktops, dare to be nude [scrounger.ath.cx]

Identity theft? (1)

Malcolm Chan (15673) | more than 10 years ago | (#7926387)

But does this perhaps also help prevent identity theft? For instance, if your ISP does not publish SPF records, spammers may use/happen to generate your email address, causing the world to think that you're sending out millions of spam emails.

Of course, this relies on the recipients' ISPs checking SPF records too, but assuming this becomes more common (though by no means everywhere), this would already reduce the severity of the problem.

Re:How does this reduce spam in any shape or form? (2, Interesting)

Alioth (221270) | more than 10 years ago | (#7926391)

AOL (and Hotmail, and other large ISPs) are frequently joe-jobbed - it's therefore worth it for them. If I can tell SpamAssassin to score anything above the threshold that purports to come from AOL, but not from their SPF IP allocation, it helps. Better still, now I can tell for certain that @aol.com mail really DID come from AOL, I can assign a negative score to AOL addresses since I know it's likely to be ham.

Re:How does this reduce spam in any shape or form? (5, Informative)

krymsin01 (700838) | more than 10 years ago | (#7926398)

You are doing a really good job at copying and pasting past comments [slashdot.org] for karma whoring.

I bet your parents are proud!

Re:How does this reduce spam in any shape or form? (1)

jdifool (678774) | more than 10 years ago | (#7926475)

What a shame ; he even gets a better score, and thus a better visibility, than the original poster.

Ticking the 'do not want to moderate box' right now. It's of no use with so many ignorant people.

Thanks for your vigilance.

jdif

Re:How does this reduce spam in any shape or form? (0)

Anonymous Coward | more than 10 years ago | (#7926509)

what is really sad is that he'd still be getting mod points probably if they didn't cap at 5. and the fact that if you check the guy's posting history you'll see that this is all he does, and racking up karma.

Re:How does this reduce spam in any shape or form? (0)

Anonymous Coward | more than 10 years ago | (#7926400)

I call cut-and-paste karma whore. The "preventing joe-jobs [catb.org]" is a giveaway - there's no link.

Re:How does this reduce spam in any shape or form? (0)

Anonymous Coward | more than 10 years ago | (#7926406)

Heh, three people saying it's a cut and paste at exactly the same time...

Re:How does this reduce spam in any shape or form? (1)

Dave2 Wickham (600202) | more than 10 years ago | (#7926401)

This appears to be a straight copy/paste from this comment [slashdot.org] in one of the linked articles...

Re:How does this reduce spam in any shape or form? (1)

afidel (530433) | more than 10 years ago | (#7926402)

for example employees not being able to send company email while on the road without hassle

Boo hoo, a mail admin will have to take the hour or two it takes to properly implement SASL and you will have to roll out a change to the corporate email client that defaults it to talking SASL. Besides, most remote users use VPN these days anyways. Also, if all the big guys implement it and implement serious negative scoring for those not using it, then it will quickly be adopted by those with a clue; those without a clue I do not care to receive email from =)

Re:How does this reduce spam in any shape or form? (2, Insightful)

Ubi_NL (313657) | more than 10 years ago | (#7926512)

1) Email worms
2) Zombie virus-infected mail relay clients
etc

AOL (4, Funny)

joostje (126457) | more than 10 years ago | (#7926241)

Who else is publishing SPF records for their domains?

[AOL]
Me Too!
[/AOL]

Please (-1)

Anonymous Coward | more than 10 years ago | (#7926446)

Add me to your DNS!!

I publish SPF records (3, Informative)

karl.auerbach (157250) | more than 10 years ago | (#7926242)

I've been publishing SPF records for the cavebear.com domain for about two months now.

I've only done the publishing side, I have not yet enabled my mail servers to use them.

Even though SPF may not be a complete or perfect solution, I see no harm in announcing to the world that if it purports to come from my domain then it also comes from my designated mail servers.

Re:I publish SPF records (1)

pipingguy (566974) | more than 10 years ago | (#7926473)

Even though SPF may not be a complete or perfect solution, I see no harm in announcing to the world that if it purports to come from my domain then it also comes from my designated mail servers.

I think most average users don't really care how it is done, it has become a "just do it" issue.

For websites that need to be able to accept mail from previously unknown senders, a challenge/response shouldn't be a big impediment to the senders as long as they know why it is being done.

Maybe I'm way out in left field here, but *something* has to be done before email becomes totally useless.

omg... (2, Informative)

neodymium (411811) | more than 10 years ago | (#7926250)

...that's 9 class C networks only for sending spa^H^H^Hmail

Now that I know what SPF Is (0)

use_compress (627082) | more than 10 years ago | (#7926253)

I think it's fantastic that major ISPs are taking proactive steps to curb junk email from their users. SPF seems like a great system because it introduces accountability through simple server software, not some crazy, e-commerce based postage-stamp solution.

interesting blog. djbdns? (1, Redundant)

illumen (718958) | more than 10 years ago | (#7926255)

Some interesting info in their blog [pobox.com]
I wonder if djbdns can use SPF records.

Have fun!
holepit [holepit.com]

Re:interesting blog. djbdns? (1)

Dionysus (12737) | more than 10 years ago | (#7926357)

I wonder if djbdns can use SPF records.

From what I can see of SPF, it's just a matter of setting up the TXT record in DNS.
rbldns [cr.yp.to] does it in djbdns.

Re:interesting blog. djbdns? (3, Informative)

chrisbolt (11273) | more than 10 years ago | (#7926428)

djbdns doesn't 'use' SPF records, but tinydns (part of djbdns) can serve them, just as any other DNS server can serve TXT records. Read this [cr.yp.to] for info on how to add TXT records with tinydns.

Now, whether or not qmail can use SPF records, that's another question entirely.

Re:interesting blog. djbdns? (1)

lptp (455011) | more than 10 years ago | (#7926502)

In fact, as far as I can tell, you can add any record type to djbdns, since it allows entering a binary "type" in its data.
Therefore, even though a type is not "known" to djbdns, you can still publish / use it.

Catching on (2, Interesting)

Tom (822) | more than 10 years ago | (#7926258)

I only learned about SPF recently, but ever since I've been publishing SPF records for my domain.

It appears to be one of these "why didn't I think of that?" solutions that go and take care of a problem without ripping out everything around it.

This is a good idea (-1, Troll)

usama88 (739069) | more than 10 years ago | (#7926259)

I've always thought that ISPs should add a default "smtp" zone for their customers that resolves to their mail server. That way, you can set your program up to use "smtp" and no matter where you are, it will resolve properly.

Now, as far as blocking port 25, I've always thought that was a great idea as well, until last week. Our office has used BellZinc's DSL for connectivity. A few months ago, our smtp suddenly stopped working, and after calling tech support, they told me they had accidentally left port 25 on one of their racks unblocked (and I happened to be on that rack) so they had fixed the situation. (Actually, I had to call twice to find that out, the first guy had no clue whatsoever).

So I switched the smtp server in the office to resolve to Bell's, and all was good. But we've had a few interruptions, especially over the last couple weeks, where we couldn't send mail at all. After talking to tech, it turns out their mail server is being hammered by whatever virus-of-the-week was hitting windows, and was unusable. I was blown away by their lack of willingness to help me: they wouldn't unblock port 25 for me (even to one specific IP), and they had no answers to "Well, what am I supposed to tell everyone in the office? No email for ... an unknown amount of time?"

Of course, I could have just set up my server to accept mail on another port, but that would have been a pain for me - local change on every client, instead of one SMTP fix. Anyways, as of Monday, we have a new ISP. (I won't get into how Bell tried to tell us we had a 1-year contract and wanted to charge us 4 extra months for breaking. They couldn't send us any proof, but apparently it was a "verbal" contract. Wow.)

Anyways, I'm a little mixed on blocking port 25. I don't know what a better solution would be. Perhaps not allowing a computer running Windows to directly connect to the internet. Or maybe monitoring the email sent, and setting either a limit on the number per day, or just watching for patterns of mass mailings.

Re:This is a good idea (1)

pe1chl (90186) | more than 10 years ago | (#7926300)

I've always thought that ISPs should add a default "smtp" zone for their customers that resolves to their mail server. That way, you can set your program up to use "smtp" and no matter where you are, it will resolve properly.

Actually, when you set the default search domain to the ISP you are dialling in to and fix the SMTP server to "smtp", this usually works.
Setting the search domain is easy when you get your address using DHCP, and could be done in an ip-up script in other situations.

Get a business line (1)

KalvinB (205500) | more than 10 years ago | (#7926399)

If you pay for a business line, ports don't get blocked. I have my server colocated at one ISP which means no port blocking and a home connection that blocks outgoing port 25. So, I have RinetD running on my coloed server that redirects an alternate port to port 25 so that I can send e-mails from home without going through my home ISP.

Blocking port 25 on dynamic IPs is perfectly reasonable. If you're running a legitimate mail server you can easily get to it without making your ISP that blocks port 25 liable for spam should you be so inclined to send it.

However, if you're paying for a static IP then it's no longer reasonable to block ports.

This SPF solution sounds reasonable. Although it's going to create a market for "rogue" servers that value privacy and allow their domain to be forged.

I think it's more for ISPs than casual mail server runners. It's been years since anyone took the sending domain seriously. For domains that choose not to threaten the ability to be anonymous on e-mail it should be part of the RFC that if a domain elects not to use SPF, a simple footer is added, by the client that cares about SPF, to e-mails sent with the domain as the sender that the e-mail may or may not really be from that server.

I'll add SPF if I can set certain IPs to "definitely validated by the server" and all others to "could have been validated by the server." The definites must then go through while the client can choose to let "maybe's" slide.

I don't like the idea of traceable e-mail. The big idea of the internet is that you can say what you want anonymously if you so choose. Killing privacy in the name of blocking ads is pretty silly.

Ben

Re:Get a business line (1)

Malc (1751) | more than 10 years ago | (#7926499)

Bellzinc [bellzinc.ca] is business line and service you twit.

PORST FIST! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7926261)

doctor! this is worker speaking!

[no shoes doctor]

Make/break it (1, Informative)

fearlezz (594718) | more than 10 years ago | (#7926267)

That's good news!

Anyone can develop standards, but still it's the ISPs that can make it or break it. Big ISPs can push some standard, and force the whole internet to use SPF or be cut off.

Some of us have reasons for spoofing our address (-1, Troll)

usama88 (739069) | more than 10 years ago | (#7926272)

For instance, the box on which I get all my mail, to which all my mailing list subscriptions go, and which is associated with my online identity everywhere I have one...is located halfway across the continent from me. It's neither my home Linux box, nor my local ISP. I keep it that way because I never know if I might need to change ISPs for some reasons, and that box is always up and always there. I use fetchmail to pull down my email.

But as a matter of course, I have mutt configured on my desktop box to send in the name of my halfway-across-the-country account, even though it sends through my ISP's SMTP server. (It used to send through my home Linux box's own SMTP server, but then a lot of addresses started bouncing it because it was on a list of cablemodem IPs.) How would I be able to continue doing this under such a system?

Re:Some of us have reasons for spoofing our addres (4, Informative)

pe1chl (90186) | more than 10 years ago | (#7926283)

I would advise you to read before you write.
SPF was invented especially to cater for your situation. The quick way out would have been to use MX records as the only validation, but this was not done.

Re:Some of us have reasons for spoofing our addres (1, Informative)

MosesJones (55544) | more than 10 years ago | (#7926304)
You wouldn't. But that is part of the problem as legitimate uses can't be differentiated from SPAM when taking this approach.

It's one of those great "lose liberty in the name of enforcement" style things.

Or of course you could just set up SMTP on that remote server of yours.

Not true (1)

mattbee (17533) | more than 10 years ago | (#7926411)

He could publish his local ISP's mail server's IP address in his domain's SPF record. This is not a problem at all.

Re:Some of us have reasons for spoofing our addres (1)

vidarh (309115) | more than 10 years ago | (#7926373)

So you add the IP or IP range of your home Linux box to the SPF record for the domain you use for the colocated box you have. Problem solved.

Re:Some of us have reasons for spoofing our addres (2, Insightful)

chrisbolt (11273) | more than 10 years ago | (#7926442)

What you should be doing is sending mail through the halfway-across-the-country smtp server, using SMTP AUTH.

aut0tr0ll is teh sp0kE!? (-1)

CHECKTHEGOATS (735227) | more than 10 years ago | (#7926281)

Hello master.

sid=92139
formkey=Q80laL8Oei

This is a joint venture that will be mutually advantageous to both parties involved.

Now that's 1% supporting it (1)

Saven Marek (739395) | more than 10 years ago | (#7926295)

How many more ISPs/mailservers will set this up? Only once it gets to a large level will it be useful, and even then what of when complete domains are forged?

OK I'm instantly cynical with any new technology. I can see SPF working well once it's widespread, but it's not a cure-all, just one step in the right direction.

Now to get all the mailers that accept mail to listen to what an SPF has to say.

Are there any reasons a mail application would purposely NOT want to read an SPF, that could undermine the process?

mac desktops, dare to be nude [scrounger.ath.cx]

Helps ISP brand not SPAMs. (1)

openmtl (586918) | more than 10 years ago | (#7926337)

This is to help stop crafted return addresses and as the site says - stops brand dilution - if you are an ISP.

Now I wonder if my ISP will now remove the SMTP port 25 block on my ADSL line so that my dynDNS can work without having to use the DynDNS port redirection ?

How about dynamic IPs? (4, Insightful)

ivern76 (665227) | more than 10 years ago | (#7926345)

This just screws the people on dynamic IPs even more than we were before. I guess I'll have to keep paying a monthly fee just so I can have a smarthost to tunnel my mail through, since even more mail servers are going to think I'm a spammer now.

Re:How about dynamic IPs? (2, Informative)

mattbee (17533) | more than 10 years ago | (#7926418)

If you're on a dynamic IP you'll find a lot of your email gets bounced by Yahoo/AOL (at least) already for being on a dial-up blacklist. You simply can't send mail reliably from a dynamic IP these days, but I won't miss the spam.

In the UK we have plenty of choice for broadband ISPs who offer fixed IPs at no extra cost (which is why I'm moving away from BT Openworld who charge an extra 10 a month for the privilege)

Re:How about dynamic IPs? (1)

adrianbaugh (696007) | more than 10 years ago | (#7926485)

Care to clarify which broadband ISPs do this?

Why this is a big deal (5, Informative)

mattbee (17533) | more than 10 years ago | (#7926370)

It means that any system administrator can configure their mail transfer agent to bin any spam pretending to come from aol.com with a 100% success rate. And this goes for anyone else publishing an SPF record for your domain.

SPF [pobox.com] is a proposed standard for a domain owner to tell mailers where mail From: that domain may originate. The domain owner publishes a DNS TXT record for their domain with (at the simplest) list of IP addresses. Participating mail transfer agents can then look this record up and make a policy decision on whether the mail is likely to be legitimate. The presence of an SPF record on a domain at present means that while you still can't be sure when you're handling spam, you can be sure when you have a piece of non-spam because the SPF record tells you so.

SPF is not a wholly original idea (e.g. up "designated mailer protocol"), and certainly not the simplest implementation but the important factor is that its proponent, Meng Wong, is an excellent lobbyer and spokesperson, as well as someone who has the nous to put forward a useful protocol (he founded pobox.com). It's currently at the point where lots of implementations are being written, with the canonical version being Meng's Perl modules. Currently I'm helping to finish the C implementation which will shortly be integrated into qmail [cr.yp.to] and exim [exim.org].

The tipping point (I hope) will be when a domain not publishing an SPF record or publishing a globally permissive one will be considered "obviously" untrustworthy. Combining SPF authorisation with a more traditional "From: domain blacklist" will give spammers a very very hard time indeed forging mail. But AOL publishing a record (we hope) shows the way the wind is blowing: the rest of the world does seem to have to change their mail server configuration to keep mail flowing to AOL.

So go on, it's dead easy, publish a record for your domain now. Tell people where your mail comes from. Look, there's even a wizard to help you [pobox.com].
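A minimal version of the check the post describes (look up the domain's record, walk its terms, reach a policy result), written here as an added example; it is not code from the comment author or from any of the SPF implementations mentioned. The record, the example.org domain and the stand-in resolver are constructed from documentation address space; only ip4/ip6/a/mx/all terms are evaluated, and anything else stops the walk rather than guessing.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt):
    """Split a TXT record into (qualifier, mechanism, argument) terms,
    or return None when it lacks the 'v=spf1' version tag."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    terms = []
    for term in parts[1:]:
        qual = "+"                       # unqualified terms mean 'pass'
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        # 'mech:arg' for mechanisms, 'name=value' for modifiers
        sep = ":" if ":" in term or "=" not in term else "="
        mech, _, arg = term.partition(sep)
        terms.append((qual, mech.lower(), arg))
    return terms


def check_host(sender_ip, domain, txt, lookup):
    """Evaluate sender_ip against txt: pass/fail/softfail/neutral/none/
    permerror, or 'unsupported' when a term this subset cannot evaluate
    (ptr, include, exists, redirect) is reached before a decision.
    lookup(mech, name) supplies the addresses 'a' and 'mx' resolve to."""
    terms = parse_spf(txt)
    if terms is None:
        return "none"                    # no SPF record: no decision
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, arg in terms:
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ptr", "include", "exists", "redirect"):
            return "unsupported"         # stop rather than guess
        if mech in ("ip4", "ip6"):
            nets = [arg]
        elif mech in ("a", "mx"):
            nets = lookup(mech, arg or domain)
        else:
            continue                     # unknown modifiers are ignored
        for n in nets:
            try:
                net = ipaddress.ip_network(n, strict=False)
            except ValueError:
                return "permerror"       # malformed address in record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
    return "neutral"                     # no 'all' term: default result


# Constructed record and stand-in DNS answers (RFC 5737 space, not real).
EXAMPLE_RECORD = "v=spf1 ip4:192.0.2.0/24 mx -all"
FAKE_DNS = {("mx", "example.org"): ["198.51.100.25"]}

def example_results():
    look = lambda mech, name: FAKE_DNS.get((mech, name), [])
    return {ip: check_host(ip, "example.org", EXAMPLE_RECORD, look)
            for ip in ("192.0.2.77", "198.51.100.25", "203.0.113.10")}
```

An MTA or filter would use the result as the post suggests: a "pass" is the certain non-forgery, a "fail" against a `-all` record is the one case that can be rejected outright, and anything else is merely a score input.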

anti-spoofing (4, Interesting)

colinleroy (592025) | more than 10 years ago | (#7926380)

As I don't think this will stop spam (at least not before massive adoption, as others said), I think it can protect us from having a spammer using our email address as From:.
I publish SPF records for my small domain now, and next time some dumb ISP complains getting spam "from me", I'll be able to tell them to go and check my SPF records, and to match these with "my" spam's headers.

Of course, this is for my little domain with few users, all well-educated enough to use authenticated SMTPS to my server.

Would someone explain this to a simpleton? (1)

SharpFang (651121) | more than 10 years ago | (#7926383)

I read the page but it's too early in the morning for me. Would someone please explain the idea behind SPF _understandably_?

Some of the benefits. (4, Interesting)

mcroot (634911) | more than 10 years ago | (#7926389)

Some people seem to be missing the point of spf. SPF is a mechanism that allows people to publish their own records to defend themselves against joe-jobbing. Anyone who has been joe-jobbed will be all over something like this. The fact that publishing these records benefits you directly, will help something like this spread in a timely manner.

It's also beneficial in the regard that when rolled out to where it becomes standard, mail will be far more accountable, and as spammers start joe-jobbing those people who have not yet published these records, it will only help motivate those hold-outs to get on the bandwagon and defend themselves.

This does reduce spam (5, Informative)

dybdahl (80720) | more than 10 years ago | (#7926393)

It reduces spam because spamfilters like spamassassin etc. can add extra points to those e-mails that did not verify against SPF records.

If Red Hat adds SPF verification to their default spamassassin configuration files, a lot of companies will start to add SPF records to their DNS.

If I send an e-mail to a RoadRunner mailbox, it is rejected. Why? Because my mailserver is a Linux box on my ADSL internet connection, and RoadRunner blocks all e-mails from residential IP ranges. With SPF, such filtering can be made much more careful, making it possible for me to send e-mails to RoadRunner customers again.

There's plenty of existing (0, Interesting)

3lb4rt0 (736495) | more than 10 years ago | (#7926407)

anti-spam measures available it's just that they're not used as support is not usually included/enabled in SMTP servers.

Including anti-spam features (not just anti-relaying) within the smtp server seems more appropriate rather than tacking records into dns entries.

DNS seems imho to be being overloaded with various add-ons atm. If we're not careful DNS will become the new bottleneck on the internet.

Spamassassin will support it in 2.70 (3, Informative)

KjetilK (186133) | more than 10 years ago | (#7926432)

Hm, I must have been living under a rock, because it is the first time I hear about it. However, it sounds like a good idea, I have to contact my upstream ISP to have them add a record for me.

Anyway, it seems SpamAssassin will be adding support for SPF in 2.70, at least according to bug 2143 [spamassassin.org]. That's cool!

SPF is a really bad idea (2, Interesting)

^BR (37824) | more than 10 years ago | (#7926436)

Are you used to sending personal email (one that has another domain than your employer's in the From: address) from work using your company SMTP server as a relay? You know, the only one you have access to with many reasonable security policies...

Can't do that anymore, your message will be flagged as spam by the recipient server if he checks for SPF records.

Have AOL warned its customers of this little side effect of it implementing SPF?

Plus SPF technically-wise sucks: it should have been a new record type; using TXT records is an ugly kludge...

Re:SPF is a really bad idea (3, Insightful)

colinleroy (592025) | more than 10 years ago | (#7926487)

SPF implementation guidelines specify that admins specifying their SPF records should also enable SMTPS authentication. With this you'll be able to send your personal mail from everywhere using your domain's SMTP server.
See step 2 on the "How do I implement SPF" [pobox.com] page.

AOL Goes Retro (1)

Umgawa71 (739459) | more than 10 years ago | (#7926472)

America Online's apparently carving themselves a real niche in the music business, going to records as a means of publishing, rather than MP3, WMA, et cetera. I wonder if they're going to be putting some of the records out on the white vinyl, because it's totally collectible.

I, for one, can't wait to buy an LP-ROM for my computer so I can listen to them.

Dynamic IP addresses (2, Informative)

njdj (458173) | more than 10 years ago | (#7926476)

This is not going to work for domains that have dynamic IP addresses. Yet another reason we need to migrate to IPv6 and eliminate the need for dynamic IP addresses.

Bad for mail redirection (0)

Anonymous Coward | more than 10 years ago | (#7926489)

This will hurt people who use mail redirection services like Bigfoot.

I have switched providers but kept the same email address in the From: field.

On the other foot, direct spam and bounces from spammers that use my address for their From: could make my Bigfoot address unusable soon.