Educause Security Discussion mailing list archives
Re: SPF
From: Dave Koontz <dkoontz () MBC EDU>
Date: Tue, 8 Mar 2005 19:04:14 -0500
Hi Theresa.

We've been running SPF for about 6-8 months now, and did this in conjunction with blocking outbound SMTP from on campus. As someone else noted, this is not a remedy for SPAM, rather for foiling spoofing / phishing types of emails.

We are seeing more and more organizations beginning to publish their own SPF records, and it won't be until the majority of major organizations do that it will be really successful. Thankfully, most of the larger ISPs and many large companies have now implemented it in either testing (soft fail) or full mode. I am particularly thankful Hotmail has done so due to all the junk we saw.

A couple things to be aware of:

1) Don't REWARD a good SPF Score in Spam Assassin or other Spam filtering software. Many Spammers have published their SPF records just to get by poorly configured filters. Score a good SPF record the same as a non-existent one for now.

2) Start off running in SOFT FAIL MODE (~all rather than -all) until you have everything worked out.

3) Don't allow your entire IP Range as "allowed" senders, only your MX records and known "special" services IPs. You don't want to legitimize a virus infected PC. Perhaps use this as a mechanism to implement SMTP AUTH and block port 25 except to your mail server. Use the SPF Wizard at http://spf.pobox.com/wizard.html

4) Monitor your domain's incoming mail that fails your own internal domain's SPF check. You will likely find faculty posting email from their ISP as coming from their .EDU account. This is a great opportunity to move them over to SMTP AUTH and explain why they might be classified as SPAM by not only your domain, but many others.

5) If you allow your users to FORWARD email, this will break for any receiving server that runs SPF unless your mail server has the ability to rewrite the message headers. You will need to replace the FROM with the User () YourDomain edu and the TO with the ForwardedAddress () ForwardedDomain com addresses.

6) WEB FORMS! Not everyone is up to speed on this yet. You will likely get many messages trapped from Web Based services that send email FROM one of your users. These include the NY Times "Send to a friend" type articles, eCards, eBay Auction messages, Yahoo Groups, and even some eLearning Testing Engines like those from Thompson (could be very bad for Faculty). You may need to exclude or whitelist problematic ones.

Other than these minor problems, it has been a very easy system to set up that has proven to be very beneficial to our community, and it is getting better all the time as more organizations get onboard.

---
Dave Koontz
Associate Director, CIS
Mary Baldwin College
Staunton, VA

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Theresa Semmens
Sent: Monday, March 07, 2005 1:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SPF

Do any of you have SPF implemented? If so, have you had any issues or complications with it? Has your user community had any comments concerning it?

Theresa Semmens, CISA
IT Security Officer
North Dakota State University
IACC 210C
Ph: 701-231-5870
E-mail: theresa.semmens () ndsu edu

"If you believe you cannot do something, it makes you incapable of doing it. But when you believe you can, you acquire the ability to do it, even if you did not have the ability in the beginning." Mahatma Gandhi

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
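
One way to check a published record against points 2 and 3 of the message above, as an added example that is not part of the original post: a small auditor that flags an `all` qualifier weaker than hard fail and `ip4`/`ip6` ranges wider than a handful of mail servers. The sample records, the function name `audit_spf` and the 32-address threshold are assumptions constructed for illustration.

```python
import ipaddress

# Constructed records for a hypothetical domain; 198.51.100.0/24 is a documentation range.
SAMPLES = {
    "whole range, pass-all": "v=spf1 ip4:198.51.100.0/24 +all",
    "rollout (soft fail)": "v=spf1 mx ip4:198.51.100.25 ~all",
    "enforcing (hard fail)": "v=spf1 mx ip4:198.51.100.25 -all",
}

def audit_spf(record, max_addresses=32):
    """Return findings for one SPF TXT record; max_addresses is an assumed threshold."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["NOT_SPF: record does not start with v=spf1"]
    findings, terminated = [], False
    for term in terms[1:]:
        if "=" in term:  # modifier; redirect= hands the final verdict to another record
            terminated = terminated or term.lower().startswith("redirect=")
            continue
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default qualifier is pass
        name, _, value = term.lstrip("+-~?").lower().partition(":")
        if name == "all":
            terminated = True
            if qualifier == "+":
                findings.append("PASS_ALL: +all authorizes every host on the Internet")
            elif qualifier == "~":
                findings.append("SOFT_FAIL: ~all suits the rollout phase; plan the move to -all")
            elif qualifier == "?":
                findings.append("NEUTRAL_ALL: ?all gives receivers nothing to act on")
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                findings.append(f"BAD_NETWORK: cannot parse {term}")
                continue
            if net.num_addresses > max_addresses:
                findings.append(f"BROAD_RANGE: {term} covers {net.num_addresses} addresses; "
                                "list only mail servers and known services")
    if not terminated:
        findings.append("NO_ALL: no 'all' mechanism, so unmatched senders are not failed")
    return findings

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(f"{label}: {record}")
        for finding in audit_spf(record) or ["OK: no findings"]:
            print("   ", finding)
```
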