Educause Security Discussion mailing list archives

Re: Question about SPF email filtering


From: Derek Diget <derek.diget+educause-security () WMICH EDU>
Date: Thu, 9 Feb 2012 13:38:08 -0500

On Feb 9, 2012 at 17:16 -0000, Dye, Jan wrote:
=>I'm just curious to see how many of you have enabled SPF filtering on 
=>your email systems?

We quarantine on SPF "fail".  (There are plans to SMTP reject.)


=>We recently enabled this, and the result is that we have many support 
=>tickets from users who no longer receive mail from rejected senders. 
=>These senders are legitimate, however, they have "bad" SPF records.

We did this a couple of years ago.  There have been a few issues.  
Mostly with students/faculty forwarding from their previous .edu.  (We 
tell them to go fix the address they have in Facebook, banks, etc to be 
their @wmich.edu address.)  Another top issue would be users wanting to 
use one address (like previous broadband provider) with their new 
broadband provider's MSA.  Once they get the "profile" set up in their 
MUA to use MSA-X for X address and MSA-Y for Y address, they are all 
set.


=>We're wondering how other institutions are handling this, and if SPF 
=>checking is really worth it.

It is just one more tool to use.  For us, where we seem to see it help 
is for the first messages in phishing runs for NACHA.org, FDIC, IRS and 
other money phishing.  Within a few minutes our anti-spam starts 
blocking them, but the SPF check catches the ones that get through it.


=>If I've posted this on the wrong list, please let me know.

Probably would also want to post to the Higher Education Email 
Administration list hosted at Notre Dame.



Note that SPF is currently being updated from Experimental to a 
Standards Track protocol by the SPFbis IETF working group.  (It was just 
chartered last week.)


-- 
***********************************************************************
Derek Diget                            Office of Information Technology
Western Michigan University - Kalamazoo  Michigan  USA - www.wmich.edu/
***********************************************************************
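
Added example, not part of the original message: a minimal SPF check showing why mail forwarded from a previous address lands in the same "fail" bucket as a spoofed phishing message under the quarantine-on-fail policy described above. The domains, IP addresses, records and function names are constructed for illustration, and it assumes the forwarding host keeps the original envelope sender.

```python
import ipaddress

# Constructed sample TXT records (documentation domains and IP ranges).
SPF_RECORDS = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "isp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, mail_from):
    """Evaluate the MAIL FROM domain's record against the connecting IP.
    Only ip4/ip6/all are handled; include, a, mx, redirect need DNS."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched

def disposition(result):
    """Policy from the message: quarantine on SPF "fail", deliver the rest."""
    return "quarantine" if result == "fail" else "deliver"

if __name__ == "__main__":
    cases = [  # (description, connecting IP, envelope sender), all constructed
        ("sent directly by the bank", "192.0.2.10", "alerts@bank.example"),
        ("forwarded by a previous .edu relay", "203.0.113.25", "alerts@bank.example"),
        ("spoofed sender in a phishing run", "203.0.113.77", "alerts@bank.example"),
        ("old ISP address via a new provider", "203.0.113.25", "user@isp.example"),
    ]
    for label, ip, sender in cases:
        result = check_spf(ip, sender)
        print(f"{label:38} {result:9} {disposition(result)}")
```

The forwarded and spoofed cases are indistinguishable to the check, which is why the remedy is on the sender side: update the address on file, or submit through the MSA that matches the address.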

