nanog mailing list archives
Re: do you use SPF TXT RRs? (RFC4408)
From: Kevin Stange <kevin () steadfast net>
Date: Mon, 04 Oct 2010 17:55:28 -0500
On 10/04/2010 11:47 AM, Greg Whynott wrote:
> A partner had a security audit done on their site. The report said they were at risk of a DoS due to the fact they didn't have a SPF record.
We publish a ~all record for our domain. I think it's bad practice to publish any other result because you're making assertions which are almost definitely untrue. +all implies that anywhere on the internet is a valid origination, and -all implies you are certain nothing else could ever send an email on behalf of your domain. The most common situation where another host sends on your domain's behalf is a forwarding MTA, such as NANOG's mailing list.

A lot of MTAs will only trust that the final MTA handling the message is a source host. In the case of a mailing list, that's NANOG's server. All previous headers are untrustworthy and could easily be forged. I'd bet few, if any, people have NANOG's servers listed in their SPF, and delivering a -all result in your SPF could easily cause blocked mail for anyone that drops hard-failing messages.

If you're going to filter using SPFs, I believe best practice is to consider all mail from a +all or neutral record the same as mail that soft or hard fails a ~all or -all record. By filtering, I mean I would simply subject those messages to additional testing, but never block exclusively based upon an SPF result.

I would just ignore SPF, and that's what I do on MTAs I configure. All you'll really be preventing with SPF is some backscatter and messages which forge the source information for domains that have even bothered to publish accurate records. A huge amount of the spam you get will pass SPF (or return neutral) and possibly pass DKIM as well, because the big spam operations register new domains and set up SPF before they start spamming.

-- 
Kevin Stange
Chief Technology Officer
Steadfast Networks
http://steadfast.net
Phone: 312-602-2689 ext. 203 | Fax: 312-602-2688 | Cell: 312-320-5867
Attachment:
signature.asc
Description: OpenPGP digital signature
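The two points Kevin makes above (a forwarding MTA such as a list server is the only hop a receiver can verify, so a -all record hard-fails legitimate list traffic; and a "pass" from a +all record tells you nothing) are easy to see with a toy SPF evaluator. The block below is an added example for this archive page, not code from the post or from any MTA; it evaluates only the ip4/ip6/all mechanisms of RFC 4408 against a constructed in-memory zone (domains and addresses are documentation-range placeholders, not real hosts) and maps the result to the disposition policy the post recommends, which never rejects on SPF alone.

```python
"""Toy SPF (RFC 4408) evaluator: ip4/ip6/all mechanisms only, no real DNS.

Added example for the NANOG thread above.  ZONE, the domain names and the
IP addresses are constructed placeholders (RFC 5737 / RFC 3849 ranges).
"""
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed stand-in for DNS TXT lookups.  "" means the domain has no record.
ZONE: Dict[str, str] = {
    "example.com":      "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
    "noall.example":    "v=spf1 ip4:192.0.2.0/24",
    "spammer.example":  "v=spf1 +all",
    "nospf.example":    "",
}

# Qualifier prefix -> SPF result name.  An unprefixed mechanism is "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Hypothetical list-server address: the last hop a receiver actually sees.
LIST_SERVER_IP = "203.0.113.5"


def lookup_spf(domain: str) -> Optional[str]:
    """Return the domain's SPF TXT record, or None if it publishes none."""
    rec = ZONE.get(domain, "")
    return rec if rec.startswith("v=spf1") else None


def check_host(ip: str, domain: str) -> Tuple[str, Optional[str]]:
    """Evaluate `domain`'s record for connecting address `ip`.

    Returns (result, matched_mechanism).  The mechanism is kept so a caller
    can tell a "pass" earned by a real ip4/ip6 match from one handed out by
    a wildcard "+all".  Unsupported mechanisms (include, a, mx, ...) would
    need further DNS, so this toy reports permerror for them.
    """
    rec = lookup_spf(domain)
    if rec is None:
        return "none", None
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:          # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":                 # "all" always matches
            return QUALIFIERS[qual], "all"
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", term
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qual], term
            continue
        return "permerror", term
    # RFC 4408 s4.7: no mechanism matched and no "all" present -> neutral.
    return "neutral", None


def disposition(result: str, mechanism: Optional[str]) -> str:
    """The post's policy: only a pass from a concrete mechanism means much.

    A pass granted by "+all", a neutral, a softfail, a fail, or no record at
    all are treated alike: route the message to further checks, never reject
    on the SPF result by itself.
    """
    if result == "pass" and mechanism != "all":
        return "deliver"
    return "scrutinize"


def forwarded_mail_demo() -> Tuple[str, str]:
    """alice@example.com posts to a list; the list MTA re-sends from its own
    address.  example.com's -all record hard-fails that hop, so an MTA that
    rejects on hardfail drops legitimate list mail.  The policy above does not.
    """
    result, mech = check_host(LIST_SERVER_IP, "example.com")
    return result, disposition(result, mech)


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.com"),
                    (LIST_SERVER_IP, "example.com"),
                    (LIST_SERVER_IP, "spammer.example"),
                    (LIST_SERVER_IP, "nospf.example")]:
        res, mech = check_host(ip, dom)
        print(f"{ip:>14} {dom:<18} {res:<8} via {mech!s:<18} -> {disposition(res, mech)}")
```

The interesting rows are the last two: the spammer domain with +all earns a "pass" for any address on the internet, and a domain with no record at all gets "none"; the policy function files both alongside the hard-failed list mail rather than letting the wildcard pass count as a positive signal.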
Current thread:
- Re: do you use SPF TXT RRs? (RFC4408), (continued)
- Re: do you use SPF TXT RRs? (RFC4408) Owen DeLong (Oct 05)
- Re: do you use SPF TXT RRs? (RFC4408) Greg Whynott (Oct 04)
- Re: do you use SPF TXT RRs? (RFC4408) Michael Loftis (Oct 04)
- Re: do you use SPF TXT RRs? (RFC4408) bmanning (Oct 04)
- Re: do you use SPF TXT RRs? (RFC4408) Rich Kulawiec (Oct 04)
- Re: do you use SPF TXT RRs? (RFC4408) Douglas Otis (Oct 04)
- Re: do you use SPF TXT RRs? (RFC4408) Suresh Ramasubramanian (Oct 04)
- Re: do you use SPF TXT RRs? (RFC4408) Greg Whynott (Oct 04)
- Re: do you use SPF TXT RRs? (RFC4408) William Herrin (Oct 04)
- Re: do you use SPF TXT RRs? (RFC4408) Tony Finch (Oct 04)
- Re: do you use SPF TXT RRs? (RFC4408) Kevin Stange (Oct 04)
- Re: do you use SPF TXT RRs? (RFC4408) Stefan Bethke (Oct 05)
- Re: do you use SPF TXT RRs? (RFC4408) Douglas Otis (Oct 05)
- re: do you use SPF TXT RRs? (RFC4408) Nick Olsen (Oct 04)
- RE: do you use SPF TXT RRs? (RFC4408) Nathan Eisenberg (Oct 04)
- Re: do you use SPF TXT RRs? (RFC4408) Jared Mauch (Oct 04)
- RE: do you use SPF TXT RRs? (RFC4408) Nathan Eisenberg (Oct 04)