AW: AW: SPF Configurations

2009-12-05 Thread Andre Engel
John,

> -Original Message-
> From: John R. Levine [mailto:jo...@iecc.com]
> Sent: Saturday, 5 December 2009 01:54
> To: Andre Engel
> Cc: nanog@nanog.org
> Subject: Re: AW: SPF Configurations
>
>> Right.  The only major mail system that pays attention to SPF is
>> Hotmail, but there are enough small poorly run MTAs that use it that
>> an SPF record which lists your outbounds and ~all (not -all) can be
>> marginally useful to avoid bogus rejections of your mail.
>>
>> For example :
>> [ various large ISPs that publish SPF ]
>
> Perhaps this is a language problem.  In English, publishes is not a
> synonym for pays attention to.  As I said, you need to publish SPF
> to get mail into Hotmail.  That's why people do it.

As I said, I'm almost German :-)
  
Some major providers, 1&1 for example, assigned their customers the
responsibility to pay attention to SPF for getting mails into their
boxes (decision between suspicious or not).

>> I know there is a problem so far with forwarded emails but there is also a
>> solution :
>> [ hoary SRS proposal to change every SMTP server in the world to make them
>> match what SPF does ]
>
> Sigh.

I do not want to change every SMTP server in the world. I'm just going to show
a useful option .-)

>> Every time a mail arrives that is an SRS address the password and timestamp
>> could be checked, and faked or outdated recipients could be rejected.
>
> You might want to look at BATV, which has nothing to do with SPF, but
> I have found is quite useful for recognizing spam blowback.


Sure! For instance, if you are providing a mail cluster for your customer
bills, a newsletter server or a corporate mail cluster, and you know that you
are sending emails only to receivers' email boxes, BATV is indeed an awesome
tool.

But if you are running a shared mail cluster for your webhosting or your
dial-in customers, which are using for instance some special kinds of mailing
lists, maybe you need an additional solution.

From a reputation perspective I'd like the idea of combining a set of anti-spam
tools if it is useful.
Indeed MAAWG is not the worst place to learn about it.


> R's,
> John
>
> PS:
>
>> This message (including any attachments) is the property of FHE3 and may
>> contain confidential or privileged information. Unauthorized use of this
>> communication is strictly prohibited and may be unlawful. If you have
>> received this communication in error, please immediately notify the sender
>> by reply e-mail and destroy all copies of the communication and any
>> attachments.
>
> Our policy is to send messages with confidentiality notices to all of
> your competitors.

Sure! I'm here to learn *** .-)


Cheers

Andre 



--
Andre Engel

Consulting Program Director, 
Email and Cyber Intelligence Services..no space left on the
device/Kein Weltraum links auf dem Gerät


FHE3 GmbH         P: +49 721 869 5907
Scheffelstr. 17a  M: +49 160 962 44476
76135 Karlsruhe


andre.en...@fhe3.com
http://www.fhe3.com/

Amtsgericht Mannheim, HRB 702495
Umsatzsteuer-Ident: DE254677931
Geschäftsführer: Peter Eisenhauer, Michael Feger, Dimitrij Hilt

***
This email is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE ,...






AW: SPF Configurations

2009-12-04 Thread Andre Engel
John,

Nice to meet you :-)

> Right.  The only major mail system that pays attention to SPF is
> Hotmail, but there are enough small poorly run MTAs that use it that
> an SPF record which lists your outbounds and ~all (not -all) can be
> marginally useful to avoid bogus rejections of your mail.

For example :

host -t TXT hotmail.com
hotmail.com TXT v=spf1 include:spf-a.hotmail.com
include:spf-b.hotmail.com include:spf-c.hotmail.com
include:spf-d.hotmail.com ~all

host -t TXT google.com :
google.com  TXT v=spf1 include:_netblocks.google.com
ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all

host -t TXT amazon.com :
amazon.com  TXT v=spf1 ip4:207.171.160.0/19
ip4:87.238.80.0/21 ip4:72.21.193.0/24 ip4:72.21.196.0/22 ip4:72.21.208.0/24
ip4:72.21.205.0/24 ip4:72.21.209.0/24 ip4:194.154.193.200/28
ip4:194.7.41.152/28 ip4:212.123.28.40/32 ip4:203.81.17.0/24 ~all
amazon.com  TXT spf2.0/pra ip4:207.171.160.0/19
ip4:87.238.80.0/21 ip4:72.21.193.0/24 ip4:72.21.196.0/22 ip4:72.21.208.0/24
ip4:72.21.205.0/24 ip4:72.21.209.0/24 ip4:194.154.193.200/28
ip4:194.7.41.152/28 ip4:212.123.28.40/32 ip4:203.81.17.0/24 ~all

host -t TXT ebay.de :
ebay.de TXT v=spf1 mx include:s._spf.ebay.com
include:m._spf.ebay.com include:p._spf.ebay.com include:c._spf.ebay.com
~all
ebay.de TXT spf2.0/pra mx include:s._sid.ebay.com
include:m._sid.ebay.com include:p._sid.ebay.com include:c._sid.ebay.com
~all

host -t TXT 1und1.de :

TXT v=spf1 ip4:82.165.0.0/16 ip4:195.20.224.0/19 ip4:212.227.0.0/16
ip4:87.106.0.0/16 ip4:217.160.0.0/16 ip4:213.165.64.0/19 ip4:217.72.192.0/20
ip4:74.208.0.0/17 ip4:74.208.128.0/18 ip4:66.236.18.66 ip4:67.88.206.40
ip4:67.88.206.48 ~all

host -t TXT gmx.com :
gmx.com TXT v=spf1 ip4:213.165.64.0/23
ip4:74.208.5.64/26 ip4:74.208.122.0/26 -all

host -t TXT enterprisemail.de :
enterprisemail.de   TXT v=spf1 a:mout.enterprisemail.de -all

etc

> As everyone here should already know, the fundamental problem with SPF
> is that although it does an OK job of describing the mail sending
> patterns of dedicated bulk mail systems, it can't model the way that
> normal mail systems with human users work.  But so deep is the faith
> of the SPF cult that they blame the world for not matching SPF rather
> than the other way around, believing that it prevent forgery, having
> redefined forgery as whatever it is that SPF prevents.  As the
> operator of one of the world's more heavily forged domains (abuse.net)
> I can report that if you think it prevents forgery blowback, you are
> mistaken.

You do know that I love the way abuse.net flies:

Bear in mind the following situation: for instance, an infection vector around
millions of bots which are sending millions of forged mails with evil
polymorphic files camouflaged as your customers' bills. You will be glad to
enforce the directive -all for a while.

Sorry, I'm almost German:
http://www.heise.de/security/meldung/1-1-warnt-Kunden-vor-gefaelschten-Rechnungen-131420.html


I know SPF is not the answer to everything, but sometimes it helps to secure a
little bit of your critical customers' infrastructure, and sometimes it helps
to save your operational resources.



I know there is a problem so far with forwarded emails, but there is also a
solution:


The solution could be to rewrite the envelope-from of all forwarded mail so
that the given domain is a local domain with SPF records matching the
originating mail server (or no SPF records at all). You have to transform
the original envelope-from into a local part and add some special local SRS
domain to it.

See http://spf.pobox.com/srs.html and http://www.libsrs2.org/ for a full
description of SRS.

In practice:

andre.en...@fhe3.com could receive an email from mist...@google.com, where
andre.en...@fhe3.com could be forwarded to andre.en...@hotmail.de. Before
forwarding the email to the hotmail server I could rewrite the envelope-from
from mist...@google.com to google.com=mist...@srs.enterprisemail.de.
srs.enterprisemail.de could be a valid domain for mails originating from our
main mail clusters (enterprisemail), so possible SPF checks at hotmail would
not bother.

In case a bounce is generated at hotmail, it could be delivered back to the
SRS address, thus to our enterprisemail main mail cluster, where we would
recognise the SRS scheme, un-rewrite it back to mist...@google.com and
deliver the mail onward to the mist...@google.com mail system.

But in the real world the rewriting isn't as simple as stated in the
previous section. In fact you have to add some kind of checksum, where the
original mail address is mangled with a secret password, and a time stamp
that makes the SRS address valid for some period of time.

The mail address from above could look more like this:

srs38=ldl23v=tz=google.com=mist...@srs.enterprisemail.de
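To make the forward-and-bounce handling described in this message (and the "password and timestamp could be checked" point in the later reply) concrete, here is an added example of SRS0-style rewriting with an HMAC and a day timestamp; it is not code from the thread, from FHE3 or from libsrs2, and the secret, the SRS domain srs.example.net and the address sender@example.org are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed placeholders: a real forwarder uses its own long random secret
# and its own SRS domain (the thread's srs.enterprisemail.de is only an illustration).
SRS_SECRET = b"replace-me-with-a-long-random-secret"
SRS_DOMAIN = "srs.example.net"
MAX_AGE_DAYS = 21          # a bounce arriving later than this is treated as outdated
_B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _timestamp(day: int) -> str:
    """Two base32 characters encoding the day number modulo 1024."""
    return _B32[(day >> 5) & 31] + _B32[day & 31]


def _hash(ts: str, domain: str, local: str) -> str:
    """Truncated HMAC over timestamp, original domain and original local part."""
    msg = (ts.upper() + domain.lower() + local).encode()
    digest = hmac.new(SRS_SECRET, msg, hashlib.sha256).digest()
    return base64.b32encode(digest)[:4].decode()


def srs_forward(addr: str, day: int) -> str:
    """Rewrite an envelope-from before forwarding: SRS0=HHHH=TT=domain=local@SRS_DOMAIN."""
    local, domain = addr.rsplit("@", 1)
    ts = _timestamp(day)
    return f"SRS0={_hash(ts, domain, local)}={ts}={domain}={local}@{SRS_DOMAIN}"


def srs_reverse(addr: str, day: int) -> tuple:
    """Validate a bounce recipient: (original_address, None) when the hash and
    timestamp check out, otherwise (None, reason) so the bounce can be rejected."""
    local, domain = addr.rsplit("@", 1)
    if domain.lower() != SRS_DOMAIN or not local.upper().startswith("SRS0="):
        return None, "not an SRS address of this domain"
    parts = local.split("=", 4)          # the original local part may itself contain '='
    if len(parts) != 5 or len(parts[2]) != 2:
        return None, "malformed"
    _, h, ts, orig_domain, orig_local = parts
    # constant-time comparison: a forged bounce cannot probe the hash character by character
    if not hmac.compare_digest(h.upper(), _hash(ts, orig_domain, orig_local)):
        return None, "bad hash"
    try:
        sent_day = _B32.index(ts[0].upper()) * 32 + _B32.index(ts[1].upper())
    except ValueError:
        return None, "malformed"
    if (day - sent_day) % 1024 > MAX_AGE_DAYS:   # modulo handles the 1024-day wrap
        return None, "outdated"
    return f"{orig_local}@{orig_domain}", None
```

The original address never has to be stored: the forwarder only keeps the secret, and a bounce to an address it did not mint (wrong hash) or that is older than the window (stale timestamp) is refused instead of being relayed to a third party.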


Re: AW: SPF Configurations

2009-12-04 Thread John R. Levine

>> Right.  The only major mail system that pays attention to SPF is
>> Hotmail, but there are enough small poorly run MTAs that use it that
>> an SPF record which lists your outbounds and ~all (not -all) can be
>> marginally useful to avoid bogus rejections of your mail.
>
> For example :
> [ various large ISPs that publish SPF ]


Perhaps this is a language problem.  In English, publishes is not a
synonym for pays attention to.  As I said, you need to publish SPF
to get mail into Hotmail.  That's why people do it.


> I know there is a problem so far with forwarded emails but there is  also a
> solution :
> [ hoary SRS proposal to change every SMTP server in the world to make them
> match what SPF does ]


Sigh.


> Every time a mail arrives that is an SRS address the password and timestamp
> could be checked, and faked or outdated recipients could be rejected.


You might want to look at BATV, which has nothing to do with SPF, but
I have found is quite useful for recognizing spam blowback.

R's,
John

PS:


> This message (including any attachments) is the property of FHE3 and may
> contain confidential or privileged information. Unauthorized use of this
> communication is strictly prohibited and may be unlawful. If you have
> received this communication in error, please immediately notify the sender
> by reply e-mail and destroy all copies of the communication and any
> attachments.


Our policy is to send messages with confidentiality notices to all of
your competitors.