Home

SPF Overview

Issue 120

From Issue #120
April 2004

Apr 01, 2004  By Meng Weng Wong
 in
You can help eliminate the spam problem by making it easy to detect forgeries. Protect your e-mail address reputation with a simple DNS technique.
Why Do People Use SPF?

Big domains, including ISPs, banks and well-known brands care about controlling their trademarks. They have an obligation to protect their names. Altavista.com publishes an SPF record as do AOL and Oxford. More domains get on the bandwagon every day. Smaller domains publish SPFs simply because they don't want to be joe-jobbed.

On the receiving end, ISPs upgrade their MTAs and turn on SPF simply because it means less forgery—less spam, worms and viruses. Their bandwidth costs go down, too, because SPF lets them cut off the spammer before data is transmitted. They don't have to perform any cryptography or verify any signatures. SPF saves money.

Adoption

By the time this article is published, SPF support should be either bundled in or available as a downloadable plugin for the latest versions of SpamAssassin, Postfix, Sendmail, Exim and qmail. Commercial antispam vendors have committed to support SPF; Declude JunkMail, for one, reports that SPF is successfully blocking spam in the field.

If all goes well, the SPF standard will be published as an RFC in the near future. But thousands of domains, including some quite large ones, already publish SPF records. There's no reason to wait; you should publish SPF today.

SPF and Conventional Antispam Methods

DNS blacklists or blocklists (DNSBLs): IPv4 space is 32 bits wide; 232 is about 4.2 billion—4.2 billion grains of sand would just about fill a pickup truck. Imagine trying to paint each individual grain black or white. IP-based blacklists are a valiant effort, but they operate at too low a level. A good DNSBL has to decide whether an IP address is spammy and get it right for each of the 4.2 billion IP addresses. No wonder DNSBLs come and go—their maintainers burn out and give up.

Right-hand side blacklists: RHSBLs use domain names, whereas DNSBLs use IP addresses. Domain names are a much better way to identify entities on the Internet, but RHSBLs haven't been quite as popular as DNSBLs. Why not? Spam doesn't come from spammer.net. It's forged from yahoo.com. That's why SPF helps: if spammers send mail with their true names, blocking them becomes trivial.

Address verification: at MAIL phase, you can check the validity of the envelope sender by attempting to send a test message to it. If the test comes back user unknown, you might not want to accept the message. This is useful because spammers often make up addresses at random. But as address verification becomes more common, spammers can be expected to forge actual addresses—all the more reason to use SPF.

Signature solutions: PGP/GPG and S/MIME users sign their messages. Recipients can check signature validity by downloading keys from a key server. Other schemes have been proposed in which the DNS itself acts as the repository for public keys. These solutions are good because .forward files continue to work without modification. They are bad, however, because a message has to cross the pipe, costing bandwidth and CPU, before its legitimacy can be determined. In any case, a domain that uses these mechanisms still can use SPF to announce that any messages without a signature should be rejected.

Challenge/response: you don't want to send challenges to spam, especially not forged spam. If SPF tells you a sender address definitely was forged, you can junk the message without bothering to challenge it.

Meng Weng Wong is founder and CTO of pobox.com, the e-mail-forwarding company, which celebrates its tenth anniversary this year. He is working on a science-fiction novel set on a planet where traditional fantasy magic turns out to be implemented, following Clarke's famous dictum, using nanotechnology.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Re: SPF Overview

Anonymous's picture
Submitted by Anonymous on Mon, 04/26/2004 - 02:00.

I read this article after reading the May 2004 article because my subscription just started up. So, interestingly, everything seemed to flow. Thank goodness Linux Journal posts their articles!

I found this one here because I read the other article and thought "Hey, I need to do/learn this! Where's that previous article." A few clicks later, there it was. :)

I can understand the first person's frustrational comment about the definition of SPF. I explained a little of what I was doing to my signifigant other, and the initial response, after defining SPF, was "Oh, I thought it was like sunblock. You know, like SPF-15, SPF-45.."

In a way, it is like sunblock. It prevents your systems from burning up from processing all of that spam!

Re: SPF Overview

Anonymous's picture
Submitted by Anonymous on Fri, 04/23/2004 - 02:00.

Just for the record, the other half of this article, which is obviously more detailed due to the complexity (setting up the email side of thigns), is in the April issue:

http://www.linuxjournal.com/article.php?sid=7328

SPF?

Anonymous's picture
Submitted by Anonymous on Sun, 03/21/2004 - 03:00.

I don't believe this article even once tells us what SPF stands for.* Perhaps it means nothing, the latest fad in (non-) acronyms.

How did this piece make it past an editor?

*For the frustrated reader: it stands for Sender Policy Framework.

Re: SPF?

Anonymous's picture
Submitted by Anonymous on Mon, 04/05/2004 - 02:00.

You seem to be in the possession of Internet access... A quick trip over to spf.pobox.com would have answered your question rather quickly ;)

Re: SPF?

Anonymous's picture
Submitted by Anonymous on Tue, 04/20/2004 - 02:00.

I think you are missing out on some experience when it comes to technical writing. Technical lingo should be explained, but not to the depth of the PDR (Physician's Desk Refeence). Because the industry is so acronym-laden, many have found a common style to use the acronum once and place an explanation in parantheses afterwards, describing the acronym or term, but after that, to use the acronym (only) as the meaning has been explained. The initial reference can be seen in my reference to the PDR above.
And finally, but most importantly, material should be written|developed|edited so a reader doesn't have to read a sentence more than once for comprehension. Have you ever found yourself halfway into a sentence (technical, romance, etc. and say, "Huh?" then go back to the beginning of the sentence and start reading it again? That's an example of a bad book. Bad book! Bad bad book.

Re: SPF?

Anonymous's picture
Submitted by Anonymous on Mon, 03/29/2004 - 03:00.

I agree. Thanks for suppling the definition. I though the article was good.

White Paper
More Resources
Fabric-Based Computing Enables Optimized Hyperscale Data Centers

Today’s modular x86 servers are compute-centric, designed as a least common denominator to support a wide range of IT workloads. Those generic, virtualized IT workloads have much different resource optimization requirements than hyperscale and cloud applications. They have resulted in a “one size fits all” enterprise IT architecture that is not optimized for a specific set of IT workloads, and especially not emerging hyperscale workloads, such as web applications, big data, and object storage. In this report, you will learn how shifting the focus from traditional compute-centric IT architectures to an innovative disaggregated fabric-based architecture can optimize and scale your data center.

Learn More

Sponsored by AMD

White Paper
More Resources
Red Hat White Paper: Using an Open Source Framework to Catch the Bad Guy

Built-in forensics, incident response, and security with Red Hat Enterprise Linux 6

Every security policy provides guidance and requirements for ensuring adequate protection of information and data, as well as high-level technical and administrative security requirements for a system in a given environment. Traditionally, providing security for a system focuses on the confidentiality of the information on it. However, protecting the data integrity and system and data availability is just as important. For example, when processing United States intelligence information, there are three attributes that require protection: confidentiality, integrity, and availability.

Learn more about catching the bad guy in this free white paper.

Learn More

Sponsored by DLT Solutions