Can SPF be added to westhost please..



AUS-CITY
07-26-2004, 06:18 AM
Hey,

Seen this site?
http://spf.pobox.com/

It's stopping faked addresses using your domain names. Can this be implemented at westhost? It only involves being able to add plain text entries to your DNS record.

eg

domain.name. IN TXT "v=spf1 a mx ptr -all"
mail.domain.name. IN TXT "v=spf1 a -all"
mail.westhost.com. IN TXT "v=spf1 a -all"

Thanks!

WestHost - RSimpkins
07-26-2004, 11:31 AM
AUS-CITY,

WestHost does support SPF records. If you will send a support request to technical support it can be sent to an admin and taken care of (or you can PM me with any ticket numbers). As of right now there is no way to add/edit SPF's through the site manager (SPFs are still relatively new), but we are more than happy to do it for you.

We have had other clients use SPF records with great success. Please keep the forum informed about your results. I'm sure we all would be interested to hear about anything that can reduce the amount of SPAM in our in-boxes.

jalal
07-26-2004, 02:31 PM
It's a great idea.

But it is a two stage process.

1. Add in SPF records for DNS servers, this is what Ryan is addressing above. This helps others to not receive spam that comes from us.

2. Add SPF support to the MTA. In English that means we need a different version of sendmail installed, that will check the SPF records of other servers before accepting an email.

So, Ryan, any chance of part two being taken care of as well???

WestHost - RSimpkins
07-26-2004, 04:25 PM
Jalal,

A new version of sendmail is in the wishlist. We support "part 1" -- part 2 is a little more difficult to support just yet (still a bit new, but gaining wider adoption).

jalal
07-27-2004, 01:06 AM
Great news Ryan.

It could also be a strong selling point for Westhost and for the Resellers.

thanx

AUS-CITY
07-27-2004, 03:17 AM
Westhost,

Wonderful news and thanks!!! I will send a support ticket in with the SPF record I want added to the DNS, and thanks again!

Exciting news that the rest of the move forward for SPF is in the wishlist, great news!!!

Cheers,

David

dansroka
07-28-2004, 08:24 AM
Does this system work when your ISP insists that you send mail via their SMTP server?

jalal
07-28-2004, 02:07 PM
There is a lot of interesting info on the site:
http://spf.pobox.com/

Here is a brief excerpt from the "How It Works" page:
=============
Have you ever gotten spam from yourself? I have, and I've been thinking hard about how to stop it! I didn't send it. It came from a spammer. If we could stop spammers from forging mail, we could easily tell spam from ham and block the bad stuff.

SPF makes it easy for a domain, whether it's an ISP, a business, a school or a vanity domain, to say, "I only send mail from these machines. If any other machine claims that I'm sending mail from there, they're lying."

When an AOL user sends mail to you, an email server that belongs to AOL connects to an email server that belongs to you. AOL uses SPF to publish the addresses of its email servers. When the message comes in, your email servers can tell if the server on the other end of the connection belongs to AOL or not.

And that's it! SPF aims to prevent spammers from ruining other people's reputations. If they want to send spam, they should at least do it under their own name.

And as a user, SPF can help you sort the good from the bad. Reject mail that fails an SPF check. Use it to help your spam filters make a decision. Have confidence that mail that SAYS it's coming from your bank, your credit card company, or the government really is!

If you do get spam that passed an SPF check, then you know you should hold the sending domain responsible for the message.

For more information, please see the FAQ.
===============

wildjokerdesign
07-28-2004, 03:54 PM
Well I went ... I read..... ahhhh so what do I do now. :? This seems like a really good idea but email and MX records still lose me a bit. I'll keep plugging away at it but my fear is that we end up with another APP in the system that confuses the average user.

I went to the wizard on the site to create a record and was not sure of the yes and no answers on some of the questions. I really want to learn more about this and understand it so I'll go back and spend a couple hours reading and then most likely be back to ask more specific questions in the email management area. :)

AUS-CITY
07-29-2004, 06:52 AM
Basically unless you add an SPF entry to your domain name, then anyone can SPAM using your domain name..

Normally a simple entry such as :

domainname.com. IN TXT "v=spf1 -all"

This basically allows mail to originate only from the domain's own server.

If you're unsure, add the a, mx and ptr flags. This still protects you but leaves it less strict, allows any servers in the mx, a and ptr records to send mail on behalf of your domain.

domainname.com. IN TXT "v=spf1 a mx ptr -all"

If you want to add support for sending mail from your ISP's SMTP server, add the include: for the SMTP server....

domainname.com. IN TXT "v=spf1 a mx ptr include:myISPsmtp.com -all"

Hope this helps!

WestHost - RSimpkins
07-29-2004, 09:18 AM
I'm not an SPF record expert, but does anyone know if it's possible to accidentally block your ability to send e-mail altogether? This is what I'm thinking: If you always send e-mail through your ISP with a reply-to or from containing your domain, and you don't include your ISP's MX domain in the SPF when you first set it up - you won't be able to send e-mail to some networks until it's cleared up. This can be additionally problematic if you have been able to send e-mail using WestHost's SMTP servers, and then your ISP blocks port 25. If your SPF didn't include your ISP's SMTP servers when you first set it up, you will need to get that fixed before you can e-mail some networks.

Does this sound reasonable to anyone?

If this is the case please keep in mind that it can take up to 24 hours for DNS changes to propagate. If you were to mess something up, you might find out that you will be blocked from sending mail to certain networks for several hours. Caveat emptor.

Perhaps someone can tell me if I am incorrect or not.

wildjokerdesign
07-29-2004, 10:15 AM
Ok I was going to post down in the other thread but it seems this is where the dialogue is happening.

Am I right in assuming that ptr is what we call aliases here in the Site Manager under domain management? So if you have that flag set it looks to see if you have say mail.domain.com set up and allows that?

I kind of wondered about the include: also. Although I connect to the internet using Roadrunner I never use them to send out email (I think) I have my Outlook set up to connect to mydomain.com for incoming and outgoing mail. Like RSimpkins mentioned if Roadrunner for some reason changed their setup and required that I go through their server to send mail then I would have to make that change right? I don't think they would do that and is one reason I do use Roadrunner but kind of wonder if it would be worth it to go ahead and add them in which then leads to the question "What do I add to include:?" I think it would be rr.com but not sure if that covers it or not. Is there a way for the average user to figure this out? I picked up on the rr.com since when I went to the wizard on the SPF site it inserted that into the first field for me so figured it was reading my IP number and doing it for me.

Is the difference between a: and include: that the a: should have IP numbers and the include: is a domain name?

Ok the last question for now is if you have a domain that has a lot of different email addresses for different users set up on it then that would mean that the include: could get pretty big and complex depending on how many different users you had and what ISPs they use. Guess that is not so much a question as I can see that WestHost may be hesitant to implement this since unless a website user was really knowledgeable they could end up with some problems. I can think of one of my users that knows they can add email accounts via their Site Manager but would be even more confused (if that is possible) than I am when it comes to anything beyond that. They could add an email account for a user on another ISP that required going through their mail system and not realize they had to make a change to the SPF record.

This is a great idea and needs to be implemented it is just figuring out all the ins and outs of it. :)

dansroka
07-29-2004, 09:31 PM
This does sound like a cool concept, but I agree with Ryan... I have a voice in my head going "Danger Will Robinson!". I think I'll avoid this for now... wait until I have the time to really understand the implications. (I write this as I am trying to put our 6 week old son to sleep... so mental focus ain't my strong suit right now! )

AUS-CITY
07-30-2004, 03:01 AM
Well I have added the record and all the fake crap bounces saying I sent crap I did not have all stopped along with non-existent names on the domain. If your ISP blocks port 25 you need to be aware, but personally if my ISP blocks one single port I will find another..

I am free to use whatever SMTP server I choose. Why should I HAVE to use some overloaded ISP's one.

It's up to the user to firewall and block / protect things not the ISP.

FZ
08-01-2004, 11:44 AM
I have a question:

I use my WestHost account's SMTP server. However mail I send through still contains a second Received: header which looks like this:


Received: from [196.30.237.xxx] (rdg-dial-196-30-237-xxx.mweb.co.za [196.30.237.xxx])
(authenticated)
by impenetrable.org (8.11.6/8.11.6) with ESMTP id i71HeT715218
for <myusername@mweb.co.za>; Sun, 1 Aug 2004 11:40:29 -0600

That appears below this header:


Received: from impenetrable.org (impenetrable.org [69.36.163.118])
by postwall05.mweb.co.za (Postfix) with ESMTP id 9E7AF5E35
for <myusername@mweb.co.za>; Sun, 1 Aug 2004 19:40:33 +0200 (SAST)

In fact, there are at least 3 or 4 other Received: headers that seem to be various firewalls/virus/spam filters set up by my ISP.

So, my question is this: in my case, would I need to add my ISP as an include: in my SPF records?

wildjokerdesign
08-01-2004, 11:52 AM
Is that on mail that you send to other people? Or just on the mail that you are receiving?

FZ
08-01-2004, 12:01 PM
Mail I send via my WestHost account SMTP...

wildjokerdesign
08-01-2004, 12:30 PM
I would think that since it seems the last server it passes through is your WestHost account that it would be ok. What I can't understand is that if you have your email program's Outgoing mail [SMTP] set to your WestHost domain why it would be filtered through your ISP's system. Guess I am not the best one to answer this question or even attempt to. :)

FZ
08-01-2004, 12:44 PM
I would think that since it seems the last server it passes through is your WestHost account that it would be ok.

That's what I was thinking as well.


What I can't understand is that if you have your email program's Outgoing mail [SMTP] set to your WestHost domain why it would be filtered through your ISP's system.

The "extra headers" I mentioned in my post are added by my ISP since they run all sorts of virus and spam filters - those are added to all incoming mail anyway, so I guess they don't apply.

Thanks.

dansroka
08-01-2004, 01:15 PM
Exactly my question. I also have several users, each with an email account that goes through a different ISP. I suppose I would need to know all of these various servers to set up the SPF correctly.

wildjokerdesign
08-01-2004, 01:25 PM
Yes dansroka if they are sending the mail through their ISP and not the WestHost account then you would need to add them to the include: I'm pretty sure.

You could have your users set up their email client to send via the WestHost account. If they are doing that then I think it is ok and you would not have to add the ISPs to the record.

Remember at this point the SPF record is not being used to check incoming mail to your server it is simply being used by other servers that do check before they accept mail. Hopefully WH will be able to get that integrated in to our accounts soon.

I'm drawing my conclusions from what I read on this page: http://spf.pobox.com/whatdoes.html

dansroka
08-07-2004, 08:07 AM
You could have your users set up their email client to send via the WestHost account. If they are doing that then I think it is ok and you would not have to add the ISPs to the record.

The problem is that some ISPs do not allow this (Earthlink, for example) and require them to email through the ISP's SMTP server.

wildjokerdesign
08-07-2004, 09:14 AM
Yes in that case you would have to add them I am pretty sure. I think before I would add the record I'd contact my users and see if they are having to go through their ISP to send email and then add those to the record.

bruce.binder
08-09-2004, 03:12 PM
Regarding the issue of sending outgoing e-mail through your own ISP with a "From:" header of your Westhost domain, I believe it will work okay and not be rejected by other sites. You should *not* need to add your ISP to your SPF record.

The reason is that the SPF protocol is designed to verify the server name contained in the "envelope" of the e-mail message, not the server name in the "From:" header. At the time that the recipient's sendmail (or whatever they are using) is deciding whether to accept or reject the message, the headers and body of the message have not yet been received.

If you use the SMTP server of your ISP, it will be your ISP's server name that gets looked up and your domain is not involved.

See http://spf.pobox.com/faq.html#whichfield
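
An added example (not from any poster and not the SPF project's code) of how a receiving server evaluates records like the ones posted in this thread. It is a simplified Python evaluator over constructed DNS data covering a, mx, ptr, ip4, include and all; every domain, IP address and function name below is made up for illustration. The domain whose record is looked up comes from the envelope MAIL FROM, and the From: header is never consulted.

```python
import ipaddress

# Constructed zone data (documentation address ranges); stands in for real DNS lookups.
TXT = {
    "example.org": "v=spf1 a mx ptr -all",
    "example.net": "v=spf1 a mx ptr include:isp.example -all",
    "isp.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
A = {"example.org": ["192.0.2.10"], "example.net": ["192.0.2.10"],
     "mail.example.org": ["192.0.2.25"], "mail.example.net": ["192.0.2.25"]}
MX = {"example.org": ["mail.example.org"], "example.net": ["mail.example.net"]}
PTR = {"192.0.2.25": ["mail.example.org"]}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _matches(mech, arg, ip, domain, depth):
    """Return True if a single mechanism matches the connecting IP."""
    target = arg or domain
    if mech == "all":
        return True
    if mech == "ip4":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
    if mech == "a":
        return ip in A.get(target, [])
    if mech == "mx":
        return any(ip in A.get(host, []) for host in MX.get(target, []))
    if mech == "ptr":
        # The reverse name must resolve forward to the same IP and sit under the target.
        return any(ip in A.get(name, []) and (name == target or name.endswith("." + target))
                   for name in PTR.get(ip, []))
    if mech == "include":
        # include: names another DOMAIN; it matches only if that domain's record passes.
        return check_host(ip, arg, depth + 1) == "pass"
    raise ValueError(f"unsupported mechanism: {mech}")


def check_host(ip, domain, depth=0):
    """Evaluate the SPF record of `domain` for connecting `ip`, left to right."""
    if depth > 10:
        return "permerror"  # guard against include loops
    terms = (TXT.get(domain) or "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # the domain publishes no SPF record
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        try:
            if _matches(mech, arg, ip, domain, depth):
                return RESULT[qualifier]  # first matching mechanism decides
        except ValueError:
            return "permerror"
    return "neutral"


def spf_for_message(client_ip, mail_from, header_from):
    """Check the envelope sender's domain; header_from is accepted but deliberately unused."""
    return check_host(client_ip, mail_from.rsplit("@", 1)[1])


if __name__ == "__main__":
    cases = [
        ("192.0.2.25", "user@example.org", "user@example.org"),      # own mail server
        ("203.0.113.7", "user@example.org", "user@example.org"),     # forged sender
        ("198.51.100.20", "user@example.org", "user@example.org"),   # ISP relay, ISP not included
        ("198.51.100.20", "user@example.net", "user@example.net"),   # ISP relay, ISP included
        ("198.51.100.20", "cust@isp.example", "user@example.org"),   # ISP envelope, own From:
    ]
    for ip, env, hdr in cases:
        print(f"{ip:15} MAIL FROM={env:18} From:={hdr:18} -> {spf_for_message(ip, env, hdr)}")
```

Which of the last three cases applies to a given user depends on what envelope sender their mail client and ISP relay actually put on the message.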

Armadillo
08-24-2004, 08:12 PM
Westhost set up SPF for me. Thanks Westhost.
:D
I turned my catch-all back on, now I'll find out if SPF helps.
It probably would have helped with that spam attack I had last week.

On a separate note-
Those women on the Westhost main page are hot.
Are they single, and do they like guys with web sites?

wildjokerdesign
09-05-2004, 07:55 PM
Just wanted to bump the thread to the top since we seem to be getting others interested in this topic. Hopefully they'll see it and be able to get some answers.

jalal
09-07-2004, 10:34 AM
And a news story on the BBC:
http://news.bbc.co.uk/2/hi/technology/3631350.stm

wildjokerdesign
09-07-2004, 11:44 AM
Interesting article. Seems to show that you need to use more than one method to control spam that is sent to you. At least it seems to be helping to keep spammers from spoofing domains.

Hopefully between using an SPF record, a solid SA installation kept up to date and other prevention methods spam can at least be kept under control.

I don't think there will ever be any one method that can control spam since as mentioned in the article the spammers continue to modify their methods.

The "see also" articles on the page were interesting. The 'DNA analysis' sounds as if it could be promising. The article about US tops league of e-mail spammers states at the bottom that 40% of all spam is sent by individuals' PCs that are not even aware of it. Anymore most of the spam I receive seems to fall in this category. I can tell since the email address is one that would only be known to the membership of some of my sites. Somehow either the address has been harvested from their local machine or it is being used to send out the mails. Not sure if this can ever be controlled since the average user seems to have very little knowledge of their system and how to control it.

rbayless
09-08-2004, 11:03 PM
I am going through the SPF setup (http://spf.pobox.com) and this is what I came up with :

"v=spf1 a mx include:cox.net -all"

and I am ASSuming WestHost runs BIND so this is what they would need :

baylessweb.com. IN TXT "v=spf1 a mx include:cox.net -all"

From my understanding, basically it is all the default info but it also states that I can send mail through my Cox.net SMTP server but using my baylessweb.com e-mail addy from my From: address ..

Does this look and/or sound right?

:D

Thanks,

Richard

wildjokerdesign
09-09-2004, 06:45 AM
The only thing that you are missing is the ptr which says from what I understand that anything.mydomain.com can send mail. I added it anyway since I was not sure, for one, if even the alias www.mydomain.com may sometimes be seen as sending out mail and that it would need the ptr to allow that. I also wanted to cover if I set up subdomains on the accounts I set up. I don't think it hurts anything to have it there. So if you added it your record would look like this.

baylessweb.com. IN TXT "v=spf1 a mx ptr include:cox.net -all"

rbayless
09-09-2004, 06:22 PM
wildjokerdesign,

Thank you! I also have 2 other domains for that same account that are using the local mail server (baylessweb.com) .. now I am assuming I would need to set up additional strings for those domains as well, correct?

Richard

dagmoon
09-13-2004, 04:27 PM
Over the past week or so one of my domains with WH has been the target of spammers using forged headers, to the tune of about 40-50 bounced messages a day. Best I can tell, it is the nasty handiwork of some outfit in Russia who has decided to pick on my poor, non-profit domain name to lure users to their credit card theft site.

I've made a request with WH to set up the SPF record on this domain (and will do others after I'm comfortable with the change).

But that's only half the solution, isn't it? It looks like all the big boys are in the throes of implementing SPF fully -- for example AOL's discussion here:
http://postmaster.aol.com/spf/details.html

Is it possible that those of us that don't validate SPF (like us at WH) will be special targets to receive more spam when AOL, Yahoo, etc. stop accepting email that doesn't pass the SPF test?

wildjokerdesign
09-13-2004, 04:39 PM
What the big guys are doing is checking SPF records to make sure that email being sent out is from the domain it claims to be. So if you have an SPF record set up then you are good to go.

Say some spammer has forged the header to make it look like the mail is coming from your domain and sends it to a bunch of accounts on aol. When aol checks your SPF record it is going to know that the email did not come from you and not accept it. From what I understand you do not get the bounce back since aol could tell that the email did not originate from your domain due to your SPF record.

The record actually gives you some protection against spammers forging headers with your information. Once it is set up on the account you mentioned you should see a decrease in the bounce backs you are getting.

dagmoon
09-13-2004, 05:09 PM
Yes, thanks Wildjoker.

What I'm wondering, though, is if AOL, Yahoo, MSN etc check SPF and spammers know it, wouldn't that make our addresses more valuable to spammers? I'm sure it would take nothing to separate out the big-boys in their lists, leaving the rest of us sitting ducks for their extra attention, without SPF to protect our inboxes.

rbayless
09-13-2004, 05:11 PM
Yeah I had Ryan hook me up with an SPF record for my main domain name. I am still kind of curious about adding additional entries for my other 2 parked domain names.

Richard

wildjokerdesign
09-13-2004, 06:58 PM
Ok I guess I see what you mean but I don't think it is going to be an issue. I guess yes spammers may start removing emails from their databases that are at aol and other big companies but it still is not going to increase your chances of getting any more spam on your accounts. Remember spammers are lazy. That is one reason you are getting bounces from places like aol. Many spam setups are simply sending to random names at say aol going on the assumption that for every say 50 they make up 1 works. If they are sending out millions they get a pretty good return. They may stop doing that now but they are not going to start doing it to your domain because the return would be too small... that is unless you have hundreds of email accounts on your domain. They want volume and that you don't have.

The only way I have heard that spammers are possibly going to try and take advantage of this is that they are going to create their own SPF records for their domains. That still means they have to send it through their record and effectively stops the spoofing or forging of domains.

Yes being able to check SPF records for our incoming mail is going to give us another way to keep spam out of our own mailboxes and I know that WH is looking into the possibility of that on the VPS.

SPF is still pretty young so it will be interesting to see how it evolves. I think when it comes to spam the best thing is to not expect only one thing to do the job. Protect your emails the best you can, never use forms that are not secure to send email on your site, use SA or Procmail to filter incoming mail at server level and use filters on your local machine.

wildjokerdesign
09-13-2004, 07:03 PM
Yeah I had Ryan hook me up with an SPF record for my main domain name. I am still kind of curious about adding additional entries for my other 2 parked domain names.

Richard

Do you send email via your parked domain? I would think that if not then there would be no need to create an SPF record for them. If you do then simply have WH set up records for them.

rbayless
09-13-2004, 07:50 PM
Currently I do not use the other two domains to send out mail. However, I wanted to set up SPF records for them so they don't become tainted so I won't have problems sending mail from those domains in the future.. do you see what I mean? Hehe.. In other words, I just want to do it for protective measure. I like the idea of SPF, and know that it is new, so I just want to stay on top and not let any spammers or whoever taint my domain names.

:D

Richard

wildjokerdesign
09-13-2004, 08:12 PM
rbayless
You might take a look in /var/named to check and see if WH didn't add the others by default. That is where the zone file is. On the account I had it done I only have the main domain so there is only one file in there not sure if with parked domains if you get one for each or not.

I agree with you that you should go ahead and have records set up for each can't hurt and then it is already done if you decide to use them for mail.

rbayless
09-14-2004, 12:46 AM
wildjokerdesign,

Thank you again for your knowledge. I apologize for my ignorance regarding this and any future questions I might have..lol.

Richard

jdiesel
10-12-2005, 02:35 PM
Just for the record: I will always want the option to receive email regardless of the SPF record. I detest server-side spam blocking. This is one of the main reasons I am now using WestHost. It seems that I was unable to receive some emails at my last webhost, because the sending domain did not have an SPF record. So I lost business, and the senders gave up contacting me.

Since I can't control who properly installs SPF, I have to assume that most of the companies I deal with are not up-to-date. Since I am frequently called in to troubleshoot IT problems (in the LA area), I know for a fact that most IT departments are sadly lagging in this area.

So, I prefer to get lots of spam in my box, as opposed to losing potential customers. Unfortunately, this is not hypothetical, it is happening.

PLEASE do not reject incoming emails, or at least allow us the option of server-side spam control.

Armadillo
10-12-2005, 06:09 PM
Westhost will setup an SPF record for you if you submit a support request with the text you want added.

I do not think the server can be configured to check incoming mail for SPF though. It is only set up so others can verify the authenticity of mail claiming to be from you.

One of my sites has an SPF record and it has reduced the amount of fake bounce-back spam I was getting.

wildjokerdesign
10-13-2005, 04:21 PM
Armadillo is right. The only thing that WH currently offers is setting up the record for your site. This has nothing to do with email you receive via your web account. The only thing that it "may", notice I say may, help with is if a company does check for SPF records that you send email to it would be more likely that they would accept your email.

kipb
10-22-2005, 02:34 PM
I'd like to have SPF too! This will help the legit mail get through.

Sender ID Home Page:
http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx

also,
http://www.microsoft.com/presspass/press/2005/mar05/03-02SIDFPR.mspx