Hi,

Are any of you admins out there running SPF, or something similar?
http://www.openspf.org/

How well does it work for you?

Today I started getting a large number of "undeliverable" responses due to spammers forging my email address in the From: address.

Wondering if SPF is worth the trouble to set up.
I'm using postfix, btw.

Thanks,
-Jamie
On Tue, Apr 01, 2008 at 11:48:35AM -0400, Jamie Guinan wrote:
Are any of you admins out there running SPF, or something similar?
How well does it work for you?
DKIM is the "new SPF" standardized effort backed by Yahoo!, Cisco, Sendmail, Inc. and others. It combines Yahoo!'s DomainKeys and another one whose name I forget now. If I were to set something up, I'd probably use DKIM, but I have no experience with it myself.
I run 4 Linux mailservers and do all my own DNS for multiple domains. Yesterday (I think) one account on one domain got about 500 emails similar to what you described in a period of about 30 minutes. I have SPF records on many of my domains (because it was so simple to set up), and promptly added it to the DNS of the domain of the affected account. Today the number of such emails was down at least 10x, but I can't say for sure it was the SPF that did it.
Dick
From: Jamie Guinan <guinan@bluebutton.com>
Are any of you admins out there running SPF, or something similar?
This question is too hard for me. What is "running SPF"? I have these top secret records in my DNS zone file.

    keithdiane.us. IN MX 10 dsl.keithdiane.us.
    keithdiane.us. IN TXT "v=spf1 mx include:speakeasy.net ~all"

(Don't tell anybody.)

And I send all my mail through speakeasy, by which I mean that the SMTP server at keithdiane.us forwards through there as a "smart host". I don't use Speakeasy web mail, but if I don't forward through Speakeasy, too much mail gets rejected out of hand, just because it comes from a dsl line. (I think. (It's been a while since I tried it, and you never know exactly why you have been rejected.))

On the other hand, when a host sends mail _to_ my server, it does not check its DNS for SPF at all.
How well does it work for you?
Compared to what? I'm not sure how it works, because I've really never done it any other way. I do know that spam is way out of hand. I get over 100 a day of total stupid stink'n spam. (This does not count mailing lists that I am subscribed to that I do not actually read; just really stupid crap in Russian, repetitious attempts to sell stuff I had better not mention for fear of falling into the WPI filter, usw) It's almost to the point where I might do something . . . soon. Real . Soon . . . Now . . -- Keith .
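As an added illustration (not part of Keith's message and not taken from any SPF library), the sketch below evaluates the TXT record quoted above the way a receiving server would, using a simplified subset of RFC 7208 with DNS error handling omitted. The lookup table stands in for DNS; the speakeasy.net policy and every IP address in it are constructed placeholders.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed stand-in for DNS so the example runs offline. Only the
# keithdiane.us records come from the message; the speakeasy.net policy and
# every address (RFC 5737 documentation ranges) are placeholders.
ZONES = {
    "keithdiane.us": {"TXT": "v=spf1 mx include:speakeasy.net ~all",
                      "MX": ["dsl.keithdiane.us"]},
    "dsl.keithdiane.us": {"A": ["192.0.2.10"]},
    "speakeasy.net": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
}

def check_host(ip, domain, depth=0):
    """SPF result for a client `ip` claiming `domain` (subset of RFC 7208)."""
    terms = ZONES.get(domain, {}).get("TXT", "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # domain publishes no SPF policy
    if depth > 10:
        return "permerror"                 # guard against include loops
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                    # a bare mechanism means "pass"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            hosts = ZONES.get(arg or domain, {}).get("MX", [])
            matched = any(str(addr) in ZONES.get(h, {}).get("A", [])
                          for h in hosts)
        elif name == "include":
            # Matches only if the included policy says "pass"; its "-all"
            # does not fail the outer record, evaluation just moves on.
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"             # outside this example's subset
        if matched:
            return RESULT[qualifier]
    return "neutral"                       # nothing matched, no "all" term

if __name__ == "__main__":
    for client in ("192.0.2.10", "198.51.100.25", "203.0.113.77"):
        print(client, check_host(client, "keithdiane.us"))
```

The third sample address shows what `~all` means for forged mail: the receiver gets softfail, a hint to treat the message with suspicion rather than an instruction to reject it.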
On Sun, Apr 6, 2008 at 1:46 AM, Keith Wright <kwright@keithdiane.us> wrote:
I don't use Speakeasy web mail, but if I don't forward through Speakeasy, too much mail gets rejected out of hand, just because it comes from a dsl line. (I think. (It's been a while since I tried it, and you never know exactly why you have been rejected.))
If that's the reason your mail gets rejected, it's pretty cheap to get yourself a domain name without hosting or co-lo. -- Rich
I've had a Speakeasy DSL for -- I think -- about 6 years. I've got two mail servers, serving more than half a dozen domains. I don't forward through Speakeasy and I've never had a problem with rejected mail. Of course my Speakeasy DSL has multiple static IPs, which might make a difference. Keith, I wish I only got 100 spam/day .. across all my accounts it's closer to a million/year incoming
Dick
From: "Chaim The Squirrel Keeper" <richspk@gmail.com>
On Sun, Apr 6, 2008 at 1:46 AM, Keith Wright <kwright@keithdiane.us> wrote:
mail gets rejected out of hand, just because it comes from a dsl line.
If that's the reason your mail gets rejected, it's pretty cheap to get yourself a domain name without hosting or co-lo.
I send mail from a computer in my basement through a DSL line. There is no "hosting" or "co-lo" as I understand those terms, so I don't see the relevance of your comment. -- Keith
On Sun, Apr 6, 2008 at 4:03 PM, Keith Wright <kwright@keithdiane.us> wrote:
From: "Chaim The Squirrel Keeper" <richspk@gmail.com>
On Sun, Apr 6, 2008 at 1:46 AM, Keith Wright <kwright@keithdiane.us> wrote:
mail gets rejected out of hand, just because it comes from a dsl line.
If that's the reason your mail gets rejected, it's pretty cheap to get yourself a domain name without hosting or co-lo.
I send mail from a computer in my basement through a DSL line. There is no "hosting" or "co-lo" as I understand those terms, so I don't see the relevance of your comment.
The relevance is just that you don't need those extra-cost services to get a domain name. When you get a domain name, and set up your MX, reverse DNS, and other records properly, other mail servers recognize your mail server as being part of a legitimate domain instead of just an anonymous user of an ISP's IP address pool. -- Rich
From: "Chaim The Squirrel Keeper" <richspk@gmail.com>
On Sun, Apr 6, 2008 at 4:03 PM, Keith Wright <kwright@keithdiane.us> wrote:
From: "Chaim The Squirrel Keeper" <richspk@gmail.com>
On Sun, Apr 6, 2008 at 1:46 AM, Keith Wright <kwright@keithdiane.us> wrote:
mail gets rejected out of hand, just because it comes from a dsl line.
If that's the reason your mail gets rejected, it's pretty cheap to get yourself a domain name without hosting or co-lo.
I send mail from a computer in my basement through a DSL line. There is no "hosting" or "co-lo" as I understand those terms, so I don't see the relevance of your comment.
The relevance is just that you don't need those extra-cost services to get a domain name. When you get a domain name, and set up your MX, reverse DNS, and other records properly, other mail servers recognize your mail server as being part of a legitimate domain instead of just an anonymous user of an ISP's IP address pool.
Yes, that's a good idea. That's why I did it about four years ago. It works well, maybe sending mail through Speakeasy is not really necessary, but I seem to remember that I had a problem with rejected mail when I sent it from my own machine. Maybe something else was wrong, but it's not too broken now, so I don't fix it.
-- Keith

PS: The answer to the original question was that I use SPF for outgoing mail, but not incoming. It works, but maybe anything else would work as well. Maybe something else would work better.

Outgoing SPF requires setting up a Domain Name Server. Once that works it's easy. Example zone records were in the original answer.

Incoming SPF requires setting up an SMTP server. Even after the SMTP server is working, setting up SPF is fairly complicated. Maybe there is a distribution that does most of the setup for you.
-----Original Message----- From: Keith Wright
Yes, that's a good idea. That's why I did it about four years ago.
It works well, maybe sending mail through Speakeasy is not really necessary, but I seem to remember that I had a problem with rejected mail when I sent it from my own machine.
Maybe something else was wrong, but it's not too broken now, so I don't fix it.
-- Keith
Hmm... Have you ever called Speakeasy and asked them to set up reverse DNS for you? I seem to recall that's something they have to do on their end.
PS: The answer to the original question was that I use SPF for outgoing mail, but not incoming. It works, but maybe anything else would work as well. Maybe something else would work better.
Outgoing SPF requires setting up a Domain Name Server. Once that works it's easy. Example zone records were in the original answer.
Incoming SPF requires setting up an SMTP server. Even after the SMTP server is working, setting up SPF is fairly complicated. Maybe there is a distribution that does most of the setup for you.
Thanks for the reminder. Unfortunately, I don't have an answer to the original question. -- Rich
From: Richard Klein <richspk@gmail.com>
Hmm... Have you ever called Speakeasy and asked them to set up reverse DNS for you? I seem to recall that's something they have to do on their end.
Yes. As I said, that was all done years ago. Though actually I never called them. It was done via email. You might think that answering email would be the basic entry level requirement, the sine qua non/nada/zilch, that any moron would learn to do before becoming an ISP. Sadly, most Idiot Service Providers seem to be totally unable to answer email from customers. They are only interested in phone calls from people who have no email. Speakeasy has someone who knows what is and who answers email at 2am Sunday faster than most of them can get a sales droid to pick up the phone during business hours.

Anyway, I run a primary name server while they run a couple of secondaries and reverse DNS. I think I may have an officially "dynamic" IP address, but it was set up before DHCP. Speakeasy gave me an address when I signed up and since then neither of us have had any reason to touch it.
-- Keith
Chaim The Squirrel Keeper wrote:
The relevance is just that you don't need those extra-cost services to get a domain name. When you get a domain name, and set up your MX, reverse DNS, and other records properly, other mail servers recognize your mail server as being part of a legitimate domain instead of just an anonymous user of an ISP's IP address pool.
Except that, as Keith has experienced, and as I have also experienced, some systems recognize the sending IP address as coming from a block of known dynamically assigned addresses and reject the messages/connections even though all the domain info has been set up correctly. I have used TZO's services to work around this in the past. Highly recommended.
-----Original Message----- From: Doug Chamberlin
Except that, as Keith has experienced, and as I have also experienced, some systems recognize the sending IP address as coming from a block of known dynamically assigned addresses and reject the messages/connections even though all the domain info has been set up correctly. I have used TZO's services to work around this in the past. Highly recommended.
Ah, right. I forgot about that. I haven't run into that problem because I have a static IP address. -- Rich
participants (8)
- Chaim The Squirrel Keeper
- Chuck Anderson
- Dick Goodman
- Doug Chamberlin
- Jamie Guinan
- Keith Wright
- Richard Klein
- Richard Klein