On 10/04/2010 11:47 AM, Greg Whynott wrote:
> A partner had a security audit done on their site. The report said they were at risk of a DoS due to the fact they didn't have a SPF record.
We publish a ~all record for our domain. I think it's bad practice to publish any other result because you're making assertions which are almost definitely untrue. +all implies that anywhere on the internet is a valid origination, and -all implies you are certain nothing else could ever send an email on behalf of your domain.

The most common situation where another host sends on your domain's behalf is a forwarding MTA, such as NANOG's mailing list. A lot of MTAs will only trust that the final MTA handling the message is a source host. In the case of a mailing list, that's NANOG's server. All previous headers are untrustworthy and could easily be forged. I'd bet few, if any, people have NANOG's servers listed in their SPF, and delivering a -all result in your SPF could easily cause blocked mail for anyone that drops hard-failing messages.

If you're going to filter using SPF, I believe best practice is to consider all mail from a +all or neutral record the same as mail that soft or hard fails a ~all or -all record. By filtering, I mean I would simply subject those messages to additional testing, but never block exclusively based upon an SPF result. I would just ignore SPF, and that's what I do on MTAs I configure.

All you'll really be preventing with SPF is some backscatter and messages which forge the source information for domains that have even bothered to publish accurate records. A huge amount of the spam you get will pass SPF (or return neutral) and possibly pass DKIM as well, because the big spam operations register new domains and set up SPF before they start spamming.

-- 
Kevin Stange
Chief Technology Officer
Steadfast Networks
http://steadfast.net
Phone: 312-602-2689 ext. 203 | Fax: 312-602-2688 | Cell: 312-320-5867
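The forwarding scenario and the filtering policy described in the message above, as an added worked example (not code from the original thread or from Steadfast Networks). It is a minimal SPF evaluator that handles only the ip4, ip6 and all mechanisms so it runs offline; include, a, mx and other DNS-backed mechanisms are deliberately left unimplemented. The record, the domain's own sender address and the mailing-list relay address are constructed for illustration; the "list server" stands in for any forwarding MTA that is not in the sender's record.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 4408 section 4.6.2). No prefix means "+".
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 TXT record into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")   # "ip6:2001:db8::/32" -> ("ip6", "2001:db8::/32")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def evaluate_spf(record, client_ip):
    """Return (result, matching_mechanism) for client_ip against a record made of
    ip4/ip6/all terms. With no matching term and no 'all', the result is neutral.
    Mechanisms that need DNS (include, a, mx, ...) are not modelled here."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech == "all":
            return QUALIFIER_RESULT[qualifier], "all"
        if mech in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier], mech
            continue
        raise NotImplementedError(f"mechanism {mech!r} needs DNS; not modelled")
    return "neutral", None


def filter_action(record, client_ip):
    """The policy the message argues for: never reject on SPF alone.
    A clean pass from a concrete mechanism is delivered; a pass produced by
    '+all' (an assertion that everywhere is a valid origin) counts for nothing,
    as do neutral, softfail and fail. All of those get extra checks instead."""
    result, mech = evaluate_spf(record, client_ip)
    if result == "pass" and mech != "all":
        return "deliver"
    return "extra_checks"


# Constructed scenario: a domain whose only legitimate outbound host is in
# 192.0.2.0/24, and a mailing-list relay at 203.0.113.5 that is not listed.
SENDER_IP = "192.0.2.10"
LIST_SERVER_IP = "203.0.113.5"
SOFT_RECORD = "v=spf1 ip4:192.0.2.0/24 ~all"
HARD_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"
OPEN_RECORD = "v=spf1 +all"


def forwarding_outcomes():
    """What a receiving MTA that only trusts the last hop sees for each record."""
    return {
        "direct, ~all": evaluate_spf(SOFT_RECORD, SENDER_IP)[0],
        "via list, ~all": evaluate_spf(SOFT_RECORD, LIST_SERVER_IP)[0],
        "via list, -all": evaluate_spf(HARD_RECORD, LIST_SERVER_IP)[0],
        "via list, +all": evaluate_spf(OPEN_RECORD, LIST_SERVER_IP)[0],
    }


if __name__ == "__main__":
    for label, outcome in forwarding_outcomes().items():
        print(f"{label:16} -> {outcome}")
    print("policy on -all via list:", filter_action(HARD_RECORD, LIST_SERVER_IP))
```

The key point the table of outcomes shows is that a -all record turns every message relayed through an unlisted forwarder into a hard fail at the final receiver, while ~all only softfails it; filter_action never returns a reject in either case, which is the behaviour the message recommends for sites that look at SPF at all.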