OT: Question

[Rick Cooper]

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info 
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Ken A
> Sent: Friday, April 03, 2009 10:14 AM
> To: MailScanner discussion
> Subject: Re: OT: Question
> 
> Rick Cooper wrote:
> >  
> > 
> >> -----Original Message-----
> >> From: mailscanner-bounces at lists.mailscanner.info 
> >> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
> >> Of Scott Silva
> >> Sent: Thursday, April 02, 2009 7:33 PM
> >> To: mailscanner at lists.mailscanner.info
> >> Subject: Re: OT: Question
> >>
> >> on 4-2-2009 3:37 PM Rick Cooper spake the following:
> >>>  
> >>>
> >>>> -----Original Message-----
> >>>> From: mailscanner-bounces at lists.mailscanner.info 
> >>>> [mailto:mailscanner-bounces at lists.mailscanner.info] On 
> >> Behalf Of Ken A
> >>>> Sent: Thursday, April 02, 2009 4:42 PM
> >>>> To: MailScanner discussion
> >>>> Subject: Re: OT: Question
> >>>>
> >>>> Rick Cooper wrote:
> >>>>> Just a query regarding bounces: How many of you actually 
> >> bounce mail
> >>>>> anymore? I ask this question because I noted a huge number 
> >>>> of rejects on one
> >>>>> of my servers that appear to be valid bounce attempts to an 
> >>>> address of
> >>>>> info at mydomain.com for the last week or so. I have an ACL 
> >>>> that looks at the
> >>>>> local part of recipients and if that local part is being 
> >>>> used it denies the
> >>>>> message (even null sender) with a message stating there is 
> >>>> no such user and
> >>>>> it's an address currently being joe-jobbed. I see the same 
> >>>> ips repeatedly
> >>>>> attempting a bounce for days.
> >>>> I've got one: eqnjahdhx at domain.tld. We host the domain, 
> >> but of course
> >>>> they don't send the spam. They aren't even aware of it. 
> We are the 
> >>>> joe-jobbed victim. We don't accept the bounces, but they are
> >>>> annoying, and it's been going on for well over a year. I 
> >> tightened up 
> >>>> the SPF record, but I don't think that helped much. People 
> >>>> who accept, 
> >>>> then bounce mail will eventually learn, or be buried, I 
> >>>> think. The 550 
> >>>> error on this one now says "Please dont bounce forged spam". 
> >>>> That hasn't 
> >>>> helped either. It just takes time.
> >>>>
> >>>> Ken
> >>> [...]
> >>>
> >>> That is the frustration that I feel. Pick a list having 
> >> something to do with
> >>> mail, SA, Exim, pretty much any and you will hear people 
> >> stating what a
> >>> waste of time SPF is but when it comes to something like 
> >> this I would much
> >>> prefer a DNS txt check over repeatedly trying to send a 
> >> bounce. And they
> >>> would be miles ahead because they would have never wasted 
> >> time taking the
> >>> mail. 
> >>>
> >>> I guess nothing works if you don't use it.
> >>>
> >> SPF is only a poor method of anti-spam tool. As a tool to 
> >> control bounces, it
> >> seems to be much better. Another problem with it is many of 
> >> the server records
> >> are set to softfail (~),pass (+), or neutral (?), instead of 
> >> fail(-) . Even
> >> the spf wizard that many people used seems to either set 
> >> softfail or neutral,
> >> and unless you dig in the docs, you wouldn't know any better.
> >>
> > 
> > 
> > I agree, especially since many spammers are publishing SPF 
> records now. But
> > if one just checks and denies outright a hard fail that 
> could help quite a
> > bit. Sites that help you build your records should 
> absolutely make it clear
> > once your setup is tested it should go to -fail. I score 
> ~fail quite high
> > because that is basically a lazy admin. "We are stating the 
> preceding hosts
> > are our only authorized MTAs, but go ahead and accept from 
> everyone else too
> > just in case we haven't done our job". SPF won't stop spam 
> for sure, but if
> > everyone used proper records with a hard fail it could go a 
> long way in
> > eliminating joe-jobs, and forgeries, so why not use it? 
> Same with domain
> > keys, not *the* answer but certainly *A* tool
> 
> Why not use it? It's usable only if you understand it, and it can be 
> 'inconvenient' for customers to have to send through a 
> defined list of 
> outgoing servers.
> 
> ISPs, web hosts, a large number of mail server admins (myself 
> included), 
> cannot set hard fail for most small business domains. 
> Customers expect 
> email to _work_, and they send from a number of locations 
> using a number 
> of systems (work, home, library, college, etc). Setting hard 
> fail will 
> only generate calls to your support desk unless customers 
> understand the 
> implications.
> 
> Wouldn't it be great if customers read about SPF on the 
> support section 
> of your web site, and were thrilled about it? Reality check... Most 
> customers do not care about SPF, and have no interest in 
> learning about 
> it unless it can benefit them in some immediate way - if 
> their domain is 
> being actively spoofed, for example. In practice, this rarely happens.
> 
> Ken
> 
> > 

I guess I am doing it wrong then. Our people send from work, home, hotels,
etc and nothing that gets sent from one of our addresses passes through any
server not listed in our SPF records. People occasionally use poorly written
web interfaces that attempt to send email from their (our users's) address
but from their (host's) own server and those will be rejected by any SPF
enabled MTA. Good... If a email comes from your web form it should be from
your domain not mine.

Of course as a rule our corporate servers do not do web hosting, as a rule.
I do, in fact, have one that hosts for some orgs that our owner is involved
in and all the DNS and SPF records are reflective of that. Those people are
fully aware that any outbound mails for their domains must be sent through
the appropriate host or risk it being rejected by the recipient's MTA. It's
a rule, not a recommendation and you have to have those now and then. We
also require authentication from our corporate users regardless of where
they are sending from (except from one of our webmail services). They are
given written instructions as to how to do that with outlook, outlook
express, and thunderbird. If they have a problem they call, part of the job.

I do not explain domain keys, spf, or any other part of how their mails get
from their fingers to the recipient, they wouldn't care anyway. I do explain
the rules and expect them to be followed, even by the person who signs my
pay check every month.

If I were an ISP I would be just as tight. If comcast, Verizon, etc enforced
their AUPs our world would be a bit easier. Pretty hard to send spam or
perform dictionary attacks from a bot if it can't make port 25, 110, 143
connections outside of the ISPs authorized servers. Of course there would be
work involved with maintaining the proper listings, entries reflecting your
topology but I would hazard a lot less than there is now trying to keep the
bad stuff out of everyone's systems

I think one of the basic reason's that malicious mail traffic has never
really been addressed is because there are a lot of people out there that
seem to get a visceral thrill out of being "spam ninjas". Not me, better
things to do.

Just my opinion

Rick


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.