Watermarking and spoofed sender address

Kevin Miller Kevin_Miller at ci.juneau.ak.us
Thu Mar 21 00:12:17 GMT 2013


Sounds good.  The thing about SPF is it validates where a message is *from*, not to.  Basically, you tell it (in DNS) which servers are authorized to send mail as SOMEONE at cnm.edu.  It's not so much a filter for inbound mail as it is a way for mail servers to determine whether mail actually came from your server or not.  The effect of that however is that you can filter on mail coming in because you can verify the source.  If it came from one of the hosts you've authorized, it's valid, at least as far as SPF is concerned.  And if I receive a message that claims to be from you, I can also validate the source.

Linux Journal had a couple of good articles on it about 6 or 7 years ago. You might hit their web site and see if they're still available.  They're worth the read...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Robert Lopez
Sent: Wednesday, March 20, 2013 2:22 PM
To: MailScanner discussion
Subject: Re: Watermarking and spoofed sender address


Kevin,
You have pointed to several things I need to look into.  All our senders send and receive as someone at cnm.edu.  The email gateways forward all email to anyone who is a student on to gmail.
No, there is no specific SPF milter on the inbound server. Yes, MailScanner is accepting mail from the outside for all users.
I will contact the SPF mailing list. Thanks.

On Wed, Mar 20, 2013 at 12:48 PM, Kevin Miller <Kevin_Miller at ci.juneau.ak.us> wrote:
It's not clear to me how you're sending/receiving mail.  Do users send/receive as someone at gmail.com or someone at cnm.edu?

Also, you have SPF set to softfail. That will flag a message as a fail, but doesn't actually deny it.  Are you running an SPF milter on your inbound server?  I presume that you have a MailScanner host that is accepting mail from the outside for your users.

There's an SPF mailing list, similar to this list.  Probably best to jump onto it.  There's some sharp guys over there...

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Robert Lopez
Sent: Wednesday, March 20, 2013 9:28 AM
To: MailScanner discussion
Subject: Re: Watermarking and spoofed sender address

Kevin,
If we do use SPF could there be something in the way we use it that it does not help?  We added it as part of our outsourcing student email.

From http://www.kitterman.com/getspf2.py as of Wed Mar 20 2013:
"
SPF record lookup and validation for: cnm.edu
SPF records are primarily published in DNS as TXT records.

The TXT records found for your domain are:
v=spf1 include:_spf.google.com mx ~all

SPF records should also be published in DNS as type SPF records.

Type SPF records found for the domain are:
v=spf1 include:_spf.google.com mx ~all

Checking to see if there is a valid SPF record.

Results - Record may be valid, but ambiguous: v=spf1 records of both type TXT and SPF (type 99) present, but not identical

Found v=spf1 record for cnm.edu:
v=spf1 include:_spf.google.com mx ~all

evaluating...
SPF record passed validation test with pySPF (Python SPF library)!
"

On Wed, Mar 20, 2013 at 10:20 AM, Kevin Miller <Kevin_Miller at ci.juneau.ak.us> wrote:
For what you're trying to do, SPF is a better option.

 ...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Robert Lopez
Sent: Tuesday, March 19, 2013 3:58 PM
To: MailScanner discussion
Subject: Watermarking and spoofed sender address

I understand watermarking is to defend against "joe job blowback". I think I understand that blowback problem is when email is sent, using for example my address, to many other domains and all the flack (blow back) comes back to me.
I am wondering if this watermarking is of any use in a type of SPAM we now frequently see. It is where email is sent to a list of addresses, all at our domain, and the from address is also the first address in the address list. Everyone else thinks the first person sent it. Our gateways send such email to Exchange and any communication back to the sender is entirely within Exchange and never comes back through the gateways again.

In this kind of SPAM I have always considered it of no use. Am I wrong in my thinking?

--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!



--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106


--
Robert Lopez
Unix Systems Administrator
Central New Mexico Community College (CNM)
525 Buena Vista SE
Albuquerque, New Mexico 87106
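
Added example, not part of the thread or of MailScanner: a small Python sketch of how a receiving server evaluates the record quoted above, showing why `~all` only flags a message from an unauthorized host that claims a cnm.edu sender, while `-all` yields a result a gateway can reject on. The DNS contents, the IP addresses (documentation ranges) and the `gateway_action` policy are constructed assumptions, and only the `ip4`, `mx`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS; addresses are RFC 5737 documentation ranges,
# not the real contents of any of these records.
TXT = {
    "cnm.edu": "v=spf1 include:_spf.google.com mx ~all",   # record quoted in the thread
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",  # constructed
}
MX_ADDRS = {"cnm.edu": ["192.0.2.25"]}                     # constructed gateway address

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, txt=TXT):
    """Evaluate the SPF record of `domain` for a connecting client `ip`."""
    record = txt.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIER else "+"   # default qualifier is pass
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg)
        elif name == "mx":
            matched = ip in MX_ADDRS.get(arg or domain, [])
        elif name == "include":
            # include matches only when the included record itself returns pass
            matched = check_host(ip, arg, txt) == "pass"
        else:
            continue  # mechanisms outside this sketch are skipped
        if matched:
            return QUALIFIER[qual]
    return "neutral"

def gateway_action(result):
    """Hypothetical inbound policy: reject on fail, tag on softfail."""
    return {"fail": "reject", "softfail": "tag"}.get(result, "accept")

# Same record with a hard fail, for comparison.
STRICT = dict(TXT, **{"cnm.edu": "v=spf1 include:_spf.google.com mx -all"})
```
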