Message Board

Donating MX Entries

 SPF information
Author: J.Simpson   (23 Nov 04 3:34am)
one potential issue i can see is if a spammer gets a honeypot address into their list and their spam-sending program chooses random email addresses to forge "From" addresses on their spewage, anybody who tries to send a bounce message back to the forged address will be identifying themselves as a spam harvester.

this is something which the projecthoneypot.org mail servers will need to identify and, for bounces and out-of-office autoreply messages, NOT treat the messages as honeypot hits. having gone through this recently with my own "delete.net" honeypot (handled on my own, not through projecthoneypot.org- the delete.net web site explains it.) i have had to deal with this, and until about a month ago i had to manually inspect the messages before they were reported to spamcop. i will be emailing the developers directly with some information about how to recognize bounces and autoreplies automatically (hint: RFC 1891 and RFC 3834.)

another tool i use in fighting spam is SPF. the idea is that i serve a DNS record which lists all of the IP addresses which are allowed to send email claiming to be "From" a given domain name.

for example, i send all of my outgoing mail through my own server. the SPF record for my email address's domain name contains my server's IP addresses, along with an instruction which says "and no others".

if another server receives a message claiming to be from my domain, it can check the SPF record for my domain and see the full list of IP addresses which are okay... if the message didn't come from my server, the message is forged and may be deleted.

SPF isn't perfect- there are some cases (mailing lists, webmail form submissions, remailers, etc.) where a legitimate message may arrive from a different IP which is not on the list, and be blocked by mistake... but these kinks are being worked out and i'm fairly sure that it won't be an issue for too much longer.

in the meantime, if all you want to do is serve an empty list (i.e. "there are no IP addresses which are allowed to send mail claiming to be from this domain") then these issues are not problems.

if you'd like to serve such a record for the domain whose MX record you are donating to project honeypot, here's what it needs to look like...

(for djbdns)
'domain.name:v=spf1 -all:3600

(for BIND)
domain.name. IN TXT "v=spf1 -all"
 
 SPF record - valid mail source
Author: K.Prince   (15 Jan 05 1:51pm)
I came here looking for info on SPF, and here it is.

I was also worried about the spoofing of my donated subdomains, as the domain owner and contact, and already protect all my A and MX records with SPF records, whether or not they are mail domains.

However for the purpose of this exercise, there is a possibility that a clever spammer may test the SPF record, and note that it is not an active email domain if it has the "v=spf1 -all" record associated, which looks suspicious.

I have decided therefore to use a different SPF record, "v=spf1 mx -all", which designates the target of the MX record(s) as the only valid source mailserver. Whilst this is adequate, and looks good from mister spammer's perspective, it would mean I trust the honeypot project not to abuse my domain.

I could put a different record that points to my own servers as the only trusted ones, but since I trust the honeypot project enough to donate mx records within my domains, this isn't a problem to me, so "v=spf1 mx -all" it is then.
 
 Re: SPF information
Author: M.Prince   (15 Jan 05 4:28pm)
Thanks. We've struggled with the right setting to tell our users to use for their SPF records. I had the same concern as you: that spammers could test the SPFs. I like your solution. We'll knock it around and maybe add it to the FAQ and DNS Instructions pages.

Thanks for the great suggestion!
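
Added example, not part of any post in this thread: a simplified receiver-side SPF check showing how the records discussed above ("v=spf1 -all", "v=spf1 mx -all", and an own-server IP list ending in "-all") evaluate for a given sending IP. It handles only the `all`, `ip4` and `mx` mechanisms; the domain names, addresses and the `ZONE` lookup table are constructed stand-ins for real DNS.

```python
import ipaddress

# Constructed zone data (example names, documentation-range IPs); not real DNS.
ZONE = {
    "mx": {"hp.example.org": ["mail.honeypot.example"]},
    "a": {"mail.honeypot.example": ["192.0.2.25"]},
}

# SPF qualifier -> result when the mechanism it prefixes matches.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def mx_addresses(domain, zone):
    """Resolve a domain's MX targets to their A records via the constructed zone."""
    hosts = zone["mx"].get(domain, [])
    return {ip for host in hosts for ip in zone["a"].get(host, [])}


def check_spf(record, sender_ip, domain, zone=ZONE):
    """Evaluate a subset of SPF (all, ip4, mx) left to right; first match wins."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term[1:] if term[0] in RESULTS else term
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = bool(arg) and ip in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            matched = str(ip) in mx_addresses(arg or domain, zone)
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # nothing matched and the record has no "all"


if __name__ == "__main__":
    for rec in ("v=spf1 -all", "v=spf1 mx -all", "v=spf1 ip4:203.0.113.0/24 -all"):
        for src in ("192.0.2.25", "198.51.100.7", "203.0.113.9"):
            print(f"{rec!r:36} from {src:14} -> {check_spf(rec, src, 'hp.example.org')}")
```
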




Copyright © 2004–24, Unspam Technologies, Inc. All rights reserved.
