Massive spam run this weekend
Brian K. White
brian at aljex.com
Tue May 27 13:38:42 PDT 2008
SPF records are not the answer they promise to be.
I believe I have a situation where I'm not doing anything wrong or that should be considered wrong, and which works fine according to the normal email system pre-spf, and which spf either does not allow for, or which would require an unacceptable new maintenance burden to maintain if it is possible somehow within the spf framework.
So, I have to have no spf records at all because the spf spec says that in the absence of any spf record then the action to take is to accept the mail. I have run into a few recipient hosts that are violating this part of the spf spec so really I can't win 100% no matter what I do.
What I'm doing is:
In my application I allow the user to fill in a return email address for themselves, and for their company, and a few other places for special purposes (accounting, dispatch, etc.. various tasks and positions common to all my customers as they are all in the same or very similar business)
The end user may enter and update these addresses at their own convenience any time.
Various places in the app send emails directly and forge the from/reply-to/errors-to/etc.. with these addresses.
The individual application servers do not receive email at all because:
a) I have no need for them to
b) Given a), the simplest and surest way to ensure I never relay is just never accept email at all.
My app may appear to be spamming now and then according to a poorly written spam filter here & there, but they will always be wrong and there is no help for that except to explain each time it happens to the people doing the blocking. At least I can safely know I am never relaying.
The app is running on one of an open-ended number of identical physical servers, located in one of an open ended number of physical locations and net connections. And any number of users from any number of different companies may be hosted on a given server, but there is no virtual domain set up on these servers like a typical web host. The customers all have their own email domain already hosted somewhere else, or many times they don't even have any email on their own domain (foo at yahoo.com etc..)
So, a given box, say, nc7.aljex.com may host 10 different companies today. So that box today sends out emails "from" foo at aaa.com, foo at bbb.com, foo at gmail.com etc... The mails are really from root or filepro at nc7.aljex.com but those are the least useful or correct for any reply-to or errors-to, since nc7 and all the rest do not receive email at all.
I don't own aaa.com, certainly not gmail.com! And so I can't create an spf record in aaa.com that says it's ok for nc7.aljex.com to send email for aaa.com. And even if I could, or if I had the cell phone number of the guy who actually knows aaa.com's domain registrar account & password and can update dns records for aaa.com... (I almost never know that btw, and usually neither does the customer without spending a day trying to dig up old paperwork and calling several likely suspects), but even if I myself was managing aaa.com's domain, I may move company aaa to or2.aljex.com tomorrow, and then to fl1.aljex.com the next day.
It's completely impractical to do all those updates even if they were possible, and it's also unacceptable to use a globbing rule (if they are even possible in spf) like allow *.aljex.com because several *.aljex.com, not least of which are www. and mail. .aljex.com are hosted by third parties who also host lots of other companies I have nothing to do with and can't vouch for. Spam could very easily start spewing out of the physical machine that www.aljex.com or mail.aljex.com lives on, from one of site-one.net's thousands of other customers, or virtdom.com's thousands of customers. Or one of my own boxes could get hacked.
Since I see no reason why what I'm doing right now should be considered wrong (I'm neither spamming nor relaying, and the forged reply-to's point back to the best people to actually respond to any delivery problems.), I insist on continuing to do it (sending emails from application servers on behalf of and with reply-to pointing back to, my end users). Since spf does not offer any way to provide for that, the only way I can operate is to have no spf records at all.
--
Brian K. White brian at aljex.com http://www.myspace.com/KEYofR
+++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++.
filePro BBx Linux SCO FreeBSD #callahans Satriani Filk!
----- Original Message -----
From: "Walter Vaughan" <wvaughan at steelerubber.com>
To: "filePro" <filepro-list at lists.celestial.com>
Sent: Tuesday, May 27, 2008 11:27 AM
Subject: Re: Massive spam run this weekend
> Kenneth Brody wrote:
>
>>There was a massive spam run this weekend with my e-mail address forged as
>>the "from" address. As such, I ended up with nearly 2000 (!) bounces in
>>my inbox that made it through my spam filters. (I haven't yet checked my
>>filters for how many more were caught.)
>>
>>
> Does bestweb.net not have SPF records in place?
> http://en.wikipedia.org/wiki/Sender_Policy_Framework
>
> We didn't and I had same problem month ago.
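
How a receiving host would evaluate SPF for mail sent by one application server on behalf of several customer domains, as in the message above. This is an added example, not part of the original post: the TXT records, the `.example` domains and the address 203.0.113.7 are constructed, and the evaluator is a simplified model of RFC 7208 `check_host()` covering only `ip4`, `include` and `all`.

```python
import ipaddress

# Constructed TXT data: aaa.com / bbb.com are the post's placeholder names,
# the records and all addresses (documentation ranges) are made up.
TXT = {
    "bbb.com": "v=spf1 ip4:198.51.100.0/24 -all",    # only its own mail hosts
    "ccc.example": "v=spf1 ip4:203.0.113.7 ~all",    # lists the app server
    "ddd.example": "v=spf1 include:bbb.com ?all",    # delegates to bbb.com
    # aaa.com publishes no SPF record at all
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Simplified RFC 7208 check_host(): ip4, include and all only."""
    record = TXT.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"
    if depth > 10:                      # crude stand-in for the lookup limit
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIER else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"          # mechanism not modelled here
        if matched:
            return QUALIFIER[qual]
    return "neutral"                    # nothing matched and no "all"


def spf_for_envelope(ip, mail_from):
    """SPF is keyed on the SMTP MAIL FROM domain, not the header From."""
    return check_host(ip, mail_from.rsplit("@", 1)[1])


if __name__ == "__main__":
    APP_SERVER = "203.0.113.7"          # constructed stand-in for an app server
    for sender in ("foo@aaa.com", "foo@bbb.com", "foo@ccc.example", "foo@ddd.example"):
        print(sender, "->", spf_for_envelope(APP_SERVER, sender))
```
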