Comments on: Validating the sender domain (Keeping spam out of the network #2) http://blogs.mcafee.com/mcafee-labs/validating-the-sender-domain-keeping-spam-out-of-the-network-2 Fri, 18 May 2012 09:34:59 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Devon Shimer http://blogs.mcafee.com/mcafee-labs/validating-the-sender-domain-keeping-spam-out-of-the-network-2/comment-page-1#comment-9165 Devon Shimer Wed, 02 Jun 2010 21:06:43 +0000 http://www.labs.com/research/blog/?p=241#comment-9165 great advice and sharing,I will buy one this fantastic pants for me .thanks great advice and sharing,I will buy one this fantastic pants for me .thanks

]]> By: jimiques http://blogs.mcafee.com/mcafee-labs/validating-the-sender-domain-keeping-spam-out-of-the-network-2/comment-page-1#comment-9164 jimiques Mon, 09 Mar 2009 16:52:49 +0000 http://www.labs.com/research/blog/?p=241#comment-9164 If you run dig -t TXT _spf.google.com you will get "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all" Should we forbid mail from google? I believe it will cut off half of the world from your organization If you run dig -t TXT _spf.google.com you will get “v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all”
Should we forbid mail from google? I believe it will cut off half of the world from your organization

]]> By: Douglas Otis http://blogs.mcafee.com/mcafee-labs/validating-the-sender-domain-keeping-spam-out-of-the-network-2/comment-page-1#comment-9163 Douglas Otis Tue, 17 Apr 2007 18:20:52 +0000 http://www.labs.com/research/blog/?p=241#comment-9163 The assertion that "+all" indicates intent to spam is not correct. Such a record may also mean this record is ONLY intended for use with static white-lists, and to ensure forwarded email is not inadvertently lost. It seems not everyone respects the intent of various SPF results. : ( bell.ca would be one example of this. The assertion that “+all” indicates intent to spam is not correct. Such a record may also mean this record is ONLY intended for use with static white-lists, and to ensure forwarded email is not inadvertently lost. It seems not everyone respects the intent of various SPF results. : (

bell.ca would be one example of this.

]]> By: Douglas Otis http://blogs.mcafee.com/mcafee-labs/validating-the-sender-domain-keeping-spam-out-of-the-network-2/comment-page-1#comment-9162 Douglas Otis Tue, 17 Apr 2007 16:55:51 +0000 http://www.labs.com/research/blog/?p=241#comment-9162 Requesting that recipients check SPF records overlooks the sizable and very real hazard created by SPF as a DDoS exploit. _ALL_ the malicious SPF traffic generated by bad actors can be done without expending any of their resources. The bad actor would only need to utilize the local-part of some email address to randomize all subsequent queries without their base SPF record being re-read. SPF expects as many as 11 subsequent SPF records to be read, which might be wildcard records now given local-part sub-domains! SPF also expects as many as 100 A, or AAAA records to be queried before quitting. This alone exceeds the amplification of all other DNS DDoS related exploits! The bad actor can simply conclude their records with "+all" where their email then receives flying colors. Requesting that recipients check SPF records overlooks the sizable and very real hazard created by SPF as a DDoS exploit. _ALL_ the malicious SPF traffic generated by bad actors can be done without expending any of their resources. The bad actor would only need to utilize the local-part of some email address to randomize all subsequent queries without their base SPF record being re-read.

SPF expects as many as 11 subsequent SPF records to be read, which might be wildcard records now given local-part sub-domains! SPF also expects as many as 100 A, or AAAA records to be queried before quitting. This alone exceeds the amplification of all other DNS DDoS related exploits! The bad actor can simply conclude their records with “+all” where their email then receives flying colors.

]]> By: Fergie http://blogs.mcafee.com/mcafee-labs/validating-the-sender-domain-keeping-spam-out-of-the-network-2/comment-page-1#comment-9161 Fergie Tue, 17 Apr 2007 09:47:55 +0000 http://www.labs.com/research/blog/?p=241#comment-9161 SPF can be dangerous. DKIM is a much better, simple solution. - ferg SPF can be dangerous. DKIM is a much better, simple solution.

- ferg

]]>