
Validating the sender domain (Keeping spam out of the network #2)

Monday, April 16, 2007 at 6:02am by Archive

Some weeks ago I read a good blog on callback verification. I totally agree with the author on this topic – it is a pathetic technique for preventing spam.

Old-timers will remember the SMTP VRFY command. For those who are not aware of it, let me quote from the RFC [1]:

This command asks the receiver to confirm that the argument identifies a user or mailbox. If it is a user name, information is returned as specified in section 3.5.

Due to security issues – mostly spam related – this command is no longer fully supported in any self-respecting mail configuration. Instead, a strictly RFC-compliant MTA will typically respond with

252 Cannot VRFY user, but will accept message and attempt delivery

Callback verification is just VRFY in different clothing. An attempt is made to verify the sender by connecting back to one of the MX hosts of the sending domain. Instead of a VRFY, a RCPT TO is sent with the sender's email address to see how the MTA responds. For the same reasons as with the VRFY command, RCPT TO will default to returning a 250 response more often than not. The end result is wasted bandwidth, increased SMTP response times, and the potential to be blacklisted, as too many callbacks may appear as a directory harvest attempt. In the worst case, if this verification is used on a continual basis, your MTA might even be blacklisted because it could be deemed to be directory harvesting. We threw VRFY away a long time ago; let's not fake it up under another schema.

All is not in vain; continuing on my theme of simple and practical techniques for keeping spam out of the network, let's analyse the sender domain:

(1) Do a deliverability check: Does it have an MX record? If not, does it resolve to an A-record or an AAAA-record [2]? Unless you have some local routes that will handle delivery for the domain, don't accept it. If a SERVFAIL is encountered, return a 418 code. This is not a foolproof method. Even if proper DNS records exist, none of the listed servers might actually host an SMTP server. Whatever you do, DO NOT connect back in an attempt to check this!

(2) Do the SPF check: Yes, yes, I keep hammering on about SPF, but it is a vital, even though potentially temporary, link in fighting spammers. If more people set SPF records [3], we can temporarily defeat spammers at MAIL FROM. SPF is a community effort, not a vendor security effort. Everyone in the community has to take part for this to work.
Now, before all you anti-SPF'ers come thundering down on me, have a look at this random subset of badly-reputed domains from our Domain Reputation Database. Some of us at Avert Labs monitor the reputations of domains closely and keep quantitative data on the behaviour of domains at any point in time. I took this sample and performed some simple DNS analysis on them, specifically looking for the following data:

  • Promiscuous SPF records are SPF records that contain +all. That is in total contradiction to the intent of SPF and is a nearly carte blanche indication that this domain is purely intended to be used for spam.
  • Suspect softfail SPF records are those containing ~all. This is typically used for a transition period, but in many cases it is just there to fool MTAs into believing that the sending IP is good. Although not as bad as +all, these kinds of records should always be treated as suspect. Unless you have a very good reason for still using ~all at this point in your own domains, it is time you switched to -all.
  • Netblocks in SPF: A number of SPF records do not fall into the above two categories, but they do contain large netblocks. I consider this to be suspicious in many cases. A /24 block indicates that a domain allows email to originate from 253 different IPv4 addresses! I have noticed that some people do this because they are on dynamic IPs and would like to send email from their own servers. But why do this and not route through the ISP? A little include section in the SPF record will solve that issue. More worrying is that this might be a botnet owner / spammer who uses a specific subnet to send spam originating from a specific domain. There are those people who put /8 in their SPF records. Humour me! How different is that from +all?
  • Mail records: Some domains list MX records, but none of those resolve to an A/AAAA record. Others have no MX or A/AAAA records at all. These domains are not allowed to send email, and an inbound MTA should not accept email from such domains.
Sample of Bad Domains Tested    42181
Promiscuous SPF                 3.24%
Suspect softfail SPF           10.55%
SPF records no +all or ~all    23.68%
SPF records netblocks /24+     13.42%
SPF records netblocks /8        0.42%
SPF good                        9.83%
Bad DNS records                11.74%
No MX resolves                  0.68%
No MX, no fallback A/AAAA      22.29%
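As an added example (not code from the post or from Avert Labs), here is the deliverability check of step (1) and the SPF triage from the list above run against a constructed DNS snapshot so that it works offline. The domain names and records are invented, the include: handling is added to show how an included +all still ends up permitting every sender, and the final accept/suspect/reject/tempfail mapping in mail_from_verdict is an assumed policy, not one the post prescribes.

```python
import ipaddress
import re

# Constructed snapshot, not real zones: name -> {rrtype: [values]}.
# None models a zone whose servers answer SERVFAIL.
DNS = {
    "good.example": {"MX": ["mail.good.example."], "TXT": ["v=spf1 mx include:_spf.isp.example -all"]},
    "mail.good.example": {"A": ["192.0.2.10"]},
    "_spf.isp.example": {"TXT": ["v=spf1 ip4:198.51.100.0/26 -all"]},
    "promisc.example": {"A": ["192.0.2.11"], "TXT": ["v=spf1 +all"]},
    "soft.example": {"A": ["192.0.2.12"], "TXT": ["v=spf1 ip4:203.0.113.5 ~all"]},
    "block.example": {"A": ["192.0.2.13"], "TXT": ["v=spf1 ip4:203.0.113.0/24 -all"]},
    "huge.example": {"A": ["192.0.2.14"], "TXT": ["v=spf1 ip4:10.0.0.0/8 -all"]},
    "laundered.example": {"A": ["192.0.2.15"], "TXT": ["v=spf1 include:promisc.example -all"]},
    "nomx.example": {"AAAA": ["2001:db8::25"]},       # no MX, but an AAAA fallback
    "deadmx.example": {"MX": ["mx.deadmx.example."]},  # MX target never resolves
    "nothing.example": {},                             # no mail records at all
    "servfail.example": None,
}

class ServFail(Exception):
    """Stand-in for a SERVFAIL answer from the resolver."""

def lookup(name, rrtype):
    """Answer one query from the snapshot; unknown names behave like NXDOMAIN."""
    zone = DNS.get(name.rstrip("."), {})
    if zone is None:
        raise ServFail(name)
    return list(zone.get(rrtype, []))

def deliverability(domain):
    """Step (1): MX first, else the A/AAAA fallback of RFC 2821 section 5."""
    try:
        mx = lookup(domain, "MX")
        for host in mx or [domain]:          # no MX: the domain itself must resolve
            if lookup(host, "A") or lookup(host, "AAAA"):
                return "mx" if mx else "a-fallback"
        return "no-mx-resolves" if mx else "no-mx-no-a"
    except ServFail:
        return "servfail"

def _spf_walk(domain, depth=0):
    """Return (widest ip4 prefix length, effective 'all' qualifier), or None."""
    recs = [t for t in lookup(domain, "TXT") if t.lower().split(" ")[0] == "v=spf1"]
    if len(recs) != 1 or depth > 10:         # absent/ambiguous record; RFC 4408 lookup cap
        return None
    widest, terminal = 32, None
    for term in recs[0].split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            terminal = qual
            break                            # nothing after 'all' is evaluated
        m = re.fullmatch(r"ip4:([\d.]+)(?:/(\d+))?", mech)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2) or 32}", strict=False)
            widest = min(widest, net.prefixlen)
        elif mech.startswith("include:"):
            inner = _spf_walk(mech[8:], depth + 1)
            if inner:
                widest = min(widest, inner[0])
                if inner[1] == "+":          # an included +all matches every sender
                    terminal = qual
                    break
    return widest, terminal

def spf_triage(domain):
    """Step (2): the post's SPF categories, worst first."""
    walk = _spf_walk(domain)
    if walk is None:
        return "none"
    widest, terminal = walk
    if terminal in ("+", "~"):
        return {"+": "promiscuous", "~": "softfail"}[terminal]
    if widest <= 24:                         # the post's "/24+" bucket, with /8 split out
        return "netblock/8" if widest <= 8 else "netblock/24"
    return "good" if terminal == "-" else "neutral"

def mail_from_verdict(domain):
    """Assumed policy mapping the post's advice onto a MAIL FROM decision."""
    state = deliverability(domain)
    if state == "servfail":
        return "tempfail"                    # defer with a 4xx; never connect back to check
    if state.startswith("no-mx"):
        return "reject"                      # cannot receive mail, so should not send it
    try:
        spf = spf_triage(domain)
    except ServFail:                         # an include: target's zone failed
        return "tempfail"
    if spf in ("promiscuous", "netblock/8"):
        return "reject"                      # carte blanche, or near enough to it
    if spf in ("softfail", "netblock/24"):
        return "suspect"                     # score it rather than hard-reject
    return "accept"
```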

I then took a 1h sample from just one of our traps, looking for the bad domains in the MAIL FROM command [5]:

Sample of Bad Domains Tested       367 (0.87%)
Promiscuous SPF                   2.18%
Suspect softfail SPF             36.24%
SPF records no +all or ~all      26.70%
SPF records netblocks /24+       13.62%
SPF records netblocks /8          0.27%
SPF good                         12.81%
Bad DNS records                   0.27%
No MX resolves                    1.63%
No MX, no fallback A/AAAA         3.54%

There are two main conclusions that we may draw from this:

  • A large number of badly reputed domains – ~33.5% – had faulty mail records [6]. In our mail sample we saw only 5.5% actually being used.
  • Roughly 16% of SPF records could be detected as promiscuous (if netblocks are checked as well). This means it is possible to stop a spammer who registers promiscuous SPF records while still allowing real, decent, SPF-qualified domains.

As a last test I checked the 1h sample again, but this time only looked at a sample of domains used in the MAIL FROM command that could be considered to be good domains and domains of unknown reputation:

Sample of Domains Tested         58930
Promiscuous SPF                   0.17%
Suspect softfail SPF              4.18%
SPF records no +all or ~all      12.46%
SPF records netblocks /24+        5.28%
SPF records netblocks /8          0.003%
SPF good                          7.18%
Bad DNS records                   0.28%
No MX resolves                    0.50%
No MX, no fallback A/AAAA         1.58%

In this case only ~7.81% had bad mail records or SPF records of a dubious nature. This could mean that these domains were badly configured, or that we, at Avert Labs, simply had not analysed those domains at the time that I took my sample. Eliminating these from the sample, we end up with 7.18% having good SPF records and the rest, ~85%, not having any SPF records. As sad as it may be, I can deduce from this that 85% of domains are getting joe-jobbed because they have no SPF records!

The case of the null-sender

Obviously, when the null sender MAIL FROM:<> is used, DNS queries cannot be used. This is a favourite technique with some spammers to work around the DNS checking problem. This has led to some customers even asking whether the null sender can be blanket banned. A knee-jerk approach to such a problem is not going to solve anything. RFC4408 [7] recommends that for such cases the EHLO/HELO string is used. A conforming MTA will send the name of the mail server (or its IP address in square brackets) as part of this SMTP command string. Using EHLO strings is not a foolproof technique, but it has its merits.

Conclusion:

There are a couple of important points that can be taken away from this analysis:

  • There is a small benefit to be gained in validating the sender domain.
  • Validating deliverability is the first check-point at MAIL FROM.
  • SPF-checking is a second check at MAIL FROM.
  • More people should create SPF records.
  • Spammers do not create that many SPF records for their domains. For those that do, patterns are emerging which can be used as a means of detection.

In the future, a way for spammers to get around the SPF problem is to create SPF records for their own spamming domains. Since we can easily detect this, they might resort to more clever techniques, like fast-morphing DNS where the ip4 entries in the SPF record change all the time. We can already detect that kind of behaviour as well. At this level it gets very hard for the poor admin to just use off-the-shelf techniques, and it requires the use of a security service provider. This really brings us to the concept of applying full Domain Reputation at the point of MAIL FROM. Instead of an MTA doing all of the appropriate DNS queries for every connection, maybe it should just ask McAfee for the reputation of that domain …


[1] RFC2821 Section 4.1.1.6.

[2] RFC2821 Section 5 only refers to A-records as fallbacks, but I think we can infer IPv6 support here as well.

[3] I cannot stress enough that if enough people do not take up SPF, then using it as a more effective means to prevent spam entering the network will not work. A good place to start understanding SPF is reading the OpenSPF site. Be sure to read the section on common mistakes.

[4] Any decent examples to the contrary are most welcome.

[5] The 0.87% might seem small, but in my analysis I did not check for any correlation between the age of the domain and the time of my 1h sample. Neither did I use the full reputation database. There is a good chance that a number of domains were not picked up in my 1h sample due to this. That is my exercise for another day. It is more important to look at the relative percentages within the 1h sample and compare them to the overall percentages of the greater sample.

[6] The figure applies to the percentage of domains, not the percentage of email. It cannot be inferred that 33.5% of email can be blocked in this way.

[7] RFC4408 is experimental.


Comments (5)

  • Devon Shimer June 2, 2010 1:06PM

    great advice and sharing, I will buy one this fantastic pants for me. thanks

  • jimiques March 9, 2009 8:52AM

    If you run dig -t TXT _spf.google.com you will get “v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all”
    Should we forbid mail from google? I believe it will cut off half of the world from your organization.

  • Douglas Otis April 17, 2007 10:20AM

    The assertion that “+all” indicates intent to spam is not correct. Such a record may also mean this record is ONLY intended for use with static white-lists, and to ensure forwarded email is not inadvertently lost. It seems not everyone respects the intent of various SPF results. : (

    bell.ca would be one example of this.

  • Douglas Otis April 17, 2007 8:55AM

    Requesting that recipients check SPF records overlooks the sizable and very real hazard created by SPF as a DDoS exploit. _ALL_ the malicious SPF traffic generated by bad actors can be done without expending any of their resources. The bad actor would only need to utilize the local-part of some email address to randomize all subsequent queries without their base SPF record being re-read.

    SPF expects as many as 11 subsequent SPF records to be read, which might be wildcard records now given local-part sub-domains! SPF also expects as many as 100 A, or AAAA records to be queried before quitting. This alone exceeds the amplification of all other DNS DDoS related exploits! The bad actor can simply conclude their records with “+all” where their email then receives flying colors.

  • Fergie April 17, 2007 1:47AM

    SPF can be dangerous. DKIM is a much better, simple solution.

    - ferg