March 29, 2007

SPF Records for AntiSpam Efforts

Filed under: DNS,Mail,Technology — Cory @ 1:11 am

A few days ago my server got joe-jobbed on a domain that I registered and never used. When it started happening I just changed the MX record for the domain to point to localhost.standblue.net, which is an A record pointing to 127.0.0.1. After doing this I noticed the bounces slowed down as the MTAs tried to connect to themselves, rather than to my server. At that time I also added SPF records to all the domains that I host on my server.

So tonight I figured it was time to configure my mail server to look at SPF records. While searching around for an SPF implementation that seemed reasonable (i.e., not written in Perl), I found python-postfix-policyd-spf, which is written in Python (although the code is not Pythonic at all).

After installing the PyDNS and PySPF module dependencies, I installed python-postfix-policyd-spf by running ‘python setup.py install’ and then things were ready to be configured.

The next step was to configure Postfix, which was actually very easy. I added the following line to my /etc/postfix/master.cf file:

spfpolicy unix  -       n       n       -       -       spawn
        user=nobody argv=/usr/bin/python /usr/bin/policyd-spf

And the following to /etc/postfix/main.cf:

smtpd_recipient_restrictions =  permit_mynetworks,
                                permit_sasl_authenticated,
                                check_client_access hash:/etc/postfix/pop-before-smtp-relays,
                                check_recipient_maps,
                                reject_unauth_destination,
                                check_recipient_access hash:/etc/postfix/badmailto,
                                check_policy_service inet:127.0.0.1:60000,
                                check_policy_service unix:private/spfpolicy,
                                permit
spfpolicy_time_limit = 3600

Be sure to add the check_policy_service unix:private/spfpolicy line after the reject_unauth_destination line, otherwise you’ll be an open relay.

Run ‘postfix reload’ to get Postfix to acknowledge the changes, and that’s it.

After setting this up and watching the logs for a while tonight, I noticed a few things.

First, there are a lot more domains using SPF than I thought. I know it’s been out for a few years now, but apparently it has really taken off. The only shame is that most of the domains that have SPF records seem to still be using the ~all code, which basically makes it pointless.

The second thing I noticed tonight isn’t quite as shocking: spammers are really careless and dumb. The first two messages that were rejected via SPF were because the spammer actually set up SPF records for their spamming domains, but they screwed it up. The log messages for those two are below:

Mar 29 01:07:05 silver policyd-spf[9260]: SPF fail - not authorized:QUEUEID=; 
       identity=mailfrom; client-ip=65.254.160.36; helo=mail.meckcom.net;
       envelope-from=colonproblems@jermaynepaganochristianism.com; 
       receiver=victim@example.com; 
Mar 29 01:19:00 silver policyd-spf[9508]: SPF fail - not authorized:QUEUEID=; 
       identity=mailfrom; client-ip=65.254.160.36; helo=mail.meckcom.net; 
       envelope-from=mortgagenewsfromlowermybills@trythetips.com; 
       receiver=victim@example.com; 

Investigating the first one, I found this:

jermaynepaganochristianism.com. 600 IN  TXT     "v=spf1 a mx ip4:38.98.2.0/24 -all"

So the spammer who bought jermaynepaganochristianism.com (which was registered earlier this month) decided to set up a record specifying which hosts could send mail for that domain, and then send the spam through a different server. Brilliant!

Here is another interesting one:

Mar 29 00:58:21 silver policyd-spf[9071]: 
       SPF Permanent Error: Invalid IP4 address: ip4:72.11.154.128/25-all:
       QUEUEID=; identity=mailfrom; client-ip=72.11.154.232; helo=mail.anbermedia.com; 
       envelope-from=smtp@anbermedia.com; receiver=victim@example.com; 

In this case the spammer who bought anbermedia.com (which was registered today) set up an SPF record, but screwed it up by not placing a space between /25 and -all, thereby making it an invalid record and causing mail to be rejected. Sweet!
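To make the two rejections above concrete, here is a small SPF evaluator added for illustration (it is not part of this post or of python-postfix-policyd-spf): it checks a client IP against the a, mx, ip4 and all mechanisms, using a constructed in-memory DNS table in place of real lookups, and treats the malformed ip4:72.11.154.128/25-all term from the third log entry as a permanent error. The hostnames and A records in the table are made up; include/redirect and CIDR suffixes on a/mx are not supported.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline: host -> (A records, MX hostnames).
FAKE_DNS = {
    "jermaynepaganochristianism.com": (["38.98.2.10"], ["mx.jermaynepaganochristianism.com"]),
    "mx.jermaynepaganochristianism.com": (["38.98.2.11"], []),
}

# Records quoted in the post; the second one is missing the space before -all.
SPF_RECORDS = {
    "jermaynepaganochristianism.com": "v=spf1 a mx ip4:38.98.2.0/24 -all",
    "anbermedia.com": "v=spf1 ip4:72.11.154.128/25-all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, domain, client_ip):
    """Simplified SPF check: supports a, mx, ip4 and all (no include/redirect,
    no CIDR suffix on a/mx). Returns pass/fail/softfail/neutral/none/permerror."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        try:
            if mech == "all":
                matched = True
            elif mech == "ip4":
                # A malformed network such as "72.11.154.128/25-all" raises ValueError here.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            elif mech in ("a", "mx"):
                a_records, mx_hosts = FAKE_DNS.get(arg or domain, ([], []))
                if mech == "mx":
                    a_records = [a for h in mx_hosts for a in FAKE_DNS.get(h, ([], []))[0]]
                matched = any(ip == ipaddress.ip_address(a) for a in a_records)
            else:
                return "permerror"  # unknown mechanism
        except ValueError:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there was no "all" term
```

The first record yields "fail" for the client 65.254.160.36 seen in the logs, while the second yields "permerror" for any client, which is why policyd-spf rejected both.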

In the 2 hours I have had SPF in place, it’s blocked 10 messages or so. That isn’t a huge amount, but my server doesn’t move a tremendous amount of mail, especially around midnight. It will be interesting to see how well this works when the server is busy.

Next I plan to try out DomainKeys and see if that helps any.

• • •

March 5, 2007

New Domain Aliases

Filed under: DNS,Technology — Cory @ 11:04 pm

I have been blogging at this address for almost two years now, and people still seem to have a hard time remembering the website address (although, this wouldn’t be a problem if everyone got with the times and read the web via RSS).

So, to make it easier for people to find this site I have registered a few other domains and pointed them here. Now you can get to this blog from antsonthemelon.com, corywright.net, or corywright.org.

I actually bought corywright.com back around 1999 or 2000, but unfortunately I let it lapse and now some wannabe fake Cory Wright owns it. Lamo.

• • •

March 2, 2007

Oldest Domains on the Internet

Filed under: DNS — Cory @ 1:12 am

As my geek friends know, I love DNS, so I found this list of the 100 oldest domains on the Internet pretty fascinating.

All the big names are on there, except Microsoft. It’s hard to believe that some domains have been registered for 22 years. No wonder all the good ones are taken.

• • •

March 7, 2006

The Domain Name System and Me

Filed under: DNS,Technology — Cory @ 1:18 am

While researching the answer to a question that a coworker posed today I came across Wikipedia’s page on the Domain Name System. I have to say, that is an incredibly thorough description of DNS. Normally pages describing DNS are so full of BINDisms that it’s hard to separate the protocol from the application. Wikipedia also has a page for comparisons of DNS server software.

I think most people feel that DNS is pretty boring, but for some reason I have always really loved working with it. I got my first real experience working with DNS after college when I worked at Spire Network Services in New Orleans. That’s where I met my friend Mike who later introduced me to djbdns, which is when I really became fascinated with DNS.

For years I read and participated in DJB’s DNS mailing list where I learned a tremendous amount about the DNS protocol and DNS software. Perhaps my favorite message from that list was when Matt Simerson (DNS admin at Interland) detailed their migration from BIND to djbdns. I also think it is pretty awesome that EveryDNS uses djbdns.

Fortunately my love of DNS is not wasted, as I get to spend 8+ hours a day dealing with nothing but the Domain Name System. I know this would bore some people to tears, but not me. :)

• • •