Does SPF Make You A Target?
Posted on September 25, 2007
Filed Under email

Just about everybody with an email account knows what a pain in the backside spam can be when it sidles past the filters and splats in your inbox. For those of us with our own domains, though, it can cause problems far beyond wasting the time it takes to delete it.
There are of course some defensive measures you can take, both to avoid having your domain forged in the From address of spam and to make sure more of your own, legitimate, email does not get caught up in filters as spam. While I haven’t gone as far as this yet, I have implemented SPF records on my domains. Now, though, I’m wondering whether doing so has made me a target!
I consider my email important enough to use an external, paid-for service for it. I am on the whole quite satisfied with the spam protection I get from this service. I have it set up to use several of the better-run blacklists and to check a number of other technical issues (it would appear many mass mailing tool authors are not particularly au fait with the SMTP specifications). I get maybe 2-3 spam a week in my inbox that are easy enough to recognise and delete without having to open them. In contrast, currently my mail server is refusing to even accept several hundred mail deliveries a day.
However, one day a couple of weeks ago, I started getting bounce backs from spam that had a forged From header that used an address in one of my domains. Once upon a time I had gotten used to receiving a few of these every so often, but it had been a long time since I had seen more than one or two at a time – I assumed that this was a combination of my publishing of SPF records and ISPs getting more intelligent about when they used bounces. In the space of five minutes, twenty more landed in my inbox.
Clearly, they needed investigating. I opened one up and looked at the headers and all became clear. The source of the email had also been faked, to look like it came from an IP address in my SPF record. Specifically, from the external email service I use. I called up the service just to make sure, and to ensure they knew that it was not me in case anybody complained. They confirmed that the emails had not been sent through my account or indeed through their servers at all.
Given that I have many more domains now than when I used to see such bounce backs regularly, it seems unlikely that spammers simply had not forged addresses in my domains during the quiet period. The conclusion therefore has to be that this tactic was sufficient to fool many of them into thinking it was legitimate mail and to generate a bounce message when the box no longer existed or was full. Clearly email providers’ handling of email needs to get cleverer yet.
Further evidence of this conclusion is provided by the fact that when I removed this service from my SPF record for the relevant domain (I only use this service for inbound mail and as a, never so far used, backup for outbound), the bounce backs trailed off again. It seems unlikely that the new SPF record propagated exactly when the spam run stopped. In all, over an hour or so, I received over three hundred bounce backs. Most of them landed in my Junk and Discard folders. The spam run itself presumably was an order of magnitude or two larger at least.
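The post turns on a detail worth making concrete: an SPF check is supposed to be made against the IP address that actually opened the SMTP connection, not against whatever Received headers the message carries, and it is supposed to be made while the session is still open so that a failing message is refused with a 5xx rather than accepted and bounced later. The following is an added example and not code from the original post; the SPF records and all IP addresses in it are constructed (RFC 5737 documentation ranges), with 203.0.113.10 standing in for the external mail service and 198.51.100.5 for the author’s own outbound server. Only the ip4, ip6 and all mechanisms are implemented, since include, a and mx need DNS lookups.

```python
import ipaddress

# Constructed records, not the author's real ones. The first lists the inbound-only
# external service; the second is the record after that service was removed.
RECORD_WITH_SERVICE = "v=spf1 ip4:198.51.100.5 ip4:203.0.113.10 -all"
RECORD_WITHOUT_SERVICE = "v=spf1 ip4:198.51.100.5 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate an SPF record against the IP that actually connected to us.

    Supports the ip4, ip6 and all mechanisms with their qualifiers.
    Returns one of pass / fail / softfail / neutral / none.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to a pass qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            # A bare address is treated as a single-host network (/32 or /128).
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        else:
            raise ValueError(f"mechanism {mech!r} needs DNS; not supported here")
    return "neutral"  # record ended without an 'all' mechanism


def smtp_time_decision(record, connecting_ip):
    """Decide while the SMTP session is still open.

    Refusing a failing message here means no bounce is ever generated for the
    forged sender, which is what stops backscatter like the post describes.
    """
    result = check_spf(record, connecting_ip)
    return "reject" if result == "fail" else "accept"


def forged_header_comparison(record, connecting_ip, claimed_ip):
    """Contrast the IP a forged Received header claims with the real one.

    Returns (result_for_claimed_ip, result_for_connecting_ip). A checker that
    trusted the header would see the first value; a correct one sees the second.
    """
    return check_spf(record, claimed_ip), check_spf(record, connecting_ip)


if __name__ == "__main__":
    # Constructed scenario: a spam source at 192.0.2.77 forges headers claiming
    # the message came from the listed service at 203.0.113.10.
    print(forged_header_comparison(RECORD_WITH_SERVICE, "192.0.2.77", "203.0.113.10"))
    print(smtp_time_decision(RECORD_WITH_SERVICE, "192.0.2.77"))
    print(check_spf(RECORD_WITHOUT_SERVICE, "203.0.113.10"))
```

Run as written, the comparison shows the forged header address passing and the real connecting address failing, the SMTP-time decision rejecting the real source, and the tightened record failing even the claimed address, which matches what the post observed once the inbound-only service was dropped from the record.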
