Yesterday’s Thoughts

May 31, 2005

Blocking Spam from My Domain

Courtesy of Merlin Mann’s del.icio.us tags, I found out about SPF, Sender Policy Framework. Merlin had earlier apologized to the readers of his blog that he was not the sender of spam coming from the 43folders.com domain.

Apparently one of his readers pointed out to him that he could configure SPF for his domains, which would eliminate spam containing forged return paths. I don’t have any first-hand knowledge of how prevalent this form of spam is in the whole universe of spam. I do however get a fair number of bounces from ISPs, and individuals, complaining about mail that I have supposedly sent them, including spam that I receive claiming to be from me, so this sounded like a good idea for me for two reasons.

One, it relieves me of one more thing to look after. When a bounce, a spate of bounces, or spam to myself, comes in, I need to spend time tracking it down. I am always concerned that the horde of people attempting to probe my system has finally found a crack, so I have to check over my system for anything out of the ordinary. This doesn’t take so much time, but it is another intrusion on my time and a diversion from real work.

Second, I worry about someone actually associating this spam with my site, or my work. This is probably an enormous long shot, but why worry about this if I don’t have to?
Merlin was apologizing to his readers; I’d like not to be in that position.

The way that SPF works is that a mail transfer agent that receives an e-mail can validate that the Return-Path on a given piece of mail points to a server that is authorized to send mail for that domain by consulting the SPF record. If it does, the mail is ok. If it does not, the mail is suspicious. Suspicious, not necessarily forged, because 1) this system is not widespread yet, and 2) there are some cases, forwarded mail, mail sent on behalf of others, where the system is not completely airtight.

There is a convenient wizard that you can use to create your own DNS entry for implementing SPF. Because I have control over my own DNS, it was pretty simple to add the txt record for the spf entry. I am serving this domain from my home on supposedly static DSL. Because of the “supposedly” qualifier in the previous sentence, I use DynDNS. They had an FAQ on this.

I did a Google search on the site to find the FAQ. I don’t know if the page is publicly available, or useful, to others, but what I did was pretty straightforward:

Create a txt DNS record for your domain, TTL 60, containing as data the text I created on the wizard. I added the fqdn of my mail server to the list of servers that were allowed to send mail from my domain.
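To make the check described above concrete, here is an added example (not from the original post or the wizard) of how a receiving mail server evaluates such a TXT record against the connecting IP. The domains, addresses and records are constructed, the lookup tables stand in for DNS, and only the `a`, `ip4` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed sample data standing in for DNS, so the example runs offline.
TXT = {
    "example.org": "v=spf1 a:mail.example.org ip4:192.0.2.0/28 -all",
    "example.net": "v=spf1 a ~all",
}
A = {"mail.example.org": ["198.51.100.25"], "example.net": ["198.51.100.40"]}

# A qualifier in front of a mechanism decides the result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, return_path):
    """Evaluate the Return-Path domain's SPF record against the connecting IP."""
    domain = return_path.strip("<> ").rsplit("@", 1)[-1].lower()
    record = TXT.get(domain, "")
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            # Bare "a" means the A records of the domain itself.
            hosts = A.get(arg or domain, [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        else:
            continue  # mx, include, etc. are outside this simplified sketch
        if matched:
            return QUALIFIERS[qualifier]  # first matching mechanism wins
    return "neutral"


if __name__ == "__main__":
    for ip, sender in [("198.51.100.25", "me@example.org"),
                       ("203.0.113.7", "me@example.org"),
                       ("203.0.113.7", "me@example.net")]:
        print(ip, sender, check_spf(ip, sender))
```

A record ending in `-all` yields a hard `fail` for unlisted senders, while `~all` yields `softfail`, which matches the "suspicious, not necessarily forged" case.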

The last step was testing this out. The wizard page links to a couple of sites that allow you to test your new configuration. These test pages aren’t so useful. They weren’t useful to me at least, since my changes passed the tests. If you fail the tests then you would probably consider them more useful.

If I were routinely using this domain to send mail, I would need to do further testing. My ISP blocks port 25 except to its own servers as an anti-spam measure. It means that no one can take over my server and send spam. I can only send mail to my ISP, not to other domains. I don’t count on sending mail from my local domain. If I did, I would send mail to a broad sampling of outside hosts, gmail, yahoo, and hotmail for instance, to verify that my mail got through.

On the way to this, I discovered that I could use SPF to filter my own mail. I may check this out.
