Prevent spammers from spoofing your addressJune 28th, 2010 by brianl

Occasionally you may have a user report that they are getting bounced messages from someone they did not send emails to. 

They may be a victim of email address spoofing, a technique spammers use to hide their identity.  Basically, a spammer sends out junk email using your email address as the From: address, and when the receipients reject the message, the true owner of the address ends up with the rejection notice. 

Most domains send outbound mail through a relatively small number of servers. Domains should describe that set of servers in an SPF record in their DNS. Internet email receivers can then reject forged messages which don’t come from an envelope sender domain’s approved servers.If the receipient’s spam filtering solution is configured to check SPF before receiving messages, it will reject any spoofed messages not originating from the designated servers. 

SPF record syntax is a bit cryptic and I”m not exactly sure how it works, but there is a tool that helps you generate the correct formatting.  You should also be able to contact your email service provider to help with the correct mail server adddresses to enter into the SPF record. 

http://old.openspf.org/wizard.html 

For example, GFI MailProtection uses the following servers for outbound servers. 

92.51.176.0/24
92.51.177.0/24
174.36.154.0/24
207.154.50.0/24
208.43.37.0/24
208.70.88.0/24
208.70.89.0/24
208.70.90.0/24
208.70.91.0/24 

By running the wizard and selecting no to the first three options and entering in the above list of IP addresses in the “ip4:” field, the following record is generated (note: select YES to the ~all field): 

“v=spf1 ip4:92.51.176.0/24 ip4:92.51.177.0/24 ip4:174.36.154.0/24 ip4:207.154.50.0/24 ip4:208.43.37.0/24 ip4:208.70.88.0/24 ip4:208.70.89.0/24 ip4:208.70.90.0/24 ip4:208.70.91.0/24 ~all” 

Now log into your DNS host and create a TXT record using the above syntax.  

This isn’t a foolproof method since not all spam filtering solutions support SPF records, but it should reduce the number of some spoofing attempts.  Also, some DNS servers may not support SPF records (i.e. doesn’t allow you to create txt records), in which case you may want to consider switching your DNS host to one that does.

Tags: spf

This entry was posted on Monday, June 28th, 2010 at 9:20 pm and is filed under Email. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.