SPF and Fighting Spam


What is SPF?

SMTP, the protocol used to send and receive email, has a serious security flaw: it does not verify that a message really comes from the email address in the From: field.


Spammers use this flaw to hide the true source of their email. Viruses also send email with forged headers, disguising the infected computer while they attempt to infect others.


SPF (Sender Policy Framework) is a proposed authentication protocol designed to help fight spam. It works by checking whether a message really comes from the domain it claims to come from in the email header.


How does SPF work?

SPF works by adding information to a domain's DNS records that specifies which machines may legitimately send email for that domain.


The owner of a domain (e.g., example.com) already lists in its DNS records which computers receive mail for that domain. SPF adds a record that lists which computers are authorized to send mail for that domain.


When a mail server receives a message, it can look up which computers are authorized to send mail for the domain of the address in the From: field and check whether the message actually came from one of them. If it did, the message is assumed to be legitimate and allowed through. If it did not, or if the result is inconclusive, the receiving server can accept the message, accept it but mark it, or refuse to receive it.
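The lookup-and-decide logic above, as an added example written for this page rather than ListManager's own code: a minimal SPF evaluator over constructed, inline DNS TXT records (so it runs offline), covering only the ip4, include and all mechanisms, followed by the three receiver actions the text names. Per RFC 7208, real checkers apply this to the domain of the SMTP MAIL FROM (envelope) sender and the HELO name, and resolve records with live DNS.

```python
import ipaddress

# Constructed sample TXT records standing in for live DNS lookups.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.25 ~all",
    "softdomain.test": "v=spf1 ip4:203.0.113.10 ~all",
}

# Qualifier prefix on a mechanism -> SPF result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Return pass/fail/softfail/neutral/none for client_ip sending as domain."""
    record = FAKE_TXT.get(domain)
    if record is None or not record.startswith("v=spf1") or depth > 10:
        return "none"  # no SPF record published (or a runaway include chain)
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier, mech = "+", term  # a mechanism with no prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name == "ip4":
            # An IPv6 client never matches an ip4 network.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only if the referenced domain's policy passes.
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and the record had no "all"


def receiver_action(result):
    """Map an SPF result to the three actions a receiving server can take."""
    if result == "fail":
        return "reject"  # refuse during the SMTP transaction, before DATA
    if result in ("softfail", "neutral", "none"):
        return "accept-and-mark"  # deliver, but tag it for later filtering
    return "accept"
```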


How can SPF help ListManager?

ListManager receives mail for a number of email addresses, such as join addresses, leave addresses, and list posting addresses. These addresses, like any other email addresses, may receive spam or be the subject of virus attacks.


Beyond the extra load on ListManager from handling these messages, the kinds of spam ListManager receives cause further problems.


When spam is received at a join address (e.g., join-listname@example.com), the spam's From: address is added to the list. Usually these are fake addresses, but sometimes (as with a virus) they are real addresses, which then receive unsolicited email from the ListManager list.


Spam sent to a leave address (e.g., leave-listname@example.com) can unsubscribe legitimate members, preventing interested subscribers from receiving the email they opted in to receive.


Potentially the most dangerous spam for a ListManager server is that sent to posting addresses (e.g., listname@example.com). If the email header is forged so it appears to come from someone approved to send mail through the list, and the list is not moderated, the spam or virus is sent to the entire list.


By applying SPF authentication to incoming mail, ListManager can check whether a message is really coming from where it claims to come from. If not, ListManager can reject the message, or mark it so it can be identified later. By rejecting mail that fails SPF "early" in the mail transaction (before the entire message has been received), ListManager keeps more capacity for legitimate email.


SPF authentication may be configured on the server level at Utilities: Administration: Server: Server Settings: Security: Spam Blocking.


What limitations does SPF have?

For SPF authentication to work, domain holders must publish additional information in their DNS records. SPF adoption is still in its early stages, so not all domains have an SPF record. However, SPF has been adopted by AOL and Microsoft, so many domain holders are likely to begin publishing SPF records, and as they do, more ISPs will use SPF to validate email.


SPF does not stop spam sent from domains the spammer legitimately controls (e.g., "throwaway" domains used once and then abandoned). Nor does it block spam sent from a computer that is authorized to send for the domain used in the From: field.


Can SPF help ListManager deliver email?

It can, if you publish SPF information for your ListManager server's domain. More information about SPF and the kind of DNS record you need to publish can be found at http://spf.pobox.com/.