March 29, 2007

SPF Records for AntiSpam Efforts

Filed under: DNS,Mail,Technology — Cory @ 1:11 am

A few days ago my server got joe-jobbed on a domain that I registered and never used. When it started happening I just changed the MX record for the domain to point to localhost.standblue.net, which is an A record pointing to 127.0.0.1. After doing this I noticed the bounces slowed down as the MTAs tried to connect to themselves, rather than to my server. At that time I also added SPF records to all the domains that I host on my server.

So tonight I figured it was time to configure my mail server to look at SPF records. While searching around for an SPF implementation that seemed reasonable (i.e., not written in Perl), I found python-postfix-policyd-spf, which is written in Python (although the code is not Pythonic at all).

After installing the PyDNS and PySPF module dependencies, I installed python-postfix-policyd-spf by running 'python setup.py install' and then things were ready to be configured.

The next step was to configure Postfix, which was actually very easy. I added the following line to my /etc/postfix/master.cf file:

spfpolicy unix  -       n       n       -       -       spawn
        user=nobody argv=/usr/bin/python /usr/bin/policyd-spf

And the following to /etc/postfix/main.cf:

smtpd_recipient_restrictions =  permit_mynetworks,
                                permit_sasl_authenticated,
                                check_client_access hash:/etc/postfix/pop-before-smtp-relays,
                                check_recipient_maps,
                                reject_unauth_destination,
                                check_recipient_access hash:/etc/postfix/badmailto,
                                check_policy_service inet:127.0.0.1:60000,
                                check_policy_service unix:private/spfpolicy,
                                permit
spfpolicy_time_limit = 3600

Be sure to add the check_policy_service unix:private/spfpolicy line after the reject_unauth_destination line. Postfix evaluates smtpd_recipient_restrictions in order and stops at the first restriction that returns OK, so if the policy server ever answers OK (instead of DUNNO or PREPEND) for a sender that passes SPF, a recipient at some other domain would be accepted before reject_unauth_destination is ever consulted, and you'll be an open relay.

Run 'postfix reload' to get Postfix to acknowledge the changes, and that's it.

After setting this up and watching the logs for a while tonight, I noticed a few things.

First, there are a lot more domains using SPF than I thought. I know it’s been out for a few years now, but apparently it has really taken off. The only shame is that most of the domains that have SPF records seem to still be using the ~all code, which basically makes it pointless.

The second thing I noticed tonight isn’t quite as shocking: spammers are really careless and dumb. The first two messages that were rejected via SPF were because the spammer actually set up SPF records for their spamming domains, but they screwed it up. The log messages for those two are below:

Mar 29 01:07:05 silver policyd-spf[9260]: SPF fail - not authorized:QUEUEID=; 
       identity=mailfrom; client-ip=65.254.160.36; helo=mail.meckcom.net;
       envelope-from=colonproblems@jermaynepaganochristianism.com; 
       receiver=victim@example.com; 
Mar 29 01:19:00 silver policyd-spf[9508]: SPF fail - not authorized:QUEUEID=; 
       identity=mailfrom; client-ip=65.254.160.36; helo=mail.meckcom.net; 
       envelope-from=mortgagenewsfromlowermybills@trythetips.com; 
       receiver=victim@example.com; 

Investigating the first one, I found this:

jermaynepaganochristianism.com. 600 IN  TXT     "v=spf1 a mx ip4:38.98.2.0/24 -all"

So the spammer who bought jermaynepaganochristianism.com (which was registered earlier this month) decided to set up a record specifying which hosts could send mail for that domain, and then sent the spam through a different server. Brilliant!

Here is another interesting one:

Mar 29 00:58:21 silver policyd-spf[9071]: 
       SPF Permanent Error: Invalid IP4 address: ip4:72.11.154.128/25-all:
       QUEUEID=; identity=mailfrom; client-ip=72.11.154.232; helo=mail.anbermedia.com; 
       envelope-from=smtp@anbermedia.com; receiver=victim@example.com; 

In this case the spammer who bought anbermedia.com (which was registered today) set up an SPF record, but screwed it up by not placing a space between /25 and -all, thereby making it an invalid record and causing mail to be rejected. Sweet!
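To make the policy-service setup above and the two rejected records concrete, here is an added example (my own code, not python-postfix-policyd-spf or pyspf) of a minimal SPF evaluator wired to the request/reply format Postfix uses for check_policy_service. It supports only the ip4, ip6, a, mx and all mechanisms, and takes DNS answers from a dict so it runs offline: the two spam-domain TXT records are the ones quoted above (anbermedia.com's is reconstructed from the PermError message, since the full record is not shown), while every A/MX answer, the softfail.example domain and the sample request are constructed for the demo. Rejecting on PermError is a deployment choice that matches what the log shows; RFC 4408 leaves it to the receiver.

```python
"""Minimal SPF evaluator wired to the Postfix policy protocol (added example;
not code from python-postfix-policyd-spf or pyspf). Only ip4/ip6/a/mx/all are
supported and DNS answers come from a dict, so it runs offline."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS answers. The two spam-domain TXT records are from the post
# (anbermedia.com's is reconstructed from the PermError); the rest is made up.
RESOLVER = {
    ("jermaynepaganochristianism.com", "TXT"): ["v=spf1 a mx ip4:38.98.2.0/24 -all"],
    ("jermaynepaganochristianism.com", "A"): ["38.98.2.10"],
    ("jermaynepaganochristianism.com", "MX"): ["mx.jermaynepaganochristianism.com"],
    ("mx.jermaynepaganochristianism.com", "A"): ["38.98.2.25"],
    ("anbermedia.com", "TXT"): ["v=spf1 ip4:72.11.154.128/25-all"],
    ("softfail.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ~all"],
}


def _a_records(resolver, name):
    return [ipaddress.ip_address(a) for a in resolver.get((name, "A"), [])]


def _match(name, arg, addr, domain, resolver):
    """True if mechanism `name` with argument `arg` matches the client address."""
    if name == "all":
        return True
    if name in ("ip4", "ip6"):
        # ip_network() raises ValueError on junk such as "72.11.154.128/25-all".
        net = ipaddress.ip_network(arg, strict=False)
        if net.version != (4 if name == "ip4" else 6):
            raise ValueError("address family does not match mechanism")
        return addr in net
    if name == "a":
        return addr in _a_records(resolver, arg or domain)
    if name == "mx":
        mx_hosts = resolver.get((arg or domain, "MX"), [])
        return any(addr in _a_records(resolver, mx) for mx in mx_hosts)
    raise ValueError(f"unsupported mechanism or modifier '{name}'")


def check_host(ip, domain, resolver):
    """Evaluate `domain`'s SPF record for sender IP `ip`; returns (result, reason)."""
    records = [r for r in resolver.get((domain, "TXT"), []) if r.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none", f"no SPF record for {domain}"
    if len(records) > 1:
        return "permerror", f"multiple SPF records for {domain}"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        try:
            matched = _match(name, arg, addr, domain, resolver)
        except ValueError as exc:
            # An unparsable term makes the whole record a PermError (RFC 4408).
            return "permerror", f"{term}: {exc}"
        if matched:
            return QUALIFIERS[qualifier], f"matched {qualifier}{term}"
    return "neutral", "no mechanism matched"  # fell off the end of the record


def parse_policy_request(text):
    """Parse one Postfix policy request: name=value lines ended by a blank line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def policy_action(attrs, resolver):
    """Turn the SPF result into the reply Postfix expects from check_policy_service."""
    client_ip = attrs["client_address"]
    sender = attrs.get("sender", "")
    # Null sender (bounces): RFC 4408 says to check postmaster@<HELO domain> instead.
    domain = sender.rpartition("@")[2] if "@" in sender else attrs.get("helo_name", "")
    result, reason = check_host(client_ip, domain, resolver)
    if result == "fail":
        return f"action=550 SPF fail - not authorized: {reason}"
    if result == "permerror":
        # Rejecting on PermError is this deployment's choice; RFC 4408 leaves it open.
        return f"action=550 SPF permanent error: {reason}"
    # pass/softfail/neutral/none are only annotated, which is why ~all blocks nothing.
    return f"action=PREPEND Received-SPF: {result} ({reason}) client-ip={client_ip}"


# Constructed request in the format Postfix writes to unix:private/spfpolicy,
# using the client and sender from the first rejected message in the post.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=ESMTP\n"
    "client_address=65.254.160.36\nclient_name=mail.meckcom.net\nhelo_name=mail.meckcom.net\n"
    "sender=colonproblems@jermaynepaganochristianism.com\nrecipient=victim@example.com\n\n"
)
```

Calling policy_action(parse_policy_request(SAMPLE_REQUEST), RESOLVER) yields the 550 reply for the first logged message (the client is covered by neither a, mx nor the ip4 block, so -all matches), check_host("72.11.154.232", "anbermedia.com", RESOLVER) returns permerror because ipaddress refuses "72.11.154.128/25-all", and a ~all domain only gets a Received-SPF header prepended, never a rejection.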

In the 2 hours I have had SPF in place, it's blocked 10 messages or so. That isn't a huge amount, but my server doesn't move a tremendous amount of mail, especially around midnight. It will be interesting to see how well this works when the server is busy.

Next I plan to try out DomainKeys and see if that helps any.

• • •

March 28, 2007

Greg Hits Hollywood (literally)

Filed under: General — Cory @ 12:19 am

This had me laughing non-stop…

• • •

March 7, 2007

Frontier Airlines’ Awful Website

Filed under: Technology — Cory @ 12:45 am

Recently I have been paying a lot more attention to web design. I thought we had basically moved past the days when companies would lock out potential customers by requiring a specific browser, but I guess not.

[Screenshot: Frontier Website Sucks]

People have been telling me good things about Frontier Airlines, so I thought I would check out their prices to Vegas for DefCon this summer. When I pulled up the site I immediately got the above page that told me I was not good enough to use their little e-commerce site. Too bad.

When are these companies going to realize that it is really not that difficult to make a site that works for everyone? Maybe 6 years ago you could justify it because all the browsers sucked in different ways, but today the browsers are pretty good. And with 1 of every 5 web users browsing with something other than IE, they are essentially slamming the door in the faces of more than 20% of their customers. With so many cross-platform development toolkits for JavaScript and CSS, there is no excuse for a company the size of Frontier to have such a finicky site.

• • •

March 5, 2007

New Domain Aliases

Filed under: DNS,Technology — Cory @ 11:04 pm

I have been blogging at this address for almost two years now, and people still seem to have a hard time remembering the website address (although, this wouldn’t be a problem if everyone got with the times and read the web via RSS).

So, to make it easier for people to find this site I have registered a few other domains and pointed them here. Now you can get to this blog from antsonthemelon.com, corywright.net, or corywright.org.

I actually bought corywright.com back around 1999 or 2000, but unfortunately I let it lapse and now some wannabe fake Cory Wright owns it. Lamo.

• • •

March 2, 2007

Oldest Domains on the Internet

Filed under: DNS — Cory @ 1:12 am

As my geek friends know, I love DNS, so I found this list of the 100 oldest domains on the Internet pretty fascinating.

All the big names are on there, except Microsoft. It’s hard to believe that some domains have been registered for 22 years. No wonder all the good ones are taken.

• • •

March 1, 2007

Speed Up Apple Mail.app

Filed under: Mail — Cory @ 9:00 pm

I came across this tip today that shows a neat trick to speed up Mail.app.

I’ve been using Mail.app for about 3 years now and after running the sqlite command to vacuum the index I noticed a pretty significant speedup.

Update: I showed this to Will and he tried vacuuming all the other tables as well. I tried it too and it made things even faster! Here are the steps:

cd ~/Library/Mail
sqlite3 Envelope\ Index
sqlite> vacuum;
sqlite> .quit

• • •