Blocking spam that seems to come from yourself...

"-" and "~" are different qualifiers: http://www.openspf.org/SPF_Record_Syntax

Basically, in that case, "-" will cause any email that comes from a server not matched by the previous mechanisms ("a", "mx" and "ip4") to be rejected... The "~", instead, will accept the mail but mark it as possible spam.

At least that was what I understood from the link I pasted.
 
I think we can put the SPF record on all new domains and clients, and instead put a tutorial somewhere for those who might want to get rid of it.
 
thanks

So which one should I choose? I just followed the directions from the link on the previous page.
 
Well, that's your choice... think that "-" will probably reduce (in some way) the resources wasted on spam (bandwidth and disk space), but with "~" the end-user will be able to decide whether the message is spam or not...

I still haven't decided what I will do, but it might be a good idea to leave most of the domains with "~" and only change to "-" those which have important spam problems. Just thinking out loud.

In my case, I most certainly want to change the record of this client who is having troubles to "-" and set up my mailserver to reject emails from sources that do not match the SPF record.
 
But I think when PayPal sends email to your customers on your behalf it uses your email address.

Oh, ok... but, again, in that case, what happens if the user uses an email account from one of the major webmail providers like Gmail, Yahoo or Hotmail? Because an email will be sent on the user's behalf using his email address as the From, and the server will not match the SPF record. So, probably, the recipient would reject it or mark it as spam.

For example, hotmail has this:

spf-a.hotmail.com. 1657 IN TXT "v=spf1 ip4:209.240.192.0/19 ip4:65.52.0.0/14 ip4:131.107.0.0/16 ip4:157.54.0.0/15 ip4:157.56.0.0/14 ip4:157.60.0.0/16 ip4:167.220.0.0/16 ip4:204.79.135.0/24 ip4:204.79.188.0/24 ip4:204.79.252.0/24 ip4:207.46.0.0/16 ip4:199.2.137.0/24 ~all"

And Gmail has:

_spf.google.com. 300 IN TXT "v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all"

Gmail will probably have no problem, but Hotmail would mark it as spam, right?
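
The difference between the "-", "~" and "?" qualifiers discussed above can be checked offline against the two records quoted in this post. This is an added example, not code from any poster in the thread: `check_spf` and `receiver_action` are hypothetical names, only `ip4`/`ip6`/`all` terms are handled (no DNS lookups), and the receiver policy is an assumption that mirrors the thread's description.

```python
import ipaddress

# SPF strings copied from the records quoted in the thread (owner name/TTL dropped).
HOTMAIL_SPF = ("v=spf1 ip4:209.240.192.0/19 ip4:65.52.0.0/14 ip4:131.107.0.0/16 "
               "ip4:157.54.0.0/15 ip4:157.56.0.0/14 ip4:157.60.0.0/16 "
               "ip4:167.220.0.0/16 ip4:204.79.135.0/24 ip4:204.79.188.0/24 "
               "ip4:204.79.252.0/24 ip4:207.46.0.0/16 ip4:199.2.137.0/24 ~all")
GOOGLE_SPF = ("v=spf1 ip4:216.239.32.0/19 ip4:64.233.160.0/19 ip4:66.249.80.0/20 "
              "ip4:72.14.192.0/18 ip4:209.85.128.0/17 ip4:66.102.0.0/20 "
              "ip4:74.125.0.0/16 ip4:64.18.0.0/20 ip4:207.126.144.0/20 ?all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip):
    """Evaluate ip4/ip6/all terms left to right; the first match decides."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                      # no prefix means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise ValueError("mechanism needs DNS, not handled here: " + term)
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no "all" term

def receiver_action(result):
    """Assumed receiver policy matching the thread: "-" rejects, "~" marks."""
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept, mark as possible spam"
    return "accept"

if __name__ == "__main__":
    outside = "216.113.188.96"  # PayPal relay IP from a header quoted in this thread
    strict = HOTMAIL_SPF.replace("~all", "-all")   # constructed variant
    for label, rec in (("hotmail ~all", HOTMAIL_SPF), ("google ?all", GOOGLE_SPF),
                       ("hotmail -all", strict)):
        res = check_spf(rec, outside)
        print(label, "->", res, "->", receiver_action(res))
```

A real receiver evaluates the record of the envelope sender (MAIL FROM) domain and must also resolve `a`, `mx` and `include` terms through DNS, which this sketch deliberately refuses to guess at.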
 
This would affect clients who may want to send emails with their addresses from other servers. This does not worry me, because they are supposed to use my mailserver and no other. I can assume that in order to reduce spam on their accounts.
When you assume you make an ass out of u and me.

You really can't assume that. For example, if any of your users are using AOL (and some other ISPs) all port 25 email is redirected to their own servers. If your users travel they may find themselves and their laptops in places where all outgoing port 25 traffic is blocked. Many ISPs block all outgoing port 25 traffic.
But would there be any other drawbacks? I mean, it's an important decision that will affect an important share of my clients, and I want to be sure what I'm doing.
Personally, I think what I mentioned above is important enough.

Jeff
 
If you want to add the SPF record on your DNS zones I think the right way to do it is editing the file /usr/local/directadmin/data/templates/dns_txt.conf
Before you edit that template move it to the custom directory so it won't be overwritten by an update.

Jeff
 
@Jeff... I understand what you say, but I think that I can assume certain limitations of my service as long as it is to provide a better service, regarding security, spam, etc.

I work in Latin America, 99% (I'd say 100%, but you never know) of my clients do not use AOL. Since I don't have any control over my clients' networks, I have to assume that they have the required resources and permissions to access the services I provide, which are quite standard and use standard ports. If for some reason you have port 25 blocked, you're welcome to use our webmail. And if you still have problems, you can talk to support and we'll try to figure something out.

Anyway, we have two possible problems:
- Users will not be able to send emails using their addresses from other mailservers.
- Users will be forced to connect to my server to send their emails, which might cause troubles if (for some reason) they cannot connect.

Both problems are regarding my DNS configuration. I could still set up my SPF records so that external emails are "marked" rather than "rejected".

Now, my question was regarding the mailserver configuration. How do I set up exim to check the SPF record of the source's domain?
 
@jlounds: Mmm and how does that work when you have a gmail address?
All the paypal emails I receive usually come from [email protected]

I am not sure what you mean about the gmail address. My PayPal account is through my business e-mail account, which is hosted on my DirectAdmin server.

I was just trying to point out that PayPal is one example of how many web sites will stick your address in the "from" header when sending messages after filling in a form (contact us, registering, purchasing something, etc). In which case, strict SPF can cause headaches.

Here is a (modified to hide my actual e-mail address) clip from the mail header I received from PayPal...

Code:
Subject: Receipt for your subscription payment
X-MaxCode-Template: email-receipt-subscribe-payment
To: <jlounds@*********.com>
From: "[email protected]" <jlounds@*********.com>
Sender: [email protected]
 
Ok, don't worry, we're getting a little off-topic. Just to clear it up, it seems that PayPal makes an exception for accounts with gmail addresses (and probably with others). I have a PayPal account with my gmail address and when I make a payment I receive an email with these headers:

Code:
Return-Path: <[email protected]>
Received: from outbound1.den.paypal.com (outbound1.den.paypal.com [216.113.188.96])
        by mx.google.com with ESMTP id 30si1214039wfg.25.2008.12.04.18.22.54;
        Thu, 04 Dec 2008 18:22:55 -0800 (PST)
Received-SPF: pass (google.com: domain of [email protected] designates 216.113.188.96 as permitted sender) client-ip=216.113.188.96;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 216.113.188.96 as permitted sender) [email protected]; dkim=pass [email protected]
[...]
Subject: Receipt for Your Payment to Some Company
X-MaxCode-Template: email-receipt-xclick-payment
To: My Name <[email protected]>
From: "[email protected]" <[email protected]>
 
Now, my question was regarding the mailserver configuration. How do I set up exim to check the SPF record of the source's domain?
Did you google? I tried googling these three selections:

exim spf
exim and spf
exim support spf


All of them show a link in the top three which leads to your answer, here.

Jeff
 