Spam: SPF and Grey Listing Analysis

Staying One Step Ahead

I deal with spam from an administrator standpoint on a daily basis. I am constantly putting my thinking cap on and trying to come up with new ways to deal with this endless onslaught of useless data. In the past, I was concerned with how much processing power is required to sort through all of this junk. Today I am trying to come up with ways to not deal with it at all. The idea is simple: how can I keep spam off my mail server? If spam is never delivered in the first place, I won't have to filter it, or at least I will have to filter less. This approach has piqued my interest in two developing technologies: grey listing and Sender Policy Framework (SPF).
Sender Policy Framework

The SPF concept was first presented at the O'Reilly Open Source Convention in 2003. (Sender Policy, 2006) The idea behind the concept is simply to check that the "from" address in an email being delivered is coming from a server that is allowed to send out email for that domain. I found the idea to be an amazingly simple layer that can be added to a defense-in-depth structure for battling spam. Most spam servers are not what could be considered "real" mail servers. Often, spammers utilize zombie systems to help them deliver their payloads, and these zombie spam systems are obviously not registered mail servers. (Stopping Spam, 2006) But how is your mail server supposed to know that? One method is a reverse DNS lookup, which tells your server whether the system trying to talk to it is a real mail server or not. However, that still isn't enough, since there are still a great number of open relays on the Internet due to administrative error. Examining SPF records greatly enhances your mail server's chances of stopping the spam before it ever gets delivered, since it checks whether the specific system that is trying to deliver mail for the domain in the "from" field matches the SPF record returned by a DNS lookup.
SPF Drawbacks

Although it took me less than thirty minutes to research how to set this up and get it working, implementing this on a global scale will most likely be slow. Hotmail has already started using this technology, but I have already verified that email can still be sent to a Hotmail account from an unregistered server. They most likely ran into what would probably be the number one problem, which is that most mail servers out there are probably not registered and a large number of legitimate emails would never be delivered.
Another obvious problem that this approach will not handle well is email forwarding. There are numerous organizations that forward their email to another server for delivery, which would fail this test. And if the forwarding servers were registered in the organization’s DNS records, the problem of spam could be back again since these forwarders typically handle numerous domains. Therefore, someone could still get an email delivered by spoofing that organization’s domain.
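As an added example that is not from the original article, the check described in the Sender Policy Framework section above, in code: a minimal SPF evaluator that takes the domain of the sender address (in practice the SMTP envelope MAIL FROM) and tests the connecting IP against the published record, including the forwarding case from the previous paragraph, where a relay host that is not listed in the record hits -all. The DNS records are constructed stand-ins embedded inline so it runs offline; a real MTA resolves them at delivery time.

```python
import ipaddress

# Constructed stand-ins for DNS (not real records), embedded so the example runs offline;
# a receiving MTA would fetch the TXT and A records with live DNS queries instead.
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 a:mail.example.com include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}
FAKE_A = {"mail.example.com": ["203.0.113.5"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, domain, txt=FAKE_TXT, a_records=FAKE_A, depth=0):
    """Evaluate domain's SPF record for the connecting IP: pass, fail, softfail, neutral, none or permerror.
    Handles ip4, ip6, a, include and all; mx, ptr, exists and modifiers (redirect=, exp=) yield permerror."""
    if depth > 10:                        # include chains are limited; treat a loop as an error
        return "permerror"
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                     # nothing published: the check gives no verdict
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:       # skip the "v=spf1" version tag
        qualifier = "+"                   # an unqualified mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)   # False on v4/v6 mismatch
        elif name == "a":
            matched = str(ip) in a_records.get(arg or domain, [])
        elif name == "include":
            inner = check_spf(client_ip, arg, txt, a_records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"     # only "pass" matches; the included ~all/-all does not leak out
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # no term matched and no "all" present

if __name__ == "__main__":
    # 203.0.113.99 stands for a forwarding host relaying example.com mail: it hits -all.
    for ip in ("192.0.2.25", "203.0.113.5", "198.51.100.10", "203.0.113.99"):
        print(ip, check_spf(ip, "example.com"))
```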
Overall, SPF is a good idea, but it is going to take more than a community push to get it implemented. If numerous large email providers like Yahoo, Hotmail, Gmail, and AOL made SPF checks a requirement, then perhaps this would put pressure on a lot of organizations to implement SPF and in the process hopefully clean up their DNS records. This may sound a bit odd, but a very large number of people use these email services and that many people can make a lot of noise within the community.
Grey Listing

Grey listing was another technology that caught my attention, and it provides what I would call a "softer" approach than SPF. Grey listing works by temporarily deferring email from every server. When the server using grey listing makes the initial deferral, it records the IP address, the sender address, and the recipient address in a database. A legitimate mail server will try the connection again. When it does, the server using grey listing checks the same three parameters against its database. If it finds a match, the delivery is allowed. This tends to work well against spam servers, since a typical spam server is not set up to handle deferrals and will not retry a failed delivery. (Greylisting, 2006)
Grey listing is easily customized. A simple example would be to keep the records for one day. This means the server using grey listing only has to defer a specific server once per day. After that, mail can be delivered freely, since the grey listing server knows the other server is a "real" mail server. However, a downfall of grey listing is that the platforms currently supported are limited mostly to UNIX and Linux based MTAs (Sendmail, Postfix, Qmail, etc.), and the development for each MTA package is done separately by individuals and not controlled by a single project team. This type of development is representative of something in its infancy and perhaps lacks the maturity to be implemented on a production network.
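The triplet logic from the two paragraphs above as an added example, not code from the article or from any of the MTA add-ons it mentions: a small Python policy that defers the first contact for an (IP, sender, recipient) triplet, accepts a retry after a minimum delay, and forgets the triplet after one day, wrapped in a responder for the Postfix SMTPD policy delegation protocol (attribute=value lines ending in a blank line, answered with an action= line). The request text and the delay values are constructed for the example.

```python
import time
from dataclasses import dataclass, field

@dataclass
class Greylist:
    """Triplet greylisting: defer first contact, accept a retry, forget old triplets."""
    retry_delay: float = 300.0    # seconds a sender must wait before its retry is accepted
    record_ttl: float = 86400.0   # keep a known-good triplet for one day, as in the text
    # (client_ip, sender, recipient) -> (timestamp, delivery_already_accepted)
    seen: dict = field(default_factory=dict)

    def check(self, client_ip, sender, recipient, now=None):
        """Return 'DEFER' or 'OK' for one delivery attempt; `now` lets tests drive the clock."""
        now = time.time() if now is None else now
        key = (client_ip, sender.lower(), recipient.lower())
        entry = self.seen.get(key)
        if entry is not None and now - entry[0] > self.record_ttl:
            del self.seen[key]           # expired after record_ttl: start over
            entry = None
        if entry is None:
            self.seen[key] = (now, False)
            return "DEFER"               # first contact: temporary 4xx, a real MTA queues and retries
        stamp, accepted = entry
        if not accepted and now - stamp < self.retry_delay:
            return "DEFER"               # retried too quickly; keep deferring
        self.seen[key] = (now, True)     # refresh the stamp so the triplet lives another record_ttl
        return "OK"

def policy_response(request, greylist, now=None):
    """Answer one Postfix SMTPD policy-delegation request (attribute=value lines, blank line ends it)."""
    attrs = dict(line.split("=", 1) for line in request.strip().splitlines() if "=" in line)
    verdict = greylist.check(attrs["client_address"], attrs["sender"], attrs["recipient"], now)
    if verdict == "DEFER":
        return "action=DEFER_IF_PERMIT 4.2.0 Greylisted, please try again later\n\n"
    return "action=DUNNO\n\n"            # no opinion: later Postfix restrictions decide

# Constructed policy request, in the format Postfix sends to a policy server.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.com\n"
    "recipient=bob@example.net\n"
    "\n"
)

if __name__ == "__main__":
    gl, t0 = Greylist(), 1_000_000.0
    print(policy_response(SAMPLE_REQUEST, gl, t0), end="")        # first attempt: deferred
    print(policy_response(SAMPLE_REQUEST, gl, t0 + 600), end="")  # retry 10 min later: DUNNO
```

A spam bot that never retries the deferred delivery never reaches the "OK" branch, which is the whole effect the text relies on.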
Conclusion

Battling spam has been somewhat of a technological cold war between IT professionals and spammers. Today the spammers come up with a new technique to get spam into our networks, and tomorrow the community of IT professionals develops a countermeasure for that technique. The next day it starts all over again. SPF and grey listing are just two possible countermeasures that can work today. But tomorrow the spammers may defeat both of them. The total elimination of spam may require a more drastic approach of redesigning how we deliver electronic mail, since the current technology base is rather outdated.
References

Greylisting. (2006). Retrieved February 3, 2006, from Wikipedia Web site: http://en.wikipedia.org/wiki/Grey_list

Stopping Spam. (2006). Retrieved February 3, 2006, from How Stuff Works Web site: http://computer.howstuffworks.com/spam4.htm

Sender Policy Framework. (2006). Retrieved February 3, 2006, from Wikipedia Web site: http://en.wikipedia.org/wiki/Sender_Policy_Framework
Mailborder Systems © 2005 - 2006