Reality IT: The Burden of Spoof

It seems that the spammers' messages had generated thousands of invalid address messages, recipient autoreplies and responses from junk-mail checkers requesting validation of the sender's identity. Many companies don't have a catch-all e-mail address to avoid these types of replies--but it's a necessity in our business, so we don't have a choice.

What Now?

Bucky and his crew checked the headers of many of the messages. Some of the bounces included the original message with the return message, but the spammers were using forged IP addresses, so it was difficult to track the messages' origin. The messages did include "unsubscribe" links, but they went to a throwaway e-mail address from one of the free public services. The penny stocks existed--we called some of the firms involved, but of course, they disavowed any knowledge of the scam.

In our view, there was more to the situation than just dealing with annoying e-mail messages--it was akin to the identify theft of our company name. Bucky called a few cybercrime contacts, but their response was not swift.

Our first action was to install a lengthy content filter for our catch-all e-mailbox. This filter automatically deletes e-mail with subject lines that contain certain keywords, such as auto, block, confirm, delivery, error, fail, nondelivery, problem, reject, return, undeliverable and unknown. We even added an international flavor to the filter, including terms like falshe, filtro and zustellungsfehler (don't ask me exactly what those mean, but you get the idea). We still get a ton of bounces and replies to spoofers, but the content filter pushes them aside. Ignorance is bliss.SPF 2005

SPF 2005 is not a superpowered suntan lotion. Sender Policy Framework is one of the new technologies in the battle against spam, and we're hoping it will help reduce our e-mail problems in the future. If the e-mail servers that bounced all those messages to ACME had used SPF, we would not have received their autogenerated replies.

Here's how it works. When an e-mail server using SPF receives a message, it does an SPF lookup via DNS (Domain Name System) and verifies that the sending e-mail server is valid for the domain of your address. To make SPF work, you must put an SPF record in your DNS that specifies the valid e-mail servers for your domain. Then you configure your antispam solutions to check for SPF records from sender domains, adding weights--pass, fail, soft fail or neutral--to the results of the lookup. For the DNS faint-of-heart, there's an SPF Record Wizard available.

Pleading With Peers

We've been using SPF on our e-mail servers, but for it to really make a difference, its use must be widespread. Our recommendation: Embrace SPF, and update your DNS records and SMTP antispam checking accordingly. Don't send autoreplies from the user level or server level to the Internet--why tell everyone a specific user doesn't exist on your server? Remind your employees not to try the "unsubscribe" link on junk e-mail--it usually makes things worse. I've heard of at least one company that is blocking all incoming messages from the free e-mail services--ACME isn't going that far yet, but the idea has some merit. Spam may seem like a minor annoyance to your users, but when it gets out of hand and affects infrastructure performance and employee productivity, it's serious business.Hunter Metatek is an enterprise IT director with 15 years' experience in network engineering and management. The events chronicled in this column are based in fact--only the names are fiction. Write to the author at [email protected].