SPAM.prevention.using.dns.v6


• 8/10/2019 SPAM.prevention.using.dns.v6

Slide 1/35: SPAM Prevention Using DNS Solutions

Implementing reverse domain name service (rDNS) and planning for SPF Classic

Presented by: Ed Horley

Date: May 2005

Slide 2/35: Overview

- SPAM prevention is the primary reason that rDNS and SPF Classic will become de jure within approximately 1-2 years (IETF ratified)
- Current methods for SPAM prevention are de facto solutions: filtering, black/white lists, etc.
- Reverse DNS (rDNS) is a great quick check to determine if an MTA is being run and maintained correctly, but it can be spoofed
- Sender Policy Framework (SPF v1) or SPF Classic is being used by service providers to confirm that the mail servers they are receiving mail from are authorized to do so on behalf of the sending domain; these records are published by the sending domain

Slide 3/35: Overview Continued

- Future additional solutions for SPAM prevention are Yahoo's DomainKeys, Sender Verification and perhaps Microsoft's Puzzle Solution (unlikely)
- Sender ID has been rejected by the IETF as a proposed standard (de jure) due to inclusion of patented technology by Microsoft, and Microsoft has modified it and resubmitted. It may or may not make it through this time depending on the dependencies the working committee sees on the patented or protected intellectual property


Slide 5/35: Solutions Used Today

Blacklists:
- SpamCop
- MAPS
- ORDB
- Spamhaus
- Spews
- SURBL
- Mail-abuse
- DSBL
- DNSBL
- DNSRBL

Client filters:
- Audiotrieve InBoxer
- Cloudmark SpamNet
- Lyris MailShield
- McAfee SpamKiller
- Aladdin SpamCatcher
- Sunbelt IHateSpam
- SpamBayes (open source)
- Spam Bully
- MailFrontier Matador

Slide 6/35: Solutions Used Today

Server filters:
- Exchange IMF (comes bundled with Exchange)
- XWall
- Vircom modusGate
- Sophos PureMessage
- Proofpoint Protection
- SurfControl
- Symantec
- Trend Micro
- GFI MailEssentials
- Sybari Antigen (Microsoft acquired Feb 2005)
- Network Associates / McAfee
- SpamAssassin (open source)
- Declude JunkMail

Hardware appliances:
- Barracuda 300
- BorderWare MXtreme
- CipherTrust IronMail
- IronPort C60
- Mail Foundry
- Sendio ICE Box
- Tumbleweed

Subscription services:
- Brightmail
- Commtouch
- Greenview Data
- Katharion
- Postini
- PUREmail


Slide 8/35: What to do now?

- SMTP mail gateway filters (hardware or software)
- Consider a commercial service (depends on the amount and type of traffic you expect to see for your environment)
- Software e-mail client filters (small business accounts)
- Blacklists / Whitelists (Enterprise and Service Providers)
- rDNS (anyone running an MTA that sends traffic to the Internet)
- SPF Classic (anyone running an MTA that sends traffic to the Internet)
- DomainKeys (Service Providers)

Slide 9/35: What is rDNS?

- rDNS is an acronym for reverse DNS
- It is a method of name resolution in which an IP address is resolved into a domain name
- It is the opposite of the typical resolution method of DNS, which resolves domain names into IP addresses
- It utilizes the existing DNS infrastructure by using a special reserved domain name: in-addr.arpa.
- IP addresses are more specific left to right and domain names are more specific right to left, therefore the rDNS IP listings are reversed
- Example: 63.251.192.20 would have a reverse entry of 20.192.251.63.in-addr.arpa.
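The reversal rule on this slide, and the "it can be spoofed" caveat from the overview, worked through in code. This is an added example, not code from the presentation: it builds the in-addr.arpa name for an address (and, going beyond the slide, the ip6.arpa name for IPv6) and then performs a forward-confirmed rDNS check, which is the check receivers use to catch a PTR record that names a host it does not belong to. The DNS data is a constructed in-memory stub with hypothetical names so the code runs offline.

```python
"""Reverse-DNS naming and a forward-confirmed rDNS (FCrDNS) check.

Added example, not code from the slides. The DNS data below is a
constructed in-memory stub so the example runs offline; a real deployment
would query the resolver (for instance with dnspython) in its place.
"""
import ipaddress


def reverse_name(ip: str) -> str:
    """PTR owner name for an address: IPv4 octets reversed under
    in-addr.arpa (63.251.192.20 -> 20.192.251.63.in-addr.arpa.), and, going
    beyond the slide, IPv6 nibbles reversed under ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


# Constructed stub zones (hypothetical names): PTR owner -> hostname, hostname -> A records
STUB_PTR = {
    "1.1.1.1.in-addr.arpa.": "mx1.ispa.example.",
    "2.2.2.2.in-addr.arpa.": "mx1.ispb.example.",
    # Whoever controls the reverse zone for 3.3.3.0/24 can publish any name,
    # so this PTR claims ISP A's hostname without controlling its forward zone.
    "3.3.3.3.in-addr.arpa.": "mx1.ispa.example.",
}
STUB_A = {
    "mx1.ispa.example.": {"1.1.1.1"},
    "mx1.ispb.example.": {"2.2.2.2"},
}


def fcrdns_check(ip: str, ptr_table=STUB_PTR, a_table=STUB_A) -> str:
    """Classify a connecting MTA's address.

    "none"      - no PTR at all (the unmaintained-relay or bogon case)
    "mismatch"  - a PTR exists but its name does not resolve back to the IP,
                  which is how a spoofed PTR is caught
    "confirmed" - the PTR name resolves forward to the connecting IP
    """
    name = ptr_table.get(reverse_name(ip))
    if name is None:
        return "none"
    return "confirmed" if ip in a_table.get(name, set()) else "mismatch"


if __name__ == "__main__":
    print(reverse_name("63.251.192.20"))          # 20.192.251.63.in-addr.arpa.
    for ip in ("1.1.1.1", "3.3.3.3", "4.4.4.4"):
        print(ip, fcrdns_check(ip))
```

A PTR record alone only proves that whoever runs the reverse zone chose to publish a name; the forward confirmation is what ties that name to the address, so receivers that "check rDNS" should do both lookups.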

Slide 10/35: Why you should do rDNS now

- Easy to implement
- Because spammers often use invalid IP addresses (bogons) to send e-mails, rDNS will determine the authenticity of a domain name compared to the IP address from which it is originating
- It is used as one of several de facto methods to determine the likelihood of a server being a SPAM relay
- Most Internet Service Providers are using this to determine legitimate mail sources
- Reduces probability of legitimate mail servers being added to a Blacklist

Slide 11/35: What is SPF Classic?

- SPF Classic is used to identify mail servers that are explicitly permitted to send mail for a particular domain (think outgoing)
- Domain owners identify permitted sending mail servers in DNS using TXT records
- SMTP receivers verify the envelope sender address against the DNS information and can distinguish legitimate mail servers before any message data is transmitted
- It is backward compatible with MTAs that are not patched with SPF filters or libraries (well, actually the old MTA just ignores it, if that is considered backward compatible!)
- Remember: MX records publish which IPs are to receive mail (incoming) destined for your domain; SPF records say which IPs are allowed to send mail (outgoing) on behalf of your domain

Slide 12/35: Why you should do SPF now

- Easy to implement (publish TXT records in DNS)
- It is used by AOL, Symantec, EarthLink, Google and more as one of several de facto methods to determine trustworthiness of the mail sources
- Most Internet Service Providers are currently using, or starting to use, this to determine legitimate mail sources
- Will move your mail to priority queues for processing for many providers including AOL; you can also submit to be added to the Whitelist for AOL
- Reduces probability of being added to a Blacklist
- Oct 1st, 2004: Microsoft, MSN and Hotmail will all start using Sender ID to prioritize incoming e-mail! (Sender ID is backward compatible with SPF Classic)

Slide 13/35: What to know about SPF Classic

- Meng Wong created SPF Classic. It used to be called Sender Permitted From and was changed to Sender Policy Framework
- SPF v1 (Classic) designates specific SMTP servers as being authorized to send for a FQDN
- Uses the TXT fields in DNS to publish relevant information
- Each sub-domain must be configured specifically
- SPF will become de jure within approximately 1-2 years; most popular filters are flagging this already
- Most MTAs support SPF Classic or have plug-ins available
- Backward compatible with existing technology
- It breaks e-mail forwarding. You'll have to switch from forwarding, where the envelope sender is preserved, to remailing, where the envelope sender is changed; your MTA will have to support this

Slide 14/35: What to know about Sender ID

- SPF Classic + PRA = Sender ID (basically now the MTA (think Exchange) checks SPF AND the MUA (think Outlook) checks the PRA, or Purported Responsible Address)
- Meng Wong and Microsoft submitted a draft RFC merging both solutions and called it Sender ID; it was just turned down as a standard by the IETF due to Microsoft patent issues, and it is back on the table again!
- Uses the TXT fields in DNS to publish relevant information, same as SPF but uses a new version number (SPF v2)
- Each sub-domain must be configured specifically, just like SPF
- Microsoft will be updating the MTA/MUAs to support PRA (or Sender ID): think Outlook, Outlook Express and Exchange
- Backward compatible with existing technology
- It breaks e-mail forwarding! You'll have to switch from forwarding, where the envelope sender is preserved, to remailing, where the envelope sender is changed, just like SPF

Slide 15/35: What to know about PRA *

A purported responsible address is determined as the first from the following list of items:

- the first Resent-Sender header in the message, unless (per the rules of RFC 2822) it is preceded by a Resent-From header and one or more Received or Return-Path headers occur after said Resent-From header and before the Resent-Sender header (see 3.6.6 of RFC 2822 for further information on Resent headers),
- the first mailbox in the first Resent-From header in the message,
- the Sender header in the message, and
- the first mailbox in the From header in the message

The purported responsible domain of a message is defined to be the domain part of the message's purported responsible address.
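The four-step selection above, implemented as a function over a raw message. This is an added example written with the Python standard library; it is not Microsoft's or the pobox.com code. The sample messages are constructed for the example, and one reading of the rule is an assumption noted in the code: "said Resent-From" is taken to be the nearest Resent-From header above the Resent-Sender.

```python
"""Purported Responsible Address (PRA) selection.

Added example implementing the header-selection order from the slide with
the Python standard library; it is not Microsoft's or the pobox.com code.
The sample messages below are constructed for this example.
"""
from email import message_from_string
from email.utils import getaddresses


def first_mailbox(value):
    """First addr-spec in a header value, or None if it has none."""
    addrs = [addr for _name, addr in getaddresses([value]) if addr]
    return addrs[0] if addrs else None


def purported_responsible_address(raw):
    """Pick the PRA from a raw RFC 2822 message (header order is preserved)."""
    msg = message_from_string(raw)
    headers = [(name.lower(), value) for name, value in msg.items()]
    names = [name for name, _ in headers]

    # 1. The first Resent-Sender, unless a Resent-From precedes it and a
    #    Received or Return-Path header sits between that Resent-From and it.
    #    Assumption: "said Resent-From" means the nearest preceding one.
    if "resent-sender" in names:
        rs = names.index("resent-sender")
        rf = [j for j in range(rs) if names[j] == "resent-from"]
        disqualified = bool(rf) and any(
            n in ("received", "return-path") for n in names[rf[-1] + 1:rs]
        )
        if not disqualified:
            return first_mailbox(headers[rs][1])

    # 2-4. First mailbox of the first Resent-From, then Sender, then From.
    for wanted in ("resent-from", "sender", "from"):
        if wanted in names:
            return first_mailbox(headers[names.index(wanted)][1])
    return None


def purported_responsible_domain(raw):
    """Domain part of the PRA, lower-cased; None if there is no PRA."""
    pra = purported_responsible_address(raw)
    return pra.rsplit("@", 1)[1].lower() if pra and "@" in pra else None


# Constructed sample messages (example domains only).
MSG_PLAIN = (
    "From: Alice <alice@example.com>\n"
    "To: bob@example.net\n"
    "Subject: hello\n\nbody\n"
)
MSG_RESENT = (                      # Received sits before the Resent-From: rule 1 applies
    "Received: from mx1.example.org by mx.example.net\n"
    "Resent-From: list@example.org\n"
    "Resent-Sender: owner@example.org\n"
    "From: Alice <alice@example.com>\n\nbody\n"
)
MSG_DISQUALIFIED = (                # Received between Resent-From and Resent-Sender: rule 2
    "Resent-From: list@example.org\n"
    "Received: from mx1.example.org by mx.example.net\n"
    "Resent-Sender: owner@example.org\n"
    "From: Alice <alice@example.com>\n\nbody\n"
)
MSG_SENDER = (                      # no Resent-* headers: Sender wins over From
    "Sender: bot@example.org\n"
    "From: Alice <alice@example.com>\n\nbody\n"
)

if __name__ == "__main__":
    for label, raw in (("plain", MSG_PLAIN), ("resent", MSG_RESENT),
                       ("disqualified", MSG_DISQUALIFIED), ("sender", MSG_SENDER)):
        print(label, purported_responsible_address(raw), purported_responsible_domain(raw))
```

The point of the Resent-Sender exception is visible in the two resent messages: a Received line between Resent-From and Resent-Sender means the Resent-Sender was added by a later hop, so responsibility falls back to the Resent-From.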

Slide 16/35: What is coming in a few years

DomainKeys:
- A Yahoo! submitted draft RFC: http://www.ietf.org/internet-drafts/draft-delany-domainkeys-base-00.txt
- Basically public/private keys for authenticating client mail and the servers along the path
- Acts as a chain of custody from the source client machine to the destination client machine
- Will require a major re-write of all MTAs to work (5 to 10 years, if at all?)
- Backward compatible with existing technology
- Google and Yahoo have already deployed!
- Has promise to be a great standard if adoption is quick enough

Slide 17/35: What is coming continued *

Puzzle Solution:
- Microsoft proposal
- Assumed for small businesses that cannot afford certificate services
- Sending mail server has to perform a time-consuming calculation for each mail sent
- Assumes spammers cannot afford the computational costs to send out large bulk mailings or the cost of the bulk certificate services
- Will require a major re-write of all MTAs to work (5 to 10 years, if at all?)
- Backward compatible with existing technology
- Solution has serious shortcomings
- Microsoft has little published on this solution

Slide 18/35: Future potential SPAM problems

- Disposable domain names, certificates and registrars
- Country-sanctioned activity (governments allowing for-profit activity or turning a blind eye to problem spammers) in order to generate $s
- Large zombie farms controlling clients with legit relay access (think large university or poorly managed corporate environments)
- Spyware agents that provide relay capabilities similar to zombie configurations
- IPv6 and Mobile IP devices becoming more prevalent
- Potential exploits that could turn large peer-to-peer networks into relays

Slide 19/35: How rDNS works

(Diagram: ISP A and ISP B connected across the Internet; the numbered callouts are listed below)

1. Worker sends e-mail to colleague
2. Internal SMTP servers take client e-mail
3. Internal SMTP servers forward e-mail to public ISP SMTP servers
4. Public ISP SMTP servers send e-mail to destination
5. Public SMTP servers receive e-mail and check rDNS
6. Public DNS servers supply reverse entries
7. Colleague receives e-mail from public SMTP servers

Records shown in the diagram:
MX: mx1.ispA.net -> 1.1.1.1
MX: mx1.ispB.net -> 2.2.2.2
PTR: 1.1.1.1 -> mx1.ispA.net
PTR: 2.2.2.2 -> mx1.ispB.net

Slide 20/35: How to request rDNS for sub /24 address blocks

- You will have to contact your ISP to request rDNS delegation; do this via e-mail so you have a written trail of correspondence
- You will likely have to talk to several departments to figure out who can actually do this for you; first contact your account manager
- Typically, the DNS group handles the sub-delegation, but not always; sometimes it is the networking group
- You will need to be patient but firm; inform them that you need it for anti-SPAM reasons for your mail server, to be RFC 2505 compliant
- RFC 2317 describes standard methods for rDNS sub /24 delegation formats; there is also the DeGroot hack from the book "DNS & BIND"; both work fine

Slide 21/35: Setting up RFC 2317 rDNS Delegation

Example of 64.94.106.40/29 configuration in the provider's servers:

$ORIGIN 106.94.64.in-addr.arpa.
; zone delegation of 64.94.106.40/29
; owner names below are relative to $ORIGIN
;
40-47 IN NS ns1.j2global.com.
40-47 IN NS ns2.j2global.com.
;
40 IN CNAME 40.40-47.106.94.64.in-addr.arpa.
41 IN CNAME 41.40-47.106.94.64.in-addr.arpa.
42 IN CNAME 42.40-47.106.94.64.in-addr.arpa.
43 IN CNAME 43.40-47.106.94.64.in-addr.arpa.
44 IN CNAME 44.40-47.106.94.64.in-addr.arpa.
45 IN CNAME 45.40-47.106.94.64.in-addr.arpa.
46 IN CNAME 46.40-47.106.94.64.in-addr.arpa.
47 IN CNAME 47.40-47.106.94.64.in-addr.arpa.

Slide 22/35: Setting up the rDNS Zone

Example of 64.94.106.40/29 configuration in your servers:

$ORIGIN 40-47.106.94.64.in-addr.arpa.
; zone delegation of 64.94.106.40/29
;
@ IN NS ns1.j2global.com.
@ IN NS ns2.j2global.com.
;
@ IN TXT "j2 Global Communications, Inc."
;
40 IN PTR 64.94.106.40.efax.com.
41 IN PTR 64.94.106.41.efax.com.
42 IN PTR 64.94.106.42.efax.com.
43 IN PTR 64.94.106.43.efax.com.
44 IN PTR 64.94.106.44.efax.com.
45 IN PTR 64.94.106.45.efax.com.
46 IN PTR 64.94.106.46.efax.com.
47 IN PTR 64.94.106.47.efax.com.
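The two zone fragments above (provider side and customer side) follow a fixed pattern, so here is an added example, not j2 Global's zone data, that generates both halves for any IPv4 block smaller than a /24 and then walks the resulting CNAME chain the way a resolver would when it answers a PTR query. Name servers and PTR targets are constructed placeholders under example.net.

```python
"""RFC 2317 classless in-addr.arpa delegation generator and walker.

Added example, not j2 Global's zone data. Generates the provider's CNAME/NS
stanza and the customer's PTR zone for a sub-/24 block, then follows the
CNAME chain as a resolver would. Name-server and PTR-target names are
constructed placeholders under example.net.
"""
import ipaddress


def rfc2317_records(cidr, nameservers, ptr_suffix="example.net."):
    """Return (provider_zone_lines, customer_zone_lines) for a sub-/24 block."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("RFC 2317 delegation is for IPv4 blocks longer than /24")
    o1, o2, o3, first = str(net.network_address).split(".")
    last = str(net.broadcast_address).split(".")[3]
    first, last = int(first), int(last)
    label = f"{first}-{last}"                        # the slides' "40-47" label
    parent = f"{o3}.{o2}.{o1}.in-addr.arpa."        # provider's /24 reverse zone
    child = f"{label}.{parent}"                      # zone delegated to the customer

    # Provider side: delegate the child zone, then alias each address into it.
    provider = [f"$ORIGIN {parent}", f"; zone delegation of {net}"]
    provider += [f"{label} IN NS {ns}" for ns in nameservers]
    provider += [f"{i} IN CNAME {i}.{child}" for i in range(first, last + 1)]

    # Customer side: the child zone carries the real PTR records.
    customer = [f"$ORIGIN {child}"]
    customer += [f"@ IN NS {ns}" for ns in nameservers]
    customer += [f"{i} IN PTR {o1}.{o2}.{o3}.{i}.{ptr_suffix}" for i in range(first, last + 1)]
    return provider, customer


def _parse(lines):
    """Map owner FQDN -> [(type, rdata)] from the generated zone lines."""
    origin, table = None, {}
    for line in lines:
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        elif line and not line.startswith(";"):
            owner, _cls, rtype, rdata = line.split()
            fqdn = origin if owner == "@" else f"{owner}.{origin}"
            table.setdefault(fqdn, []).append((rtype, rdata))
    return table


def resolve_ptr(ip, provider, customer):
    """Follow in-addr.arpa -> CNAME (provider) -> PTR (customer) for one IP.

    Returns (ptr_target_or_None, chain_of_names_followed).
    """
    name = ipaddress.ip_address(ip).reverse_pointer + "."
    chain = [name]
    for rtype, target in _parse(provider).get(name, []):
        if rtype == "CNAME":
            chain.append(target)
            for rtype2, rdata in _parse(customer).get(target, []):
                if rtype2 == "PTR":
                    return rdata, chain
    return None, chain


if __name__ == "__main__":
    prov, cust = rfc2317_records("64.94.106.40/29", ["ns1.example.net.", "ns2.example.net."])
    print("\n".join(prov), "\n\n", "\n".join(cust), sep="")
    print(resolve_ptr("64.94.106.41", prov, cust))
```

The walker makes the dependency explicit: a PTR answer for 64.94.106.41 only exists if the provider's CNAME for 41 points into a child zone that the customer's servers actually serve, which is why the request to the ISP on the previous slide matters.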

Slide 23/35: Checking the rDNS Zone

Example of checking the 64.94.106.40/29 configuration:

; <<>> DiG 2.1 <<>> @206.13.31.12 40.106.94.64.in-addr.arpa. PTR
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<-

Slide 24/35: How SPF Classic works

(Diagram: ISP A and ISP B connected across the Internet; the numbered callouts are listed below)

1. Worker sends e-mail to colleague
2. Internal SMTP servers take client e-mail
3. Internal SMTP servers forward e-mail to public ISP SMTP servers
4. Public ISP SMTP servers send e-mail to destination
5. Public SMTP servers receive e-mail and check SPF info
6. Public DNS servers supply TXT, MX and A records
7. Colleague receives e-mail from public SMTP servers

Records shown in the diagram:
ISP A: MX: mx1.ispA.net -> 1.1.1.1, TXT: "v=spf1 a mx -all"
ISP B: MX: mx1.ispB.net -> 2.2.2.2, TXT: "v=spf1 a mx -all"

Lookup results supplied in step 6:
TXT: v=spf1 a mx -all
MX: mx1.ispA.net
A: mx1.ispA.net -> 1.1.1.1

Slide 25/35: SPF Classic Syntax *

Some common SPF options in the TXT field:

- a = the A record entry for example.com sends e-mail on behalf of example.com
- mx = the published MX record entries for example.com do not only receive e-mail on behalf of example.com but send e-mail also
- ptr = approve any host that ends in example.com as part of its FQDN
- a: = a list of A record entries that are permitted to send e-mail on behalf of example.com
- mx: = a list of MX record entries that are permitted to send e-mail on behalf of example.com
- ip4: = a list of IP addresses that are permitted to send e-mail on behalf of example.com (CIDR)
- include: = a different domain that may send e-mail on behalf of example.com (relay through your service provider)
- -all = (fail) everything in the SPF record are the ONLY hosts/networks permitted to send (strictest policy; don't do unless you know all the ramifications)
- ~all = (soft fail) everything in the SPF record are the ONLY hosts/networks permitted to send (middle ground)
- ?all = not sure (technically neutral) if everything in the SPF record are the ONLY hosts/networks permitted to send (start publishing with this one first as it is the most liberal policy)

Please see http://spf.pobox.com/mechanisms.html for a more detailed description and see http://spf.pobox.com/whitepaper.pdf for an excellent whitepaper

Slide 26/35: Setting up SPF Classic

Configuration of example.com SPF:

$ORIGIN example.com.
; Leaving out the SOA info for space reasons
; NS records
@ IN NS ns1.example.com.
@ IN NS ns2.example.com.
; MX records
@ IN MX 10 mx1.example.com.
@ IN MX 20 mx2.example.com.
; A records
mx1 IN A 1.1.1.1
mx2 IN A 2.2.2.2
; TXT SPF records
@ IN TXT "v=spf1 a mx -all"
mx1 IN TXT "v=spf1 a -all"
mx2 IN TXT "v=spf1 a -all"

Slide 27/35: Register your SPF domain

Once you have configured SPF for your domain you should confirm your configuration at: www.dnsstuff.com

Then put the logo on your site!

Slide 28/35: Testing SPF Classic

Testing of example.com SPF: http://www.dnsstuff.com/pages/spf.htm

Dummy sample output from dnsstuff:

SPF lookup of sender [email protected]. from IP 1.1.1.1:
SPF string used: v=spf1 mx -all. Obtained the TXT record via DNS for example.com
Processing SPF string: v=spf1 mx -all. Checking against the TXT record
Testing 'mx' on IP=1.1.1.1, target domain example.com, CIDR 32, default=PASS. MATCH
Testing 'all' on IP=1.1.1.1, target domain example.com, CIDR 32, default=FAIL.
Result: PASS
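What the dnsstuff check above does internally, as an added example that is not the pobox.com reference implementation: a small SPF Classic evaluator covering the mechanisms from the syntax slide (a, mx, ptr, a:, mx:, ip4:, include:), the four "all" qualifiers and the redirect= modifier seen in the provider records later in the deck. It runs against a constructed in-memory DNS stub; the example.com entries mirror the "Setting up SPF Classic" zone, and the other names (partner.example, soft.example, ptrdom.example, corp.example) are hypothetical.

```python
"""Minimal SPF Classic (v=spf1) evaluator.

Added example, not the spf.pobox.com reference implementation. Handles the
mechanisms from the syntax slide (a, mx, ptr, a:, mx:, ip4:, include:), the
four "all" qualifiers and redirect=. DNS answers come from a constructed
in-memory stub so it runs offline: the example.com entries mirror the
"Setting up SPF Classic" zone; the other names are hypothetical.
"""
import ipaddress

STUB = {  # (owner, type) -> list of rdata
    ("example.com.", "TXT"): ["v=spf1 a mx -all"],
    ("example.com.", "MX"): ["mx1.example.com.", "mx2.example.com."],
    ("mx1.example.com.", "A"): ["1.1.1.1"],
    ("mx2.example.com.", "A"): ["2.2.2.2"],
    ("mx1.example.com.", "TXT"): ["v=spf1 a -all"],
    ("1.1.1.1.in-addr.arpa.", "PTR"): ["mx1.example.com."],
    ("partner.example.", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ?all"],
    ("soft.example.", "TXT"): ["v=spf1 include:partner.example ~all"],
    ("ptrdom.example.", "TXT"): ["v=spf1 ptr:example.com ?all"],
    ("corp.example.", "TXT"): ["v=spf1 redirect=example.com"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def dns(name, rtype, table=STUB):
    """Stub lookup; names are normalised to a trailing dot."""
    return table.get((name.rstrip(".") + ".", rtype), [])


def ip_in(ip, target, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{target}/{cidr}", strict=False)


def host_matches(ip, host, cidr, table):
    """a-style test: does any A record of host cover ip (within cidr)?"""
    return any(ip_in(ip, a, cidr) for a in dns(host, "A", table))


def ptr_matches(ip, domain, table):
    """ptr: a PTR name that resolves back to ip and ends in domain."""
    dom = domain.rstrip(".") + "."
    for name in dns(ipaddress.ip_address(ip).reverse_pointer, "PTR", table):
        fq = name.rstrip(".") + "."
        if (fq == dom or fq.endswith("." + dom)) and host_matches(ip, fq, 32, table):
            return True
    return False


def check_spf(ip, domain, table=STUB, depth=0):
    """Evaluate ip sending as domain: pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:                         # include/redirect loop guard
        return "permerror"
    records = [t for t in dns(domain, "TXT", table) if t.split(" ")[0] == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    redirect = None
    for term in records[0].split()[1:]:
        if "=" in term.partition(":")[0]:   # modifier: only redirect= is acted on
            if term.startswith("redirect="):
                redirect = term.split("=", 1)[1]
            continue
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        target, _, cidr = arg.partition("/")
        cidr = int(cidr) if cidr else 32
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip_in(ip, target, cidr)
        elif mech == "ip6":
            matched = False                # IPv4 senders only in this example
        elif mech == "a":
            matched = host_matches(ip, target or domain, cidr, table)
        elif mech == "mx":
            matched = any(host_matches(ip, mx, cidr, table)
                          for mx in dns(target or domain, "MX", table))
        elif mech == "ptr":
            matched = ptr_matches(ip, target or domain, table)
        elif mech == "include":
            matched = check_spf(ip, target, table, depth + 1) == "pass"
        else:
            return "permerror"             # unknown mechanism
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        return check_spf(ip, redirect, table, depth + 1)
    return "neutral"                       # no term matched and no all/redirect


if __name__ == "__main__":
    for ip, dom in (("1.1.1.1", "example.com"), ("9.9.9.9", "example.com"),
                    ("192.0.2.5", "soft.example"), ("10.0.0.1", "soft.example")):
        print(f"{ip} as {dom}: {check_spf(ip, dom)}")
```

Two behaviours worth noticing when reading the results: an include: only counts as a match when the included domain evaluates to pass (its ?all or ~all does not propagate), and a record that ends without an all term yields neutral, which is why the syntax slide recommends publishing an explicit ?all first and tightening from there.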

Slide 29/35: Impact on the Internet

- These solutions will help reduce overall architecture problems of Authentication, Authorization, and Accounting with e-mail (back to AAA)
- 68B e-mails daily, of which approx. 42.8B are spam, or 69% spam! [1]
- Estimated $1,400 annual savings per employee from lost productivity currently due to spam [2]

[1] The Radicati Group and Brightmail
[2] Vircom

Slide 30/35: Resource Links

rDNS:
http://www.ietf.org/rfc/rfc2317.txt
http://www.ietf.org/rfc/rfc2505.txt
http://www.arin.net/registration/lame_delegations/index.html
http://kbase.menandmice.com/view.html?rec=31
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/cnet/cncf_imp_dewg.asp
http://dedicated.pacbell.net/custcare/dns_worksheet.html

DNS tools:
http://www.dnsstuff.com/
http://us.mirror.menandmice.com/cgi-bin/DoDig
http://network-tools.com/
http://www.squish.net/dnscheck/
http://www.dns.net/dnsrd/tools.html
http://www.dnsreport.com/
http://www.samspade.org/t/

General references:
http://www.spamanatomy.com/
http://www.declude.com/Articles.asp?ID=97

Slide 31/35: Resource Links

SPF:
http://spf.pobox.com/howworks.html
http://spf.pobox.com/rfcs.html
http://spf.pobox.com/wizard.html
http://www.ietf.org/internet-drafts/draft-mengwong-spf-01.txt
http://www.dnsstuff.com/pages/spf.htm

Microsoft's PRA (E-mail Caller ID):
http://www.microsoft.com/downloads/details.aspx?FamilyID=9a9e8a28-3e85-4d07-9d0f-6daeabd3b71b&displaylang=en

Sender ID (the merged PRA and SPF):
http://www.microsoft.com/presspass/press/2004/may04/05-25SPFCallerIDPR.asp
http://www.microsoft.com/presspass/press/2004/jun04/06-24SIDSpecIETFPR.asp
http://www.microsoft.com/mscorp/twc/privacy/spam_senderid.mspx

Yahoo! DomainKeys:
http://antispam.yahoo.com/domainkeys
http://www.ietf.org/internet-drafts/draft-delany-domainkeys-base-00.txt

http://boycott-email-caller-id.org/

Slide 32/35: Look at some Service Providers' records

aol.com. 300 IN TXT "v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/23 ip4:205.188.159.0/24 ip4:64.12.136.0/23 ip4:64.12.138.0/24 ptr:mx.aol.com ?all"
aol.com. 300 IN TXT "spf2.0/pra ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24 ip4:205.188.156.0/23 ip4:205.188.159.0/24 ip4:64.12.136.0/23 ip4:64.12.138.0/24 ptr:mx.aol.com ?all"
cisco.com. 86400 IN TXT "v=spf1 ptr"
earthlink.net. 1800 IN TXT "v=spf1 ip4:207.217.120.0/23 ip4:207.69.200.0/24 ip4:209.86.89.0/24 ?all"
efax.com. 86400 IN TXT "v=spf1 ptr ?all"
google.com. 300 IN TXT "v=spf1 ptr ?all"
hotmail.com. 3600 IN TXT "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"
microsoft.com. 3600 IN TXT "v=spf1 mx redirect=_spf.microsoft.com"
msn.com. 900 IN TXT "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"
netzero.net. 600 IN TXT "v=spf1 ptr:untd.com ptr:netzero.net ptr:juno.com ?all"
symantec.com. 18000 IN TXT "v=spf1 ip4:198.6.49.0/24 ip4:65.125.29.0/25 ip4:206.204.57.47 ?all"

Slide 33/35: Questions and Answers

Slide 34/35: About Ed Horley

Ed Horley is a Sr. Network Engineer for j2 Global Communications, better known as eFax. Ed currently designs, supports and maintains j2's 58+ international and domestic collocation sites along with j2's core data center IP infrastructure. He is experienced in e-commerce web content delivery, large scale e-mail delivery, firewalls, IPSec VPNs, and specializes in routing and switching and DNS issues.

Ed is a Cisco Certified Network Professional (CCNP), a Microsoft Certified Professional (MCP) and a Microsoft Most Valuable Professional (MVP). Ed graduated from the University of the Pacific in 1992 with a BS in Civil Engineering.

When he is not playing on network gear you can find him out on the lacrosse field as an Umpire for Women's Lacrosse. He is currently married to his wonderful wife Krys and has two children, Briana and Aisha. He lives and works in Walnut Creek, CA.

Slide 35/35: Contact Info

Ed Horley [email protected]