Using SPF to reduce spam

Posted April 14th, 2011 by bryanr

Recently, our users have been receiving a lot of backscatter email: bounce messages for email sent to invalid addresses that the user never actually sent in the first place.  I hope that made sense…  The messages that were sent out used our employees' email addresses as the sender.  There is really nothing we can do to stop these spammers from imitating our email addresses and sending these messages.  What we can do is set up spam rules on our email server to identify the messages as spam, and other email admins would have to do the same for their email systems.

The first step is to create an SPF record for your DNS zone.  There are some great tools online that make this very easy; I like http://www.openspf.org.  The SPF setup tool that they provide makes it a quick process.  Once you have the record contents, add them to your DNS zone file as a text (TXT) record.  I would recommend that you use “-all” in your record, which states that email from your domain should only come from the servers specified in the SPF record.  This triggers a hard fail when the SPF record is checked and the message was delivered by a server that is not listed in the record.  If you want to be more lenient, you can use “~all”, which states that servers not specified in your SPF record are not preferred; it triggers a soft fail.  The problem with using a soft fail is that many spam-filtering servers will not add spam points for a soft fail unless a custom spam score is added.

We use Zimbra with SpamAssassin, and installing the SPF query tools was simple.  You will need to find instructions for your specific system.  With SpamAssassin, just add your SPF spam scores and other custom scores to /opt/zimbra/conf/spamassassin/local.cf.

Here is a sample:

score SPF_SOFTFAIL 2.000
score SPF_FAIL 5.000
score SPF_HELO_FAIL 5.000

You will want to change the score based on your required spam score.
