Ok: this is a targetted attack

Jay_Ashworth · February 11, 2013, 4:19pm

Clearly, someone has decided to shoot at me specifically, since this
latest spam supposedly from me:

Sean_Lazar · February 11, 2013, 9:39pm

Jay, you need to have SPF records for your domain. This will prevent the
spoofing you are seeing.

http://en.wikipedia.org/wiki/Sender_Policy_Framework

$ dig @8.8.8.8 baylink.com TXT

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 baylink.com TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11443
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;baylink.com. IN TXT

;; AUTHORITY SECTION:
baylink.com. 194 IN SOA localhost. jra.baylink.com.
2011032901 28800 14400 86400 600

;; Query time: 39 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 11 13:36:33 2013
;; MSG SIZE rcvd: 78

Sean

Jay_Ashworth · February 11, 2013, 9:50pm

I should in fact.

But am I incorrect in thinking that since the envelope address *was not
actually forged*, they wouldn't help here unless *Mailman* also processed
them?

(And alas, that article is itself complicated enough to tell me that I
need to do actual research on the issue, so it won't happen tonight.

Cheers,
-- jra

Rob_McEwen · February 11, 2013, 9:51pm

yep, while the purpose and effectiveness of SPF records are generally
VERY overrated... yet for a situation like this, an SPF record is VERY
valuable and it would be advised that you set this to a rather strict
record for a period of time. (just try to account for all the various
3rd party sending scenarios your users do, like sending from a
blackberry server, or e-mail forwarding, for any other situation where a
legit 3rd party IP would be legitimately sending mail with a "from"
address using your domain, etc.)

Then again, if this is "spear phishing" or very personalized harassment,
then the value of an SPF record would be somewhat uncharted territory
(at least for me)... it would be interesting to see if that improves
things. But, at the least, it would likely help some.

PC11 · February 11, 2013, 10:41pm

An SPF record will probably only add value if the receiving mail server for
the nanog list uses them to restrict allowed senders for the domain.

Rich_Kulawiec · February 11, 2013, 11:19pm

(a) SPF is just about entirely worthless and (b) if someone really has
it in for Jay and has at least minimal competence, it won't stop them --
minor variations in their tactics would suffice.

---rsk