How would a spammer get around SPF? One way is the method used by Spammer-X in his book Inside the Spam Cartel. Spammer-X is a retired spammer (so he says) and goes into a lot of the details in his book. I'll give a review when I'm done this series on sender authentication in six months or so.
According to Spammer-X, SPF stops novice spammers but not the professionals. The best way to beat SPF is to join it.
- First, Joe Spammer rents a dedicated spam host in a spammer-friendly location, like China.
- Next, he registers 100 domain names, and each domain is registered under a fake name and address.
- Next, DNS entries for each of the hosts are set up, including a valid pointer record (PTR), an MX record and reverse DNS entries for each domain.
In other words, they do everything that legitimate domains should do when they set up a domain.
Next, a self-published SPF record is appended to each domain's DNS entry, identifying the host as a valid, self-created SPF host that is responsible for any email coming from its domain. An example for superspammer.com might be the following:
v=spf1 mx ptr a:spammerplayground.superspammer.com -all
Reading this, we see that the permitted IPs that can send mail for this domain are any IP in the domain's mx record (ie, get the mx record of the domain in the envelope sender), if the sender ends in superspammer.com, or if the IP of the A-record of spammerplayground.superspammer.com is sending mail.
With all of these set up, a spammer can send mail from any of these 100 domains and they will all happily pass SPF checks because the IPs are authorized to send mail. The basic theory behind this is that if you can't beat them, join them.
I took the above example for Spammer-X's book, but I added the -all to the end because he didn't include it in his example. What if we did this:
v=spf1 mx ptr a:spammerplayground.superspammer.com ?all
This is yet another evasion technique: even if the mail is not authenticated it falls back to a Neutral. In other words, if the domain is spoofed, a spam filter should not treat is as such and should accept the mail anyways. After all, the guys at OpenSPF say that mail that returns Neutral should be treated the same as SPF None. As a spam fighter, it annoys me when domains do this (are you listening, Google?) because it effectively enables spoofers.
The flaw in this theory is that Spammer-X goes on to say that the majority of spam filters will treat the email with an SPF pass with a higher level of legitimacy and is therefore accountable for the email it sends. While this may be true for other spam filters, it certainly isn't true for us. My own internal statistics suggest that SPF-authenticated mail is still marked as spam a little over 50% of the time. So, mail that is verified by SPF is by no means guaranteed to be valid.
Secondly, even if a domain with valid SPF checks were found to be sending spam, they could get blacklisted very quickly. Spam fighters could also use the SPF information to build spam rules in short order.
Spammer-X does have a point, however; a flaw in SPF is that there is no external 3rd party verification of SPF records - anyone can sign up for it. Verisign, for example, goes out and verifies websites to make sure that they are secure when they sign up for SSL. If you aren't a good website, no "Verified by Verisign" for you. However, there is no equivalent "Signed by SPF" authority that makes sure that whoever signs up for it truly deserves to get it.