Sender authentication part 19: How spammers evade SPF

How would a spammer get around SPF?  One way is the method used by Spammer-X in his book Inside the Spam Cartel.  Spammer-X is a retired spammer (so he says) and goes into a lot of the details in his book.  I'll give a review when I'm done with this series on sender authentication in six months or so.

According to Spammer-X, SPF stops novice spammers but not the professionals.  The best way to beat SPF is to join it. 

  1. First, Joe Spammer rents a dedicated spam host in a spammer-friendly location, like China. 
  2. Next, he registers 100 domain names, and each domain is registered under a fake name and address. 
  3. Next, DNS entries for each of the hosts are set up, including a valid pointer record (PTR), an MX record and reverse DNS entries for each domain. 

In other words, they do everything that legitimate domains should do when they set up a domain.

Next, a self-published SPF record is appended to each domain's DNS entry, identifying the host as a valid, self-created SPF host that is responsible for any email coming from its domain.  An example for might be the following:

v=spf1 mx ptr -all

Reading this, we see that the permitted IPs that can send mail for this domain are any IP in the domain's MX record (i.e., get the MX record of the domain in the envelope sender), if the sender ends in, or if the IP of the A-record of is sending mail. 

With all of these set up, a spammer can send mail from any of these 100 domains and they will all happily pass SPF checks because the IPs are authorized to send mail.  The basic theory behind this is that if you can't beat them, join them.

I took the above example from Spammer-X's book, but I added the -all to the end because he didn't include it in his example.  What if we did this:

v=spf1 mx ptr ?all

This is yet another evasion technique: even if the mail is not authenticated it falls back to a Neutral.  In other words, if the domain is spoofed, a spam filter should not treat it as such and should accept the mail anyways.  After all, the guys at OpenSPF say that mail that returns Neutral should be treated the same as SPF None.  As a spam fighter, it annoys me when domains do this (are you listening, Google?) because it effectively enables spoofers.
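The two records above, run through an SPF evaluator as an added example (not code from the original post or from Spammer-X's book): the sender's own host passes under both, while an unlisted host gets Fail under -all and Neutral under ?all. The domain bulk.example, the addresses and the in-memory DNS tables are constructed, and only the mx, ptr and all mechanisms are handled.

```python
# Added example: SPF evaluation restricted to the mx, ptr and all mechanisms.
# The zone data is constructed (RFC 5737 addresses, .example names), not real DNS.
MX = {"bulk.example": ["mail.bulk.example"]}    # domain -> MX hosts
A = {"mail.bulk.example": ["192.0.2.10"]}       # host -> addresses
PTR = {"192.0.2.10": "mail.bulk.example"}       # address -> reverse name

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse(record):
    """Split an SPF record into (qualifier, mechanism) pairs."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    pairs = []
    for term in terms[1:]:
        if term[0] in RESULTS:
            pairs.append((term[0], term[1:].lower()))
        else:
            pairs.append(("+", term.lower()))   # no qualifier means '+'
    return pairs

def matches(mechanism, domain, ip):
    if mechanism == "all":
        return True
    if mechanism == "mx":
        return any(ip in A.get(host, []) for host in MX.get(domain, []))
    if mechanism == "ptr":
        name = PTR.get(ip, "")
        in_domain = name == domain or name.endswith("." + domain)
        return in_domain and ip in A.get(name, [])   # forward-confirmed
    raise ValueError("mechanism not handled here: " + mechanism)

def check_host(record, domain, ip):
    """Return the SPF result for `ip` sending mail as `domain`."""
    for qualifier, mechanism in parse(record):
        if matches(mechanism, domain, ip):
            return RESULTS[qualifier]
    return "neutral"   # nothing matched and no 'all' term: RFC 7208 default

def spoofing_protection(record):
    """True if unlisted senders end in fail or softfail rather than neutral/pass."""
    for qualifier, mechanism in parse(record):
        if mechanism == "all":
            return qualifier in "-~"
    return False

STRICT, LOOSE = "v=spf1 mx ptr -all", "v=spf1 mx ptr ?all"
```

A Pass here only says the host is listed by the domain's own record; it carries no information about whether the domain deserves trust, so a filter still needs content and reputation scoring on top of it.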

The flaw in this theory is that Spammer-X goes on to say that the majority of spam filters will treat email with an SPF pass as having a higher level of legitimacy, because the domain is therefore accountable for the email it sends.  While this may be true for other spam filters, it certainly isn't true for us.  My own internal statistics suggest that SPF-authenticated mail is still marked as spam a little over 50% of the time.  So, mail that is verified by SPF is by no means guaranteed to be valid.

Secondly, even if a domain with valid SPF checks were found to be sending spam, they could get blacklisted very quickly.  Spam fighters could also use the SPF information to build spam rules in short order.

Spammer-X does have a point, however; a flaw in SPF is that there is no external 3rd party verification of SPF records - anyone can sign up for it.  Verisign, for example, goes out and verifies websites to make sure that they are secure when they sign up for SSL.  If you aren't a good website, no "Verified by Verisign" for you.  However, there is no equivalent "Signed by SPF" authority that makes sure that whoever signs up for it truly deserves to get it. 

Comments (7)
  1. JohnGalt says:

    … of this makes me believe that MS’s approach with Outlook 2007 to have the Key generated that takes no effort really for a single message but lots of effort for a spammer and would require huge numbers of new computers is the way to go.

    Does anyone have any info on how to generate the unique values for the messages so that 3rd parties can add them to their Messages? We’ve been trying for a long time to find that info so that our messages get encoded like Outlook 2007 and thus get through spam filters better…

  2. Stevan Bajic says:

    @JohnGalt: About what key are you talking (I don’t use Outlook)? Do you have any link to a technical document regarding this key?

    @Terry: Well… SPF is just one small part of the filtering game. Evading SPF is in no way a blank ticket on my server to deliver mail directly to the recipient’s inbox. The spammer would need to break much much more things in order to pass unfiltered and unscored into an inbox.

    BTW: Reputations like helps to identify those 100 new created domains (from your example) and to act accordingly.

  3. Norman Diamond says:

    > a spammer-friendly location, like China.

    Yes like China, but equally like the US, Japan, Romania, Russia, Malaysia, etc.  Some of us remember the US national government overruling state governments which had tried as hard as they could (pitifully poor though it was) to put a stop to the practices of Sprint, UUnet, Genuity, Digex, etc.  Some of us remember Japan’s largest telecom (formerly monopoly) getting court orders against spammers with the very important exclusion of not getting court orders against itself.

  4. tzink says:

    To JohnGalt: It sounds like you are referring to an authentication and anti-spam technique that is used in Exchange and Outlook; I don’t have that much familiarity with Exchange’s spam filtering, but is that what you are referring to?

    To Stevan Bajic: Reputations like Senderbase would help, but I think the spammer’s point is that he would set up these domains before they had a reputation and exploit their "newness".  

    For example, if a spammer could get past a filter with an authenticated domain, then its reputation would appear as good.  Filters that use reputation analysis with authentication to give messages a free pass would be allowing spam a free pass to the user’s inbox.

    To Norman: When I refer to spammer-friendly location in my post, I meant countries with bullet-proof hosting wherein even if the spammer’s ISP is complained to, they won’t shut down the site.  China is definitely spammer-friendly, but at least in most parts of the US an ISP will shut down a spam site when they receive complaints.

  5. Norman Diamond says:

    > When I refer to spammer-friendly location in my
    > post, I meant countries with bullet-proof hosting
    > wherein even if the spammer’s ISP is complained to,
    > they won’t shut down the site.

    Me too.  Sprint was the first big provider that was famous for exactly this kind of bullet-proof spam servicing.  Later UUnet did the same, Digex wasn’t big but they did the same, Genuity did the same, etc.  Earthlink used to solve their spam problems by bouncing complaints about their spams.  In modern times other ISPs do the same.  MSN and Yahoo used to provide bulletproof redirection services to spammers’ sites.

    Countries where laws assist bulletproof spam hosting include the US and Japan.  About China I don’t know for sure, but I read rumours that Chinanet’s bulletproof spam hosting is not supported by Chinese law.

  6. says:

    Very interesting to read this article. I would like to thank you for the efforts you had made for writing this awesome article.
