SPAM prevention using DNS

1
SPAM prevention using DNS

• Implementing reverse domain name services (rDNS)
  and planning for Sender ID
• Presented by Edward Horley
• For TVNUG July 2004

2
Overview

• SPAM prevention is the primary reason that rDNS
  and Sender ID will become de jure within
  approximately 1-2 years
• Current methods for SPAM prevention are de facto
  solutions
• Possible future solutions for SPAM prevention are
  DomainKeys and Puzzle Solution

3
Solutions Overview

• Current de facto solutions
• Blacklists (IP and DNS based)
• rDNS (it is currently optional)
• Anti-spam filtering (Bayesian and others)
• Anti-spam services (Brightmail, etc)
• Hardware appliance filters / services
• Custom built scripts and applications

4
Solutions Used Today

• Blacklists
• SpamCop
• MAPS
• ORDB
• SPAMhaus
• Spews
• SURBL
• Mail-abuse
• DSBL
• DNSBL
• DNSRBL

• Client filters
• Audiotrieve InBoxer
• Cloudmark SpamNet
• Lyris MailShield
• McAfee SpamKiller
• Aladdin SpamCatcher
• Sunbelf IHateSpam
• SpamBayes (open source)
• Spam Bully
• MailFrontier Matador
• Cloudmark Spamnet

5
Solutions Used Today

• Server filters
• Exchange IMF
• XWall
• Vircom modusGate
• Sophos PureMessage
• Proofpoint Protection
• SurfControl
• Symantec
• Trend Micro
• GFI MailEssentials
• Sybari Antigen
• Network Associates
• SpamAssassin (open source)
• Declude JunkMail

• Hardware Appliances
• BorderWare MXtreme
• IronPort C60
• Barracuda 300
• Tumbleweed
• Subscription Services
• Brightmail
• Postini
• Greenview Data
• Katharion

6
The Proposed Solutions

• Short term solutions
• Internet Engineering Task Force (IETF) draft
  rfcs
• Sender Policy Framework (SPF Classic)
• Sender ID (new version of SPF)
• DomainKeys
• Long term solutions
• Internet Research Task Force (IRTF)
• New version of SMTP?

7
What to do now?

• SMTP mail gateway filters
• Consider a commercial service
• Software e-mail client filters
• Blacklists
• rDNS
• SPF Classic -gt Sender ID

8
Why you should do rDNS now

• Easy to implement
• It is used as one of several de facto methods to
  determine the likelihood of a server being a SPAM
  relay
• Most Internet Service Providers are using this to
  determine legitimate mail servers
• Reduces probability of being added to a Blacklist

9
What to plan for soon

• SPF Classic Email caller ID Sender ID
• SPF Classic used to be called Sender Permitted
  From and was changed to Sender Policy
  Framework
• Now a Meng Wong and Microsoft submitted draft rfc
  it merged both solutions and is now called
  Sender ID
• http//www.ietf.org/internet-drafts/draft-mengwong
  -spf-01.txt
• Designates specific SMTP servers as being
  authorized to send for a FQDN
• Each sub-domain must be configured specifically
• Will become de jure within approximately 1-2
  years most popular filters are flagging this
  already
• Most MTAs support SPF Classic or have plug-ins
  available
• Backward compatible with existing technology

10
What is coming in a few years

• DomainKeys
• A Yahoo! submitted draft rfc
• http//www.ietf.org/internet-drafts/draft-delany-d
  omainkeys-base-00.txt
• Basically public/private keys for authenticating
  client mail and the servers along the path
• Acts as a chain of custody from the source client
  machine to the destination client machine
• Will require a major re-write of all MTAs to
  work 5 to 10 years if at all
• Backward compatible with existing technology

11
What is coming continued

• Puzzle Solution
• Microsoft proposal
• Sending mail server has to perform time consuming
  calculation for each mail sent
• Assumes spammers cannot afford the computational
  costs to send out large bulk mailings
• Will require a major re-write of all MTAs to
  work 5 to 10 years if at all
• Backward compatible with existing technology

12
Future potential SPAM problems

• Disposable Domain Names
• Country Sanctioned Activity (Government for
  profit activity)
• Large Zombie Farms controlling clients with legit
  relay access (University or corporate
  environments)

13
How to request rDNS for sub /24 address blocks

• You will have to contact your ISP to request rDNS
  delegation do this via e-mail so you have a
  written trail of correspondence
• You will likely have to talk to several
  departments to figure out who can actually do
  this for you
• Typically, the DNS group handles the
  sub-delegation but not always
• You will need to be patient but firm inform
  them that you need it for Anti-SPAM reasons for
  your mail server

14
Setting up rDNS Delegation

• Example of 64.94.106.40/29 configuration by the
  provider
• ORIGIN 106.94.64.in-addr.arpa.
• zone delegation of 64.94.106.40/29
• 40-47. IN NS ns1.j2global.com
• 40-47. IN NS ns2.j2global.com
• 40. IN CNAME 40.40-47.106.94.64.in-addr.arpa.
• 41. IN CNAME 41.40-47.106.94.64.in-addr.arpa.
• 42. IN CNAME 42.40-47.106.94.64.in-addr.arpa.
• 43. IN CNAME 43.40-47.106.94.64.in-addr.arpa.
• 44. IN CNAME 44.40-47.106.94.64.in-addr.arpa.
• 45. IN CNAME 45.40-47.106.94.64.in-addr.arpa.
• 46. IN CNAME 46.40-47.106.94.64.in-addr.arpa.
• 47. IN CNAME 47.40-47.106.94.64.in-addr.arpa.

15
Setting up the rDNS Zone

• Example of 64.94.106.40/29 configuration on
  hosting rDNS server
• ORIGIN 40-47.106.94.64.in-addr.arpa.
• zone delegation of 64.94.106.40/29
• _at_ IN NS ns1.j2global.com.
• _at_ IN NS ns2.j2global.com.
• _at_ IN TXT "j2 Global Communications, Inc."
• 40 IN PTR 64.94.106.40.efax.com.
• 41 IN PTR 64.94.106.41.efax.com.
• 42 IN PTR 64.94.106.42.efax.com.
• 43 IN PTR 64.94.106.43.efax.com.
• 44 IN PTR 64.94.106.44.efax.com.
• 45 IN PTR 64.94.106.45.efax.com.
• 46 IN PTR 64.94.106.46.efax.com.
• 47 IN PTR 64.94.106.47.efax.com.

16
Checking the rDNS Zone

• Example of checking the 64.94.106.40/29
  configuration to make sure it works
• ltltgtgt DiG 2.1 ltltgtgt _at_206.13.31.12
  40.106.94.64.in-addr.arpa. PTR
• (1 server found)
• res options init recurs defnam dnsrch
• got answer
• -gtgtHEADERltlt- opcode QUERY, status NOERROR,
  id 10
• flags qr rd ra Ques 1, Ans 2, Auth 2,
  Addit 0
• QUESTIONS
• 40.106.94.64.in-addr.arpa, type PTR, class
  IN
• ANSWERS
• 40.106.94.64.in-addr.arpa. 43200 CNAME 40.40-47.10
  6.94.64.in-addr.arpa.
• 40.40-47.106.94.64.in-addr.arpa. 86400 PTR 64.94.1
  06.40.efax.com.
• AUTHORITY RECORDS
• 40-47.106.94.64.in-addr.arpa. 86400 NS ns2.j2globa
  l.com.
• 40-47.106.94.64.in-addr.arpa. 86400 NS ns1.j2globa
  l.com.
• Total query time 48 msec
• FROM us.mirror.menandmice.com to SERVER
  206.13.31.12
• WHEN Tue Jul 20 012009 2004

17
Setting up SPF Classic

• Configuration of example.com SPF
• ORIGIN example.com.
• Leaving out the SOA info for space reasons
• NS records
• _at_ IN NS ns1.example.com.
• _at_ IN NS ns2.example.com.
• MX records
• _at_ IN MX 10 mx1.example.com.
• _at_ IN MX 20 mx2.example.com.
• A records
• mx1 IN A 1.1.1.1
• mx2 IN A 2.2.2.2
• TXT SPF records
• _at_ IN TXT "vspf1 a mx -all"
• mx1 IN TXT "vspf1 a -all"
• mx2 IN TXT "vspf1 a -all"

18
Register your SPF domain

• Once you have configured SPF for your domain you
  should register it at
• http//spftools.infinitepenguins.net/register.php
• Then put the logo on your site!

19
Testing SPF Classic

• Testing of example.com SPF
• http//www.dnsstuff.com/pages/spf.htm
• Dummy Sample Output from dnsstuff
• SPF lookup of sender droid_at_example.com. from IP
  1.1.1.1
• SPF string used vspf1 mx -all.
• Processing SPF string vspf1 mx -all.
• Testing 'mx' on IP1.1.1.1, target domain
  example.com, CIDR 32, defaultPASS. MATCH!
• Testing 'all' on IP1.1.1.1, target domain
  example.com, CIDR 32, defaultFAIL.
• Result PASS

20
Impact on the Internet

• These solutions will help reduce overall
  architecture problems of Authentication,
  Authorization, and Accounting with e-mail (back
  to AAA)
• 68B e-mails daily of which approx. 42.8B are spam
  or 69 spam!1
• Estimated 1,400 annual savings per employee from
  lost productivity currently due to spam2
• 1 The Radicati Group and Brightmail
• 2 - Vircom

21
Questions and Answers
22
Resource Links

• rDNS
• http//www.ietf.org/rfc/rfc2317.txt
• http//www.ietf.org/rfc/rfc2505.txt
• http//www.arin.net/registration/lame_delegations/
  index.html
• http//kbase.menandmice.com/view.html?rec31
• http//www.microsoft.com/windows2000/techinfo/resk
  it/en-us/default.asp?url/windows2000/techinfo/res
  kit/en-us/cnet/cncf_imp_dewg.asp
• http//dedicated.sbcis.net/customer_support/dns_wo
  rksheet.html
• http//dedicated.sbcis.net/customer_support/revers
  e_delegation.html
• DNS tools
• http//www.dnsstuff.com/
• http//us.mirror.menandmice.com/cgi-bin/DoDig
• http//network-tools.com/
• http//www.squish.net/dnscheck/
• http//www.dns.net/dnsrd/tools.html
• http//www.dnsreport.com/
• http//www.samspade.org/t/
• General references

23
Resource Links

• Meng Wongs SPF
• http//spf.pobox.com/howworks.html
• http//spf.pobox.com/rfcs.html
• http//www.ietf.org/internet-drafts/draft-mengwong
  -spf-01.txt
• Microsofts E-mail Caller ID
• http//www.microsoft.com/downloads/details.aspx?Fa
  milyID9a9e8a28-3e85-4d07-9d0f-6daeabd3b71bdispla
  ylangen
• Sender ID the merged E-mail Caller ID and SPF
• http//www.microsoft.com/presspass/press/2004/may0
  4/05-25SPFCallerIDPR.asp
• http//www.microsoft.com/presspass/press/2004/jun0
  4/06-24SIDSpecIETFPR.asp
• http//www.microsoft.com/mscorp/twc/privacy/spam_s
  enderid.mspx
• http//spf.pobox.com/wizard.html
• http//spftools.infinitepenguins.net/register.php
• http//www.dnsstuff.com/pages/spf.htm
• Yahoo! DomainKeys
• http//antispam.yahoo.com/domainkeys
• http//www.ietf.org/internet-drafts/draft-delany-d
  omainkeys-base-00.txt

24
Contact Info

• Ed Horley ed_at_tvnug.org

25
35 Years Since Man walked on the Moon!