SPAM Prevention Using DNS Solutions - PowerPoint PPT Presentation

1
SPAM Prevention Using DNS Solutions
  • Implementing reverse domain name services (rDNS)
    and planning for SPF Classic
  • Presented by: Edward Horley
  • Date: October 2004

2
Overview
  • SPAM prevention is the primary reason that rDNS and
    SPF Classic will become de jure standards (IETF
    ratified) within approximately 1-2 years
  • Current methods for SPAM prevention are de facto
    solutions: filtering, lists, etc.
  • Possible future solutions for SPAM prevention are
    DomainKeys and the Puzzle Solution
  • Sender ID has been rejected by the IETF as a proposed
    (de jure) standard because of Microsoft's patent
    claims on the technology

3
Solutions Overview
  • Current de facto solutions
      • Blacklists (IP and DNS based)
      • rDNS (optional)
      • Anti-spam filtering (Bayesian and others)
      • Anti-spam services (Brightmail, Postini,
        PUREmail, etc.)
      • Hardware appliance filters / services
      • Custom built scripts and applications
      • Sender Verification
      • Whitelists
      • SPF Classic (optional)

4
Solutions Used Today
  • Blacklists
      • SpamCop
      • MAPS
      • ORDB
      • SPAMhaus
      • Spews
      • SURBL
      • Mail-abuse
      • DSBL
      • DNSBL
      • DNSRBL
  • Client filters
      • Audiotrieve InBoxer
      • Cloudmark SpamNet
      • Lyris MailShield
      • McAfee SpamKiller
      • Aladdin SpamCatcher
      • Sunbelt IHateSpam
      • SpamBayes (open source)
      • Spam Bully
      • MailFrontier Matador

5
Solutions Used Today
  • Server filters
      • Exchange IMF
      • XWall
      • Vircom modusGate
      • Sophos PureMessage
      • Proofpoint Protection
      • SurfControl
      • Symantec
      • Trend Micro
      • GFI MailEssentials
      • Sybari Antigen
      • Network Associates
      • SpamAssassin (open source)
      • Declude JunkMail
  • Hardware Appliances
      • BorderWare MXtreme
      • IronPort C60
      • Barracuda 300
      • Tumbleweed
  • Subscription Services
      • Brightmail
      • Postini
      • PUREmail
      • Greenview Data
      • Katharion

6
The Proposed Solutions
  • Short term solutions
      • Internet Engineering Task Force (IETF)
        Internet-Drafts
      • Sender Policy Framework (SPF Classic)
      • Sender ID (SPF Classic + Caller ID), Microsoft
        Internet-Draft
      • DomainKeys
  • Long term solutions
      • Internet Research Task Force (IRTF)
      • New version / next generation of SMTP?

7
What to do now?
  • SMTP mail gateway filters
  • Consider a commercial service
  • Software e-mail client filters
  • Blacklists / Whitelists
  • rDNS
  • SPF Classic

8
What is rDNS?
  • rDNS is an acronym for reverse DNS
  • It is a method of name resolution in which an IP
    address is resolved into a domain name
  • It is the opposite of the typical resolution method
    of DNS, which resolves domain names into IP addresses
  • It utilizes the existing DNS infrastructure by using
    a special reserved domain name, in-addr.arpa., and
    PTR records
  • IP addresses are more specific left to right and
    domain names are more specific right to left,
    therefore the octets are written in reverse order
    under in-addr.arpa.
  • Example: 63.251.192.20 would have a reverse entry
    (PTR record) at 20.192.251.63.in-addr.arpa.

9
Why you should do rDNS now
  • Easy to implement
  • Because spam is often sent from addresses with no
    PTR record, or with a generic one that does not match
    the claimed hostname, receiving MTAs look up the PTR
    of the connecting IP address and compare it with the
    forward (A) lookup of the resulting name; a missing or
    mismatched result is treated as a spam indicator
  • It is used as one of several de facto methods to
    determine the likelihood of a server being a SPAM
    relay
  • Most Internet Service Providers are using this to
    determine legitimate mail sources
  • Reduces the probability of legitimate mail servers
    being added to a Blacklist
  • Check: the hostname in your PTR must itself resolve
    back to the same IP address (forward-confirmed rDNS),
    or the check fails just as if the PTR were missing

10
What is SPF Classic?
  • SPF Classic is used to identify the mail servers that
    are permitted to send mail for a particular domain
  • Domain owners list their sending mail servers in DNS
    using a TXT record (v=spf1 ...)
  • SMTP receivers take the domain of the envelope sender
    (MAIL FROM), fetch its record, and check whether the
    connecting IP address is authorized; unauthorized
    senders can be rejected at the MAIL FROM stage, before
    any message data (DATA) is transmitted
  • It is backward compatible: MTAs that are not patched
    with SPF filters or libraries simply ignore the record

11
Why you should do SPF Classic now
  • Easy to implement
  • It is used by AOL, Symantec, EarthLink, Google and
    more as one of several de facto methods to determine
    the trustworthiness of mail sources
  • Most Internet Service Providers are currently using,
    or starting to use, this to determine legitimate mail
    sources
  • Will move your mail to priority queues for processing
    at many providers, including AOL
  • Reduces the probability of being added to a Blacklist
  • On Oct 1st, 2004, Microsoft, MSN and Hotmail will all
    start using Sender ID to prioritize incoming e-mail!
    Sender ID reads existing SPF Classic (v=spf1) records,
    but checks them against the Purported Responsible
    Address taken from the message headers rather than
    the envelope sender, so forwarded and mailing-list
    mail can get a different result than under SPF Classic

12
What to know about SPF Classic
  • SPF Classic + E-mail Caller ID = Sender ID
  • Meng Wong created SPF Classic. It used to be called
    Sender Permitted From and was renamed Sender Policy
    Framework
  • Meng Wong and Microsoft submitted a draft RFC merging
    both solutions and called it Sender ID; it was just
    turned down as a standard by the IETF over Microsoft
    patent issues
  • Designates specific SMTP servers as authorized to
    send mail for a domain name
  • Uses TXT records in DNS to publish the policy
  • Each sub-domain must be configured specifically: a
    record on example.com does not cover sub.example.com
  • Will become de jure within approximately 1-2 years;
    the most popular filters are flagging it already
  • Most MTAs support SPF Classic or have plug-ins
    available
  • Backward compatible with existing technology

13
What is coming in a few years
  • DomainKeys
  • A Yahoo! submitted draft RFC
  • http://www.ietf.org/internet-drafts/draft-delany-domainkeys-base-00.txt
  • Public/private key signing of mail: the sending
    domain signs each message with its private key and
    publishes the matching public key in DNS; receivers
    fetch the key and verify the signature over the
    headers and body
  • Because the signature travels with the message, it
    still verifies after relaying through intermediate
    servers, unlike a check based on the connecting IP
  • Will require signing and verification support in
    MTAs to work; 5 to 10 years if at all
  • Backward compatible with existing technology

14
What is coming continued
  • Puzzle Solution
  • Microsoft proposal (a proof-of-work scheme)
  • Sending mail server has to perform a time-consuming
    calculation for each mail sent
  • Assumes spammers cannot afford the computational cost
    of large bulk mailings (an assumption the zombie
    farms on the next slide undermine, since the cost
    falls on the compromised machines)
  • Will require a major re-write of all MTAs to work;
    5 to 10 years if at all
  • Backward compatible with existing technology

15
Future potential SPAM problems
  • Disposable Domain Names
  • Country Sanctioned Activity (governments allowing
    for-profit spam activity or turning a blind eye to
    problem spammers)
  • Large Zombie Farms controlling clients with legitimate
    relay access (think large University or corporate
    environments)
  • Spyware agents that provide relay capabilities
    similar to Zombie configurations

16
How rDNS works
    ISP A:  MX mx1.ispA.net -> 1.1.1.1    PTR 1.1.1.1 -> mx1.ispA.net
    ISP B:  MX mx1.ispB.net -> 2.2.2.2    PTR 2.2.2.2 -> mx1.ispB.net
    (Internet between them: each receiving MX looks up the
    PTR of the address that connects to it; 1.1.1.1 and
    2.2.2.2 are placeholders on the slide)

17
How to request rDNS for sub /24 address blocks
  • You will have to contact your ISP to request rDNS
    delegation; do this via e-mail so you have a written
    trail of correspondence
  • You will likely have to talk to several departments
    to figure out who can actually do this for you
  • Typically the DNS group handles the sub-delegation,
    but not always; sometimes it is the networking group
  • You will need to be patient but firm: inform them
    that you need it for anti-SPAM reasons for your mail
    server

18
Setting up rDNS Delegation
  • Example of 64.94.106.40/29 configuration by the
    provider (RFC 2317 classless delegation inside the
    provider's 106.94.64.in-addr.arpa. zone)

    $ORIGIN 106.94.64.in-addr.arpa.
    ; zone delegation of 64.94.106.40/29
    40-47   IN NS    ns1.j2global.com.
    40-47   IN NS    ns2.j2global.com.
    40      IN CNAME 40.40-47.106.94.64.in-addr.arpa.
    41      IN CNAME 41.40-47.106.94.64.in-addr.arpa.
    42      IN CNAME 42.40-47.106.94.64.in-addr.arpa.
    43      IN CNAME 43.40-47.106.94.64.in-addr.arpa.
    44      IN CNAME 44.40-47.106.94.64.in-addr.arpa.
    45      IN CNAME 45.40-47.106.94.64.in-addr.arpa.
    46      IN CNAME 46.40-47.106.94.64.in-addr.arpa.
    47      IN CNAME 47.40-47.106.94.64.in-addr.arpa.

  • Note the trailing dots on the NS targets: without
    them the name server treats ns1.j2global.com as
    relative to $ORIGIN and the delegation silently
    points at ns1.j2global.com.106.94.64.in-addr.arpa.

19
Setting up the rDNS Zone
  • Example of 64.94.106.40/29 configuration on the
    hosting rDNS server (the delegated zone; SOA omitted)

    $ORIGIN 40-47.106.94.64.in-addr.arpa.
    ; zone delegation of 64.94.106.40/29
    @       IN NS  ns1.j2global.com.
    @       IN NS  ns2.j2global.com.
    @       IN TXT "j2 Global Communications, Inc."
    40      IN PTR 64.94.106.40.efax.com.
    41      IN PTR 64.94.106.41.efax.com.
    42      IN PTR 64.94.106.42.efax.com.
    43      IN PTR 64.94.106.43.efax.com.
    44      IN PTR 64.94.106.44.efax.com.
    45      IN PTR 64.94.106.45.efax.com.
    46      IN PTR 64.94.106.46.efax.com.
    47      IN PTR 64.94.106.47.efax.com.

  • Each PTR target (64.94.106.40.efax.com. etc.) also
    needs an A record in the forward zone pointing back at
    the same address, or receivers doing forward-confirmed
    rDNS will reject the mapping
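Generating both halves of an RFC 2317 delegation from the CIDR block, as an added example that is not part of the slides: provider_records produces the NS and CNAME records the ISP adds to its /24 reverse zone, customer_zone produces the delegated zone with the PTRs, and resolve_ptr follows the CNAME chain the way a resolver does. The name servers (ns1/ns2.example.net), the SOA values, the hostmaster address and the PTR hostname suffix are hypothetical placeholders; the slides use j2global.com and efax.com.

```python
"""RFC 2317 classless in-addr.arpa delegation for a sub-/24 IPv4 block.
Added example; all names below are hypothetical placeholders."""
import ipaddress

def _fqdn(name):
    """Zone-file names without a trailing dot are relative to $ORIGIN, so an
    NS target written as 'ns1.example.net' would silently become
    ns1.example.net.106.94.64.in-addr.arpa. Force absolute names."""
    return name if name.endswith(".") else name + "."

def _block(cidr):
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("RFC 2317 delegation is for IPv4 blocks longer than /24")
    o1, o2, o3, first = str(net.network_address).split(".")
    last = int(first) + net.num_addresses - 1
    parent = f"{o3}.{o2}.{o1}.in-addr.arpa."
    label = f"{first}-{last}"          # RFC 2317's suggested "first-last" label
    return net, parent, label

def provider_records(cidr, nameservers):
    """Records the ISP adds to its /24 reverse zone: NS for the sub-block
    label, plus one CNAME per address pointing into the delegated label."""
    net, parent, label = _block(cidr)
    lines = [f"$ORIGIN {parent}", f"; classless delegation of {net}"]
    lines += [f"{label} IN NS {_fqdn(ns)}" for ns in nameservers]
    for addr in net:                   # every address, network and broadcast included
        n = str(addr).rsplit(".", 1)[1]
        lines.append(f"{n} IN CNAME {n}.{label}.{parent}")
    return lines

def customer_zone(cidr, nameservers, ptr_suffix, hostmaster="hostmaster.example.net."):
    """The delegated zone served by the customer: SOA, NS and one PTR per
    address, with the PTR target built as <ip>.<ptr_suffix>."""
    net, parent, label = _block(cidr)
    origin = f"{label}.{parent}"
    soa = (f"@ IN SOA {_fqdn(nameservers[0])} {_fqdn(hostmaster)} "
           "( 2004100101 3600 900 604800 86400 )")   # hypothetical SOA values
    lines = [f"$ORIGIN {origin}", soa]
    lines += [f"@ IN NS {_fqdn(ns)}" for ns in nameservers]
    for addr in net:
        n = str(addr).rsplit(".", 1)[1]
        lines.append(f"{n} IN PTR {addr}.{_fqdn(ptr_suffix)}")
    return lines

def resolve_ptr(ip, *zones):
    """Load the generated zone lines into a table, then chase the CNAME from
    the parent zone into the delegated zone and return the PTR target (or
    None), mirroring what the dig query on the next slide shows."""
    rrs, origin = {}, None
    for line in [l for zone in zones for l in zone]:
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith(";") or " IN SOA " in line:
            continue
        owner, _, rtype, target = line.split(maxsplit=3)
        owner = origin if owner == "@" else f"{owner}.{origin}"
        rrs.setdefault((owner, rtype), []).append(target)
    name = ipaddress.ip_address(ip).reverse_pointer + "."
    for _ in range(8):                 # bounded CNAME chase
        if (name, "PTR") in rrs:
            return rrs[(name, "PTR")][0]
        if (name, "CNAME") not in rrs:
            return None
        name = rrs[(name, "CNAME")][0]
    return None

if __name__ == "__main__":
    ns = ["ns1.example.net", "ns2.example.net"]
    prov = provider_records("64.94.106.40/29", ns)
    cust = customer_zone("64.94.106.40/29", ns, "example.com")
    print("\n".join(prov), "\n", "\n".join(cust), sep="")
    print(resolve_ptr("64.94.106.40", prov, cust))
```

Hand the provider_records output to the ISP as the exact text to paste into its zone; the customer_zone output is what your own server loads. resolve_ptr returning None for an address outside the block shows why the CNAME glue on the provider side is required: the delegated zone alone is never queried for plain <octet>.106.94.64.in-addr.arpa names.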

20
Checking the rDNS Zone
  • Example of checking the 64.94.106.40/29
    configuration (web DiG at us.mirror.menandmice.com,
    querying the provider's server 206.13.31.12 for the
    PTR of 64.94.106.40):

    ; <<>> DiG 2.1 <<>> @206.13.31.12 40.106.94.64.in-addr.arpa. PTR
    ; (1 server found)
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
    ;; flags: qr rd ra; Ques: 1, Ans: 2, Auth: 2, Addit: 0
    ;; QUESTIONS:
    ;;      40.106.94.64.in-addr.arpa, type = PTR, class = IN
    ;; ANSWERS:
    40.106.94.64.in-addr.arpa.        43200  CNAME  40.40-47.106.94.64.in-addr.arpa.
    40.40-47.106.94.64.in-addr.arpa.  86400  PTR    64.94.106.40.efax.com.
    ;; AUTHORITY RECORDS:
    40-47.106.94.64.in-addr.arpa.     86400  NS     ns2.j2global.com.
    40-47.106.94.64.in-addr.arpa.     86400  NS     ns1.j2global.com.
    ;; Total query time: 48 msec
    ;; FROM: us.mirror.menandmice.com to SERVER: 206.13.31.12
    ;; WHEN: Tue Jul 20 01:20:09 2004

  • The two ANSWER records are the delegation working:
    the provider's CNAME is followed into the delegated
    40-47 zone, and the PTR comes back from there

21
How SPF Classic works
    ISP A:  MX mx1.ispA.net -> 1.1.1.1   TXT "v=spf1 a mx -all"
    ISP B:  MX mx1.ispB.net -> 2.2.2.2   TXT "v=spf1 a mx -all"
    (Internet between them)
    Receiver's lookup chain for a message claiming ispA.net:
      TXT "v=spf1 a mx -all" -> MX mx1.ispA.net -> A mx1.ispA.net -> 1.1.1.1
    The connecting address is compared with the result (1.1.1.1
    and 2.2.2.2 are placeholders on the slide)

22
Setting up SPF Classic
  • Configuration of example.com SPF (SOA omitted for
    space reasons)

    $ORIGIN example.com.
    ; NS records
    @     IN NS  ns1.example.com.
    @     IN NS  ns2.example.com.
    ; MX records
    @     IN MX  10 mx1.example.com.
    @     IN MX  20 mx2.example.com.
    ; A records
    mx1   IN A   1.1.1.1
    mx2   IN A   2.2.2.2
    ; TXT SPF records
    @     IN TXT "v=spf1 a mx -all"
    mx1   IN TXT "v=spf1 a -all"
    mx2   IN TXT "v=spf1 a -all"

  • The records on mx1 and mx2 are needed because bounces
    and system mail leave those hosts with their own
    hostname as the envelope sender; without them that
    mail gets an SPF result of "none"

23
Register your SPF domain
  • Once you have configured SPF for your domain you
    should register it at
  • http://spftools.infinitepenguins.net/register.php
  • Then put the logo on your site!

24
Testing SPF Classic
  • Testing of example.com SPF
  • http://www.dnsstuff.com/pages/spf.htm
  • Dummy sample output from dnsstuff:

    SPF lookup of sender droid@example.com. from IP 1.1.1.1
    SPF string used: v=spf1 mx -all.
      Obtained the TXT record via DNS for example.com
    Processing SPF string: v=spf1 mx -all.
      Checking against the TXT record
    Testing 'mx' on IP=1.1.1.1, target domain example.com,
      CIDR=32, default=PASS.  MATCH!
    Testing 'all' on IP=1.1.1.1, target domain example.com,
      CIDR=32, default=FAIL.
    Result: PASS
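The evaluation the diagram, the example.com zone and the dnsstuff output walk through, as an added example that is not code from the slides or from dnsstuff: a minimal v=spf1 evaluator over a constructed in-memory DNS table that copies the example.com records from the "Setting up SPF Classic" slide (1.1.1.1 and 2.2.2.2 are the slide's placeholder addresses). It goes beyond the slide by also handling ip4, include and the ~all/?all qualifiers; the newsletter.example.com and _spf.bulk.example.net records, and the 192.0.2.0/24 sender block, are hypothetical.

```python
"""Minimal SPF Classic (v=spf1) evaluator: a, mx, ip4, include, all.
Added example; the DNS table is constructed and hypothetical."""
import ipaddress

DNS = {
    ("example.com.", "TXT"): ["v=spf1 a mx -all"],
    ("example.com.", "MX"): [(10, "mx1.example.com."), (20, "mx2.example.com.")],
    ("mx1.example.com.", "A"): ["1.1.1.1"],
    ("mx2.example.com.", "A"): ["2.2.2.2"],
    ("mx1.example.com.", "TXT"): ["v=spf1 a -all"],
    ("mx2.example.com.", "TXT"): ["v=spf1 a -all"],
    # Hypothetical sub-domain delegating to an outsourced bulk sender.
    ("newsletter.example.com.", "TXT"): ["v=spf1 include:_spf.bulk.example.net ~all"],
    ("_spf.bulk.example.net.", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rrtype):
    """Stub resolver; swap in a real one to check live domains."""
    return DNS.get((name.lower().rstrip(".") + ".", rrtype), [])

def _addr_in(addr, rdata):
    return any(addr == ipaddress.ip_address(a) for a in rdata)

def check_host(ip, domain, depth=0):
    """SPF result for a connection from `ip` whose MAIL FROM is in `domain`:
    pass / fail / softfail / neutral / none / permerror.
    Mechanisms ptr, exists, exp and CIDR suffixes on a/mx are not handled."""
    if depth > 10:
        return "permerror"             # include loop / too many lookups
    records = [t for t in lookup(domain, "TXT")
               if t == "v=spf1" or t.startswith("v=spf1 ")]
    if not records:
        return "none"                  # no policy published for this domain
    if len(records) > 1:
        return "permerror"             # ambiguous: two v=spf1 records
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = _addr_in(addr, lookup(arg or domain, "A"))
        elif mech == "mx":
            hosts = [h for _, h in lookup(arg or domain, "MX")]
            matched = any(_addr_in(addr, lookup(h, "A")) for h in hosts)
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner not in ("pass", "fail", "softfail", "neutral"):
                return "permerror"     # RFC 4408: include of none/error is fatal
            matched = inner == "pass"
        else:
            return "permerror"         # unknown or unsupported mechanism
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                   # fell off the end without an "all"

def mail_from_reply(ip, sender):
    """What the receiving MTA answers at MAIL FROM, before DATA is ever sent.
    Only a hard fail is rejected here; softfail/neutral/none are left for the
    content filter to weigh. (A real MTA checks the HELO name for MAIL FROM:<>.)"""
    domain = sender.rpartition("@")[2]
    result = check_host(ip, domain)
    if result == "fail":
        return f"550 5.7.1 {ip} is not permitted to send mail for {domain}", result
    return "250 2.1.0 OK", result

if __name__ == "__main__":
    for ip, sender in (("1.1.1.1", "droid@example.com"), ("3.3.3.3", "droid@example.com"),
                       ("192.0.2.77", "news@newsletter.example.com")):
        print(ip, sender, mail_from_reply(ip, sender))
```

The softfail case is the practical reason to start a domain on ~all and move to -all only once every legitimate sending path (bulk senders, web servers, ticketing systems) is in the record: a -all record rejects anything you forgot at the SMTP envelope stage.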

25
Impact on the Internet
  • These solutions will help reduce the overall
    architecture problems of Authentication,
    Authorization, and Accounting with e-mail (back to
    AAA)
  • 68B e-mails daily, of which approx. 42.8B are spam,
    or 69% spam! [1]
  • Estimated $1,400 annual savings per employee from
    productivity currently lost to spam [2]
  • [1] The Radicati Group and Brightmail
  • [2] Vircom

26
Questions and Answers

27
Resource Links
  • rDNS
  • http://www.ietf.org/rfc/rfc2317.txt
  • http://www.ietf.org/rfc/rfc2505.txt
  • http://www.arin.net/registration/lame_delegations/index.html
  • http://kbase.menandmice.com/view.html?rec=31
  • http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/cnet/cncf_imp_dewg.asp
  • http://dedicated.sbcis.net/customer_support/dns_worksheet.html
  • http://dedicated.sbcis.net/customer_support/reverse_delegation.html
  • DNS tools
  • http://www.dnsstuff.com/
  • http://us.mirror.menandmice.com/cgi-bin/DoDig
  • http://network-tools.com/
  • http://www.squish.net/dnscheck/
  • http://www.dns.net/dnsrd/tools.html
  • http://www.dnsreport.com/
  • http://www.samspade.org/t/
  • General references

28
Resource Links
  • Meng Wong's SPF
  • http://spf.pobox.com/howworks.html
  • http://spf.pobox.com/rfcs.html
  • http://spf.pobox.com/wizard.html
  • http://www.ietf.org/internet-drafts/draft-mengwong-spf-01.txt
  • Microsoft's E-mail Caller ID
  • http://www.microsoft.com/downloads/details.aspx?FamilyID=9a9e8a28-3e85-4d07-9d0f-6daeabd3b71b&displaylang=en
  • Sender ID, the merged E-mail Caller ID and SPF
  • http://www.microsoft.com/presspass/press/2004/may04/05-25SPFCallerIDPR.asp
  • http://www.microsoft.com/presspass/press/2004/jun04/06-24SIDSpecIETFPR.asp
  • http://www.microsoft.com/mscorp/twc/privacy/spam_senderid.mspx
  • http://spftools.infinitepenguins.net/register.php
  • http://www.dnsstuff.com/pages/spf.htm
  • Yahoo! DomainKeys
  • http://antispam.yahoo.com/domainkeys
  • http://www.ietf.org/internet-drafts/draft-delany-domainkeys-base-00.txt

29
About Ed Horley
  • Edward Horley is a Sr. Network Engineer for j2,
    better known as eFax. Ed currently designs,
    supports and maintains j2's 56 international and
    domestic colocation sites along with j2's core
    data center IP infrastructure. He is experienced
    in e-commerce web content delivery, large scale
    e-mail delivery, firewalls, IPsec VPNs, and
    specializes in routing and switching. Ed is a
    Cisco Certified Network Professional (CCNP), a
    Microsoft Certified Professional (MCP) and a
    Microsoft Most Valuable Professional (MVP).
  • When he is not playing on network gear you can
    find him out on the lacrosse field as an Umpire
    for Women's Lacrosse. He is currently married to
    his wonderful wife Krys and has two children,
    Briana and Aisha. He lives and works in Walnut
    Creek, CA.

30
Contact Info
  • Ed Horley, ehorley@gmail.com