Musings from a small IPP

Sending Mail

by on Apr.14, 2009, under E-Mail hosting, SPF the Sender Policy Framework

The scourge of the Internet is SPAM mail.  So much rubbish arrives each day that a major part of the service we offer our customers is to block, tag and pre-file most of it for them, so they can (we hope) have uncluttered real communication.

With our efforts to clean up what comes in goes a responsibility to keep the outgoing stream of mail clean.  In general we trust our customers to keep their anti-virus up-to-date, but there remains a risk of their computer becoming infected in some way or, worse, becoming part of a bot-net (q.v.). We would expect to notice if their sending pattern suddenly changed, and we require an authenticated connection before we will forward mail.

Many domestic-market ISPs intercept port 25 traffic (mail traffic) for just this reason: they don’t want to be seen as hosts of SPAM.  As we’re not in the local loop business we are set up to accept outgoing mail on port 587 (submit), which lets our customers bypass the blocks on port 25 and get their mail out from the right place, and lets our anti-spam software take note of their correspondents’ addresses to facilitate the replies.  Our customers’ SPF records have a clause include:oa5.com to allow their mail to come from our servers.

This leads on to some thoughts about SPF and ISP-relayed mail.  There are really three cases that spring to mind:

  1. The user has their mail in the ISP’s domain, e.g. aol, waitrose, tiscali, and does not use their own domain
  2. The user has their own domain, but actively uses the ISP’s mail servers to handle the outgoing traffic
  3. The user has their own domain, and their own mail server, but the ISP actively intercepts outgoing traffic on port 25 to mediate for SPAM

Cases where the ISP is not involved are not interesting here.

Case 1 is just for the ISP. If the ISP is at all concerned for its reputation it will set up appropriate SPF records to prevent its own, and its customers’, mail being spoofed.

Case 2 is more interesting for the concerned domain owner.  If the ISP has an SPF record, that can be pulled into the domain’s own SPF record with an ‘include:’ clause.  Absent that ISP record, though, the domain owner has two choices:

  • Do without an SPF record – or –
  • Run a full mail server, and deliver mail directly

as there is no way for the customer to enumerate the ISP’s outgoing mail servers.

The third case is even more interesting in its own way.  The ISP is doing something that in Britain should be restricted by RIPA (the Regulation of Investigatory Powers Act, otherwise known as the official snoopers’ charter).  By interposing itself as a relay the ISP is breaking the customer’s SPF configuration, and so needs to run the Sender Rewriting Scheme on the outgoing messages to enable them to be delivered.

I don’t think any do.

Why you need SPF

by on Apr.13, 2009, under E-Mail hosting, SPF the Sender Policy Framework

Eh wazzat? Well I suppose most of you haven’t heard about it, or if you have it’s probably in the negative context of someone’s mail not getting to you…

What is SPF then?

SPF is a nice easy way for the owners of, say, mybank.biz to say where they send e-mails from.  Of itself that doesn’t sound too exciting.  Well no, except it has an interesting consequence.  If mybank.biz only sends email from mailout.mybank.biz, then when your ISP gets mail which says it is from security@mybank.biz on a connection from phish.ripoff.crime, your ISP knows it can throw that mail away and never bother you with it.

Sounds good, so all the banks use SPF then?

Nice thought, a few responsible ones do.  Mostly they don’t yet.  You might have a good argument about negligence if you got caught out and it turns out your bank does not use SPF while your ISP does check for you.  Some of the (financially) important internet sites like eBay do protect their customers and themselves in this way.  Others use it just to avoid being accused of distributing SPAM or viruses.

So something must break, or everyone would have it

Well spotted.  When the institution the mail comes from has SPF you can’t have an alias somewhere that forwards the e-mail to you, unless the ISP offering that alias is really switched on, because the machine doing the forwarding is not on the sender’s list of allowed sending machines.  We can do it at OA5, but it is significantly more work, so we would rather not, thank you.

The other thing that affects people whose institution has SPF is a common mistake on some web sites.  Those sites think they’re allowed to use your email address as the sender when they’re sending to you.  They should of course be sending from their own address and only using your address as recipient of the mail they’re sending.  Responsible sites who know what they’re doing don’t do this to start with, or quickly change when the problem is pointed out to them.

What about my Blackberry?  That sends mail from the phone company’s machines, will I get blocked?

Blackberry and the phone companies know about SPF, and use the distinction between the Sender address and the From address to be able to deliver your mail.

At OA5.com we set up SPF for our customers’ domains.
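The receiver-side check described in this post, and the relay cases from “Sending Mail”, as an added example (not OA5’s code and not part of the original posts). It evaluates only the ip4/ip6, include and all mechanisms; the TXT records, IP addresses, customer.example, isp.example and case2.example are constructed, and only mybank.biz and the include:oa5.com clause come from the posts.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups; all addresses are
# documentation ranges. customer.example and isp.example are made-up names.
SPF_RECORDS = {
    "mybank.biz": "v=spf1 ip4:192.0.2.25 -all",  # stands for mailout.mybank.biz
    "oa5.com": "v=spf1 ip4:198.51.100.0/28 -all",  # assumed outbound pool
    "customer.example": "v=spf1 include:oa5.com -all",  # clause from the post
    "isp.example": "v=spf1 ip4:203.0.113.0/28 -all",  # intercepting ISP relay
    "case2.example": "v=spf1 include:nospf-isp.example -all",  # ISP has no record
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Evaluate the ip4/ip6/include/all subset of RFC 7208 for one client IP."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"
    if depth > 10:  # loop guard; a simplification of RFC 7208's 10-lookup limit
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return RESULTS[qualifier]
        elif name == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner == "pass":  # only an inner pass makes include: match
                return RESULTS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # mechanism outside this example's subset
    return "neutral"


def spf_for(client_ip, envelope_sender):
    """SPF is checked against the domain of the envelope (MAIL FROM) sender."""
    return check_host(client_ip, envelope_sender.rpartition("@")[2])


if __name__ == "__main__":
    srs = "SRS0=abcd=XY=customer.example=alice@isp.example"  # constructed SRS form
    for ip, sender in [("203.0.113.10", "alice@customer.example"), ("203.0.113.10", srs)]:
        print(sender, "via", ip, "->", spf_for(ip, sender))
```

The same function returns fail for security@mybank.biz offered from any address other than 192.0.2.25, and permerror for case2.example, whose include points at an ISP that publishes no SPF record.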

The end of sharing as they knew it

by on Apr.07, 2009, under Operations

Last Wednesday Sweden went live with its anti-file-sharing law. This enables the content owners to demand tracebacks to those serving, and those downloading, copyright material.

The traffic at the main Swedish internet exchange dropped to 2/3 of Tuesday’s value, so a significant cost saving you might think. It isn’t really, though, as Internet traffic volume is essentially fractal over time with huge peaks and troughs.

The interesting thing will be to see how CD/DVD sales and legitimate download volumes change. I’ll also be interested to see how often legitimate users of BitTorrent are falsely accused when they fetch a fresh CentOS distribution.
