> On Jul 11, 2016, at 2:16 PM, CarlC Internet Services Service Desk 
> <ab...@carlc.com> wrote:
> I know a few years ago, I did have a few customers this happened to. We had 
> to disable the catch-all and instead, set it to bounce-no-mailbox. When we 
> did that, the spammers stopped trying to use the domain as a “from” address 
> [and yes, SPF records made no difference… it was the open catch-all that led 
> the spammers to use the domain as a “from” address].

Can’t resist sticking in my 2c here.

I really have no idea how an open catch-all would make a domain attractive to 
spammers, but let’s leave that aside for now.

As for SPF, the situation is a bit complicated.

I have several domains that — at one time — were set up with SPF records that 
permitted any host to send email with that domain in the ‘From’ line (I had to 
have things that way because I was supporting mobile users).

Spammers picked up two of these domains and added them to their list of 
‘domains to use when forging From lines’. Ever since, every few months, I see a 
flood of backscatter to those two domains. It peaks, then dies away as the 
spammer switches to other domains.

It’s always just those two domains: other domains that used to have similarly 
permissive settings have not been abused. And domains with more restrictive SPF 
settings have not been abused.

I eventually changed the domains to use much less permissive SPF settings. 
Those domains are now only authorized for a single mail server. Hasn’t changed 
a thing: every few months, the backscatter flood resumes.

Things I conclude:

1. Restrictive SPF records _do_ discourage spammers from forging that domain in 
their ‘From’ lines.

2. Spammers _will_ forge domains with permissive SPF records, but they choose 
them arbitrarily.

3. Once a spammer has added your domain to their list, they will continue 
forging mail from that domain until the Heat Death of the Universe, 
irrespective of the SPF settings. Spammers never revise their domain lists any 
more than they revise their target email lists.

4. A very large number of recipient hosts ignore SPF when deciding whether to 
bounce mail or not. In other words, they don’t look at the SPF record and say 
“Hmm, this message says it comes from f...@bar.com, but bar.com’s SPF record 
says that IP isn’t authorized to send mail. No point sending a bounce message 
that’ll only annoy r...@bar.com.” Instead they just say “Can’t deliver? Bouncey 
bouncey bounce!”

5. Bonus observation: there is not a single ISP on the planet that gives a shit 
about whether a domain that they host is being advertised by spam sent with 
someone else’s domain in the ‘From’ line. Don’t even bother.

This is not a scientific study, and the plural of anecdote is not data. 
Nevertheless, this is what I have observed.

Angus
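Point 4 above, as an added example that is not code from the thread or from either author: a bounce-generating host that consults the sender domain's SPF record before emitting a DSN, so that a sender the domain owner has explicitly rejected gets no backscatter. The domains, records and addresses are constructed for illustration; only the ip4, ip6 and all mechanisms are evaluated, which is a deliberate simplification of RFC 7208 rather than a full SPF implementation.

```python
"""Decide whether an undeliverable message deserves a bounce (DSN) by
evaluating the sender domain's SPF record against the connecting IP.
Simplified SPF: handles ip4/ip6 (with CIDR) and the "all" mechanism; any
other mechanism (a, mx, include, ...) needs DNS and is skipped here."""
import ipaddress

# Constructed records standing in for DNS TXT lookups (not real domains).
SPF_RECORDS = {
    "permissive.example": "v=spf1 +all",
    "strict.example": "v=spf1 ip4:192.0.2.10 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Return pass/fail/softfail/neutral/none for client_ip against record."""
    if not record or not record.lower().startswith("v=spf1"):
        return "none"  # no (valid) record published for the domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                # A v4 address is never "in" a v6 network and vice versa.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                continue  # malformed term: ignore it and keep scanning
        # a, mx, include, exists, ptr require DNS: not evaluated offline
    return "neutral"  # record exhausted with no match and no "all"


def should_bounce(envelope_from, client_ip):
    """Only send a DSN when SPF does not show the return path is forged.
    "fail" means the domain owner said this host may not send for them, so
    a bounce to that address would almost certainly be backscatter."""
    domain = envelope_from.rpartition("@")[2].lower()
    result = check_spf(SPF_RECORDS.get(domain), client_ip)
    return result != "fail"
```

Note that softfail, neutral and a missing record still lead to a bounce here; a stricter site might suppress DSNs for those too, at the cost of losing legitimate bounces for domains with sloppy records.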
