Lately I’ve been getting a lot of spam and viruses bounced back to my email address. Spammers and mass-mailing viruses are forging my address as the sender and sending to addresses that don’t exist. Instead of refusing the message during the SMTP conversation, the receiving server accepts it, finds that it can’t deliver it, and kindly bounces it back to the forged “sender” saying that it couldn’t send “my” message to those addresses for some reason. This is usually called backscatter.
Here’s a copy of one email which was sent “from me” and bounced back:
Received: from bftaaijlh.net (sc210.172block.vegas.smartconnect.net [126.96.36.199]) by rly-yi02.mx.aol.com (v103.7) with ESMTP id MAILRELAYINYI21-7af41b06fb0258; Fri, 03 Dec 2004 08:52:52 -0500
Date: Fri, 03 Dec 2004 13:35:16 GMT
Subject: Mail Error
X-Priority: 3 (Normal)
Content-Type: multipart/mixed; boundary="===f881ebb6094551"
You can find out more about interpreting all that header information at http://pctech.invisibill.net/emailsource.html. In this message, you can see that the mail was sent to an aol.com address: rly-yi02.mx.aol.com is the mail server that accepted it. The Received: line contains three names, and only one of them is trustworthy. bftaaijlh.net is whatever the sending machine announced in its HELO command, and it can announce anything it likes; sometimes that will be the real DNS name of the machine, sometimes it is just a name configured in the mail software or made up by the virus. sc210.172block.vegas.smartconnect.net, in parentheses, is what AOL’s server got back when it did a reverse DNS lookup on the connecting address, so it is controlled by whoever runs that network’s DNS, not by the sender. The address in square brackets, 188.8.131.52, is the one AOL’s server actually saw the connection come from, and it is the only part of that line the sender could not choose. That is the value you check against SPF.
Based on the subject and the fact that it has an attachment, I know that this email is not actually an error message but an email virus pretending to be one, in hopes that you’ll open the attachment. A real bounce is generated by a mail server, is sent with an empty return path (it shows up as MAILER-DAEMON or postmaster), and quotes the message it couldn’t deliver; it doesn’t arrive from some random host with my address as the sender. The mail server should have caught it as a virus and stopped it, or at least been smart enough to realize that it really didn’t come from me and therefore not “return” it to me.
I even have SPF set up for my domain. Basically, each domain publishes, in a DNS TXT record, the list of all the servers allowed to send mail for that domain. Any server receiving mail with an invisibill.net “from” address can look that record up and check whether the connecting IP is on the list. Strictly speaking, SPF checks the domain in the SMTP envelope sender (the MAIL FROM, which ends up in the Return-Path: header) and the HELO name, not the From: line you see in your mail client, though in forgeries like this one the two usually match. Apparently AOL isn’t doing that. It’s a bit late once you’ve already received the mail, but the SPF site has a script that sites can use so people can understand what’s happening and why. http://www.invisibill.net/spfcheck.php is a little script I made so people can check emails “from” invisibill.net against my SPF record. Just take the IP address in square brackets on the “Received: from” line of the email and enter it into that form. In this case, it’s 184.108.40.206. When you submit that in my form, you get this response:
InvisiBill rejected a message claiming to be from @invisibill.net.
InvisiBill saw a message coming from the IP address
sc210.172block.vegas.smartconnect.net; the sender claimed to be
invisibill.net has announced using SPF that it does not send mail out through
220.127.116.11. That is why the mail was rejected.
Since you got the email, you know it wasn’t actually rejected by any mail system. What the response tells you is that my SPF record says a message from that address claiming to be from invisibill.net should be rejected. If your ISP had been checking incoming mail against SPF records, it would have refused this message during the SMTP connection, and there would have been nothing to deliver and nothing to bounce.
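Here is the same check as a stand-alone Python script: it pulls the bracketed IP out of a Received: line and evaluates it against an SPF record, the way the spfcheck.php form above does. This is an added example, not the script from this page and not the SPF project’s own library. It runs offline against a made-up set of DNS answers (invented records for invisibill.net, a relay domain and a spammer domain, all using RFC 5737 documentation addresses), and the Received: line it parses is a constructed copy of the one quoted above with a documentation IP substituted for the real one. The record handling is the subset of RFC 7208 those records need.

```python
import ipaddress
import re

# Constructed stand-in for DNS so the example runs offline: the SPF TXT records
# and A/MX answers a real evaluator would look up.  The addresses are RFC 5737
# documentation ranges, not the real hosts of any domain named here.
FAKE_DNS = {
    "TXT": {
        "invisibill.net": "v=spf1 a mx ip4:203.0.113.0/24 include:_spf.relay.example -all",
        "_spf.relay.example": "v=spf1 ip4:198.51.100.10 ~all",
        "spammer.example": "v=spf1 +all",          # lets any host on the internet pass
        "v6only.example": "v=spf1 ip6:2001:db8::/32 -all",
    },
    "A": {
        "invisibill.net": ["203.0.113.5"],
        "mail.invisibill.net": ["203.0.113.25"],
    },
    "MX": {
        "invisibill.net": ["mail.invisibill.net"],
    },
}

# Constructed Received: line modeled on the one quoted in the post, with a
# documentation IP in place of the real connecting address.
SAMPLE_RECEIVED = (
    "Received: from bftaaijlh.net (sc210.172block.vegas.smartconnect.net [192.0.2.77]) "
    "by rly-yi02.mx.aol.com (v103.7) with ESMTP; Fri, 03 Dec 2004 08:52:52 -0500"
)

BRACKETED_IP = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def connecting_ip(received_header):
    """Return the IP in square brackets from a 'Received: from ...' line.

    The HELO name and the reverse-DNS name on that line are chosen by the
    sender or by whoever runs the sending network's DNS; the bracketed
    address is what the receiving server saw the connection come from, so
    it is the value SPF is evaluated against.
    """
    match = BRACKETED_IP.search(received_header)
    if match is None:
        raise ValueError("no [ip] found in Received header")
    return str(ipaddress.ip_address(match.group(1)))   # also validates it parses


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, dns=FAKE_DNS, depth=0):
    """Minimal SPF evaluator (subset of RFC 7208).

    Returns pass, fail, softfail, neutral, none or permerror.  Handles the
    ip4, ip6, a, mx, include and all mechanisms with all four qualifiers,
    which covers the records above; ptr, exists, redirect=, macros and CIDR
    suffixes on a/mx are deliberately left out.
    """
    if depth > 10:                        # RFC 7208 caps lookup-causing terms at 10
        return "permerror"
    record = dns["TXT"].get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    ip = str(addr)                        # normalised form for the A-record comparisons
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # 'in' is False across address families, so an ip6 term never matches an IPv4 client
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in dns["A"].get(arg or domain, [])
        elif name == "mx":
            hosts = dns["MX"].get(arg or domain, [])
            matched = any(ip in dns["A"].get(h, []) for h in hosts)
        elif name == "include":
            # include matches only when the referenced record itself returns 'pass'
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"            # mechanism this evaluator doesn't know
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # ran off the end with no 'all' term


def explain(received_header, sender_domain, dns=FAKE_DNS):
    """What the spfcheck form on the page does: Received: line in, (ip, verdict) out."""
    ip = connecting_ip(received_header)
    return ip, check_spf(ip, sender_domain, dns)


if __name__ == "__main__":
    ip, result = explain(SAMPLE_RECEIVED, "invisibill.net")
    print(f"{ip} claiming to be from invisibill.net: SPF {result}")
    for legit in ("203.0.113.25", "198.51.100.10"):
        print(f"{legit} claiming to be from invisibill.net: SPF {check_spf(legit, 'invisibill.net')}")
    print(f"{ip} claiming to be from spammer.example: SPF {check_spf(ip, 'spammer.example')}")
```

In real use the domain handed to check_spf comes from the envelope sender (Return-Path), and FAKE_DNS is replaced by actual TXT, A and MX lookups. The spammer.example record is there to show the limit the post describes below: a domain that publishes +all gets a “pass” from every host on the internet, so a pass only means the domain owner vouched for that host, not that the mail is wanted.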
If you use Mozilla Thunderbird for email, you can use the SPF Extension to automate this. When you view an email, you’ll see just above the Subject whether or not it passes SPF checks. Assuming you have a pretty standard mail system, it should just work, without you having to figure out IP addresses or submit forms or anything. As soon as you opened the email, you’d know that it really wasn’t from invisibill.net. That is, if Thunderbird’s spam filter didn’t already catch the email. =) With Thunderbird, you’re also immune to the email viruses that spread by exploiting bugs in Outlook and Outlook Express, though not to the ones that simply ask you to open an attachment, which is exactly what this message is counting on.
Once again, remember that SPF isn’t designed to stop spam. It’s designed to verify that the email actually came from where it claims to. The “from” address on an email is like the return address on the envelope of postal mail: it’s not exactly hard to put something other than your own address there. SPF is sort of like checking that the postmark on the letter matches up with the listed return address. It’s very possible for a spammer to set up a domain and use its own mail server, or even to publish an SPF record that allows mail from any source (a record of just “v=spf1 +all”), and SPF will happily pass that mail. What it should stop is the spam claiming to come from hotmail.com, aol.com, etc., once those domains publish records and receivers enforce them. It should also stop virus emails with spoofed senders and spam sent directly from hijacked “zombie” PCs, since those dynamic IP addresses most likely wouldn’t be in anyone’s SPF records; a zombie that sends through its own ISP’s outgoing mail server using that ISP’s domain would still pass, because as far as SPF is concerned that really is where the ISP’s mail comes from.