Terry Zink's Anti-malware Blog

Protecting your mail from the scum of the internet
Found some spammers today with SPF records set up

I came across some spam in my inbox today.  This company was pushing pump-and-dump stock spam for a medical company.  I saw that the company passed an SPF check.  That's odd, I thought.  A spammer passing an SPF check?  So, I decided to check out the SPF records:

dig txt watammatau.com

;; ANSWER SECTION:
watammatau.com.         1800    IN      TXT     "v=spf1 +all"

Sure enough, this spammer has set up a site and complied with SPF. Not that it helps them or anything, but it looks like they've set up a record simply for the sake of setting up a record.

Posted: Friday, September 07, 2007 1:39 PM by tzink
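
A `+all` term tells receivers that every sending host passes, so an SPF pass for such a domain says nothing about the sender. The following Python check is an added example, not code from the original post; it flags records like the one above and goes slightly beyond the post by also catching a bare `all` and zero-length `ip4`/`ip6` prefixes. The function names and the extra sample records are constructed for illustration.

```python
import ipaddress

QUALIFIERS = "+-~?"  # pass, fail, softfail, neutral (RFC 7208)


def parse_mechanisms(record):
    """Split an SPF TXT record into (qualifier, name, value) mechanisms."""
    fields = record.strip().strip('"').split()
    if not fields or fields[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for field in fields[1:]:
        qualifier = "+"  # no explicit qualifier means pass
        if field[0] in QUALIFIERS:
            qualifier, field = field[0], field[1:]
        name, _, value = field.partition(":")
        if "=" in name:
            continue  # modifier (redirect=, exp=), not a mechanism
        mechanisms.append((qualifier, name.lower(), value))
    return mechanisms


def pass_all_reasons(record):
    """Return the reasons a record lets any host pass; empty list if none."""
    reasons = []
    for qualifier, name, value in parse_mechanisms(record):
        if name == "all":
            if qualifier == "+":
                reasons.append("'all' with pass qualifier")
            break  # mechanisms after 'all' are never evaluated
        if qualifier == "+" and name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue  # malformed address, nothing to judge
            if net.prefixlen == 0:
                reasons.append(f"{name}:{value} matches every address")
    return reasons


if __name__ == "__main__":
    samples = [
        "v=spf1 +all",                     # record from the post
        "v=spf1 all",                      # constructed: implicit pass
        "v=spf1 ip4:0.0.0.0/0 ~all",       # constructed: whole IPv4 space
        "v=spf1 ip4:192.0.2.0/24 -all",    # constructed: restrictive
    ]
    for record in samples:
        print(record, "->", pass_all_reasons(record) or "ok")
```

The check inspects only the record's own terms; `include:` and `redirect=` targets are not resolved, so it runs without DNS access.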

Comments

Mike said:

It's not "odd." Spammers were the first people to adopt the usage of SPF.

# September 8, 2007 8:33 AM

Another Mike said:

Despite this, SPF actually is useful (not as the ONLY tool) if it is used PROPERLY. In other words, SPF is good when checking "spamminess" alongside other tools, not just using it as the sole measure of canned-meatness.

Compare this blog entry:

http://www.avertlabs.com/research/blog/index.php/2007/09/10/spammers-got-a-free-pass/

# September 15, 2007 1:18 PM

Jeff Macdonald said:

Terry, forward that message to a Hotmail account. I'm curious what it would show.

# September 19, 2007 2:51 PM

Ram said:

Now these spammers are the easiest to catch.

If SPF passes for a mail and it is sure spam, blacklist the domain.

Automate the process with some whitelists for gmail, msn, etc., and you can block a lot of spam at the gate.

# January 17, 2008 10:02 AM