Computer Associates, IT Security Trends, Report 2004/05 für Medienschaffende 18. November 2004, SWX Swiss Exchange, Zürich SPAM

Transcription

1 Computer Associates, IT Security Trends, Report 2004/05 für Medienschaffende 18. November 2004, SWX Swiss Exchange, Zürich SPAM Prof. Dr. P. Heinzmann cnlab Information Technology Research AG & HSR Hochschule für Technik Rapperswil Referenzen: Mike Spykerman, Typical spam characteristics - How to effectively block spam and junk mail, White Paper, Red Earth Software. Spamming countermeasures: 005c.shtml Howto gegen Schweizer SPAM: Michael Heuberger, Spamming Spamming the Internet, Hochschule Rapperswil, I-Seminar, SS Matthias Rambold, Wie wird SPAM bekämpft?, Hochschule Rapperswil, I- Seminar, WS 2001/02. Adrian Ruoss, Christian Höhn, SPAM Distributed Content Checking Honeypots, Hochschule Rapperswil, Studienarbeit Abt. Informatik, WS2004/05. 1

2 2

3 Outline Wer macht das Geschäft mit SPAM? Wie finde ich die Spammer? ( Details) Wie wehrt man sich gegen SPAM? (SPAM Abwehrmassnahmen)

4 Wie werde ich Millionär? Schon vor 40 Jahren waren in Schweizer Zeitungen Inserate für Anleitungen Wie werde ich Millionär? nach Einsendung einiger Franken erhältlich. Die lapidare Antwort bzw. Anleitung lautete machen Sie s wie ich! 4

5 200 known Spam Operations ( professional spammers) responsible for 90% of your spam operate 'offshore' using servers in Asia and South America spammer listed in ROKSO if terminated by a minimum of 3 consecutive ISPs for AUP violations spammers IP addresses are automatically sent to Spamhaus Block List ROSLO assists ISP Abuse Desks Law Enforcement Agencies (with special, sensitive information version) The Register Of Known Spam Operations (ROKSO) database collates information and evidence on the known spammers and spam gangs, to assist ISP Abuse Desks and Law Enforcement Agencies. 90% of spam received by Internet users in North America and Europe can be traced via redirects, hosting locations of web sites, domains and aliases, to a hard-core group of around 200 known spam operations. These spam operations consist of an estimated professional spammers loosely grouped into gangs ("spam gangs"), the vast majority of whom are operating illegally. Many of these spam operations pretend to operate 'offshore' using servers in Asia and South America to disguise the origin. Those who don't pretend to be 'offshore' pretend to be small ISPs themselves, claiming to their providers the spam is being sent not by them but by their nonexistent 'customers'. Some set up as fake networks, pirate or fraudulently obtain large IP allocations from ARIN/RIPE and use routing tricks to simulate a network, fooling real ISPs into supplying them connectivity. When caught, almost all use the age old tactic of lying to each ISP long enough to buy a few weeks more of spamming and when terminated simply move on to the next ISP already set up and waiting. ROKSO is a "3 Strikes" register: To be listed in ROKSO a spammer must first be terminated by a minimum of 3 consecutive ISPs for Access User Policy (AUP) violations. IP addresses under the control of ROKSO-listed spammers are automatically and preemptively listed in the Spamhaus Block List (SBL). For Law Enforcement Agencies there is a special version of this ROKSO database which gives access to records with information, logs and evidence too sensitive to publish here. 5

6 CREATIVE MARKETING ZONE Alain Ralsky (SPAM King) Aliases: Jeff Kramer, Additional Benefits, Creative Marketing Zone Inc, Sam Smith, William Window, : couple of mailing lists, making $6,000 a week 2001: Creative Marketing Zone, Inc., Nevada 2002: 250 million valid addresses 0.25% response rate 0.75% of mails opened (hidden notification code) 89 Million people have opt-out (between 1997 and 2002) up to $22,000, for single mailing to entire database stealth spam (Romanian program), detect computers that are online and then flash them a pop-up ad 2004: Hundreds of domains: aboutchpecha.com, Some statements from Alain Ralsky (Mike Wendland: Spam king lives large off others' troubles, November 22, and "I've gone overseas," he said. "I now send most of my mail from other countries. And that's a shame. I pay a fortune to providers to do this, and I'd much rather have it go to American companies. But I have to stay in business, and if I have to go out of the country, then so be it." The computers in Ralsky's basement control 190 servers located in Southfield, 50 in Dallas and 30 more in Canada, China, Russia and India. Each computer, he said, is capable of sending out 650,000 messages every hour -- more than a billion a day -- routed through overseas Internet companies Ralsky said are eager to sell him bandwidth. "I'll never quit," said the 57-year-old master of spam. "I like what I do. This is the greatest business in the world." It's made him a millionaire, he said, seated in the wood-paneled first floor library of his new house. "In fact," he added, "this wing was probably paid for by an I sent out for a couple of years promoting a weight-loss plan." In 1997 he bought a couple of mailing lists from advertising brokers and, with the help of the computers, launched a new career that soon was making him $6,000 a week. Ralsky said he includes a link on each he sends that lets the recipient opt out of any future mailings. He said 89 million people have done just that over the past five years, and he keeps a list of them that grows by about 1,000 every day. That list is constantly run against his master list of 250 million valid addresses. The response rate is the key to the whole operation, said Ralsky. These days, it's about one-quarter of 1 percent. Ralsky makes his money by charging the companies that hire him to send bulk a commission on sales. He sometimes charges just a flat fee, up to $22,000, for a single mailing to his entire database. Ralsky has other ways to monitor the success of his campaigns. Buried in every he sends is a hidden code that sends back a message every time the is opened. About three-quarters of 1 percent of all the messages are opened by their recipients, he said. The rest are deleted. Ralsky, meanwhile, is looking at new technology. Recently he's been talking to two computer programmers in Romania who have developed what could be called stealth spam. It is intricate computer software, said Ralsky, that can detect computers that are online and then be programmed to flash them a pop-up ad, much like the kind that display whenever a particular Web site is opened. "This is even better," he said. "You don't have to be on a Web site at all. You can just have your computer on, connected to the Internet, reading or just idling and, bam, this program detects your presence and up pops the message on your screen, past firewalls, past anti-spam programs, past anything. 6

7 SPAM... Mass Mailing Angebote auf ebay SPAM Mass Mailing Angebote sind beispielsweise auf ebay zu finden. Gelegentlich findet man dort auch SPAM bot Angebote. 7

8 Type of Spam Categories (% of total Spam) Other; 3% Spiritual; 4% Leisure; 6% Products; 25% Internet; 7% Health; 7% Scams; 9% Financial; 20% Adult; 19% 2003: The 2003 statistics were derived from a number of different reputable sources including: Google, Brightmail, Jupiter Research, emarketer, Gartner, MailShell, Harris Interactive, and Ferris Research. Worst of the Spam - Sporn - How well does the filter support the blocking of sporn or spammed pornography? Does it allow you to block all pornography and/or adult themes? Does it allow you to view quarantined without viewing any of the pornographic i? As much as 8% of all is pornographic in nature, what we at Spam Filter Review call Sporn or spammed pornography. 8

9 "419" Scam (Advance Fee Scam) Nigeria or West African Scam large sum of money sitting in a bank account making payments through you to us At some point, the victim is asked to pay up front an Advance Fee of some sort Fake Lottery Scam (Elgordo Lottery Madrid, Microsoft Lottery) you have therefore been approved for a lump sum pay out of US$ 500, To file for your claim, please contact Ghana Gold Scam prepared to provide quantities of up to 400 kilograms of 22.karat alluvial gold monthly offer the quantity of gold required to the Buyer [or their representative] upon their arrival here in Accra kindly contact me at the numbers listed above The so-called "419" scam (aka "Nigeria scam" or "West African" scam) is a type of fraud named after an article of the Nigerian legal code under which it is prosecuted. Most "normal" spam uses bogus sender addresses. For 419 spam existing mailboxes at legitimate mail providers are used. When such mailboxes get cancelled for abuse, often similarly names mailboxes are created at the same provider. Most 419 scams originate from about a dozen fre er domains (netscape.net, yahoo.com/yahoo.*, tiscali.co.uk, libero.it, telstra.com, bigpond.com, indiatimes.com, 123.com (Chile), zwallet.com, fsmail.net, hotmail.com, etc., see addresses by domain). A small minority uses throw-away domains registered via MSN (see example), Rediffmail, XO/Concentric, Yahoo/Geocities or other webhosters (ns.sign-on-africa1.net) as the sender instead of a fre er service, particularly for fake companies and fake banks (e.g. firstcapitalft.com)

10 Nigeria Portal mit Scams and Frauds Beispielen (Nigeria Mail): When fraud, 419 or scams come up anywhere on the internet Nigeria will be mentioned even when the particular fraud, 419 or scam has nothing to do with Nigeria. This image that we have cut for ourselves through our actions and inactions isn't the best and that image we must change through our collective effort if we must be accorded our due respect and%20frauds 10

11 Info Grabber Personal Information (Addresses) Credit Card Information Banking Information (Phishing) Spyware / Trojan Installation Keyboard logger Bots(Zombies)

12 Cheap Rolex? Lockvogelangebote für Rolex-Uhren, Windows Software, Wettbewerbe, Gefälschte Bestellung, mit falscher MC Nummer und Junk am abgeschickt: Keine Verschlüsselung Falsche Kreditkartennummer nicht detektiert Keine -Bestätigung für die Bestellung wahrscheinlich geht es nur darum, Kreditkarten- und Personen Informatinen zu sammeln. 12

13 1. Spoof (Spam) Phishing Real site 3. Spoofed Web Site 2. Camouflaged Hyperlink Fake Pop-Up <A HREF= Ref. Gartner Group, Cannes 2004 Phishing is a spam-based scam that has grown in popularity. Phishing is not a "cyberattack," such as propagating malicious code. It is a social-engineering attack, in which attackers (or "phishers") trick users into doing something that will harm them or their companies. The phisher sends an message that looks like it comes from a legitimate source for example, an online merchant. In many cases, the message states that there is a problem with the user's account and requests that the user confirm the merchant's information by entering sensitive account information (such as a credit card number, address, user name and password) into the phisher's Web site, which resembles the merchant's site. Using this information, the phisher can steal access to the account or perpetrate identity fraud. In addition, phishing could provide attackers with access to an organization's internal systems, but it is used for identity theft in most cases. 13

14 Botnet Providing networks of zombie PCs used anonymous relays for spam to launch denial of service attacks on websites to steal confidential information about a PC's owner More than PCs per day are being taken over to spread spam and viruses (bot nets peak of new recruits was in one day) Windows viruses were detected in the first six months of 2004 October 5, 2004, Spy Act The new recruits per day peak in 2004 is due to a battle between the MyDoom and Bagle virus teams. October 5, 2004, the U.S. House of Representatives passed a bill to criminalize the act of altering PC configurations (Spy Act ), taking control and downloading software onto a PC without the owner's consent: By a vote, House members approved legislation prohibiting "taking control" of a computer, surreptitiously modifying a Web browser's home page, or disabling antivirus software without proper authorization. The Spy Act would also create a complicated set of rules governing software capable of transmitting information across the Internet. It would give the Federal Trade Commission authority to police violations of the law and to levy fines of up to $3 million in the most pernicious cases. 14

15 Sendmails Corp offers members $5 for downloading and installing the company's VirtualMDA (mail delivery agent) software pay an additional $1 for every hour of computing time that the VirtualMDA software spends blasting out s on behalf of Sendmails and its clients After downloading and analyzing the VirtualMDA software last week, Jones said he concluded that Sendmails' "primary reason for doing that service is so their clients' IP addresses don't get blocked by all the spam lists. Instead, all these cable-modem users who install the software get banned." VirtualMDA was developed as a result of marketing companies not being able to get delivered," said Haberstroh. "We were sequestered by a rather large Fortune 1000 company to create an deployment service that would basically get their delivered to the recipients whose addresses they were paying for." VirtualMDA was developed as a result of marketing companies not being able to get delivered," said Haberstroh. "We were sequestered by a rather large Fortune 1000 company to create an deployment service that would basically get their delivered to the recipients whose addresses they were paying for." Haberstroh, VirtualMDA, Sendmails and its parent company, Atriks, have not managed to keep themselves off the Spamhaus Register of Known Spam Operations. Run by a British nonprofit, the online directory contains hundreds of records of suspected spammers. 15

16 Beagle_J Mass Mailing Worm Attachment Backdoor SMTP / HTTP File Sys Beagle_J is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through . Sends the attacker the port on which the backdoor listens, as well as the IP address. Attempts to spread through file-sharing networks, such as Kazaa and imesh, by dropping itself into the folders that contain "shar" in their names. 16

17 IP-Adressen von infizierten Rechnern verkaufen : C t Redaktion kauft bei Virenverbreitern ein Trojaner auf tausenden Rechnern installiert (Virus "Randex" ) Nimmt per Chat-Protokoll IRC Kontakt zu seinem "Master" auf. empfängt Befehle wie etwa, nach CD-Keys von Spielen suchen vom infizierten System aus SYN-Flood-Attacken starten weitere Software nachladen (z.b. zur Weiterleitung von Spam) verbreitet sich über den Windows-Verzeichnisdienst insbesondere in Sub-Netzen weiter Ferngesteuerte Spam-Armeen, Nachgewiesen: Virenschreiber liefern Spam- Infrastruktur, c't 5/04, S. 18. URL dieses Artikels: Links in diesem Artikel: [1] [2] [3] [4] [5] [6] [7] 17

18 an cnlab.ch Mail 3% unerkannte SPAM 3% Falsche Empfänger 30% erkannte SPAM 53% Viren 11% Juni

19 Mail auf dem Setziertisch 19

20 Electronic Mail ( ) Server 1 Internet Router Server 3 Bob@bbb.ch Mail Client Host 1 Router Send Server Host 1 Router Router Receive Server Send Server Host 1 bbb.ch aaa.com Router Relay Server An open mail relay occurs when a mail server processes a mail message where neither the sender nor the recipient is a local user. In this example, both the sender and the recipient are outside the local domain (or rather, the local IP range, for the technically inclined). The mail server is an entirely unrelated third party to this transaction. The message really has no business passing through this server. The legitimate use of a mail relay is threatened by influx of spam originating from a third party, the spammer. Abuse occurs when massive amounts of mail are relayed through an otherwise unrelated server. Most such abusive sessions are initiated by junk ers - the so-called spammers - attempting to covertly distribute their unwanted messages all over the Internet. In the past, third party mail relaying was a useful tool. These days, thanks to the spammers, open mail relays pose a significant threat to the usefulness of . ORDB.org is the Open Relay Database. ORDB.org is a non-profit organisation which stores a IP-addresses of verified open SMTP relays. These relays are, or are likely to be, used as conduits for sending unsolicited bulk , also known as spam. By accessing this list, system administrators are allowed to choose to accept or deny exchange with servers at these addresses. 20

21 Typical Server Setup Externer Mail Gateway Interner Mailserver (Exchange Server) Antivir Mailgate (port 25) SMTPD (port 2225) Spamassassin queue qmail McAffee WebShield (port 2525) Exchange (port 25) Group Shield SMTP Outlook Client Junkmail VirusScan Antivir Mailgate macht Relay Check und Virencheck (Mails mit Viren werden gelöscht) Spamassassin kennzeichnet Mails, welche als Spam klassiert werden Zweiter VirenScanner (McAffee) detektiert Viren, welche von Antivir nicht gefunden wurden (z.b. aufgrund unterschiedlich aktueller Virensignatur-Files) GroupShield untersucht Exchange Store bzw. bereits empfangen Mails (welche beispielsweise angekommen sind, bevor die Virensignaturen bekannt waren) Es wäre durchaus sinnvoll, Spam- und Virenchecking auch für ausgehende Mails zu machen: Spam-Filter Training mit guten Mails Alarmierung bei echten Mails, welche als SPAM detektiert würden Interne Spammer detektieren Verhindern, dass Viren nach aussen gesendet werden 21

22 Mail message format RFC 822: standard for text message format SMTP-Envelope (written by servers) RCPT To: header lines To: From: Subject: body the message, ASCII characters only Envelope Mail From: DATA header body blank line Die Header-Informationen werden beim normalen Client vom Client- Programm an den SMTP Prozess übergeben. D.h. beim Versand einer normalen werden die Adressen, die im Mailprogramm des Absenders in die Felder "To:" und "CC:" eingetragen wurden, nicht nur zur Generierung dieser beiden Headerzeilen benutzt, sondern auch beim SMTP-Dialog als "RCPT TO:" und Mail From: auf den Umschlag übertragen. Die Envelope enthält die für die Zustellung einer relevanten Informationen, welche vor allem durch die Mail- Server interpretiert werden. Dem Client interessieren die Envelope-Informationen in der Regel nicht. Allerdings werden manchmal gewisse Daten aus der Envelope in den Header übertragen. 22

23 Mail header additions by involved SMTP servers Each SMTP recipient adds his Domain Name (with IP Address) and a Time Stamp to the Mail Header sky.itr.ch (SMTP/POP Server) mail.iprolink.ch (SMTP Server) tslzgp157.iprolink.ch (Mail Client/SMTP) These stamps are placed on the envelope of the mail by each SMTP server. The SMTP/ESMTP IDs as well as the time stamp have local significance only (i.e. it is just the local time of the corresponding server). [see also 23

24 Return-Path: Received: from mx3.gmx.example [ ]) by ancalagon.rhein-neckar.de (8.8.5/8.8.5) with SMTP id SAA25291 for Thu, 16 Sep :36: (MET DST) Received: (qmail 1935 invoked by alias); 16 Sep :36: Delivered-To: GMX delivery to Received: (qmail invoked by uid 0); 16 Sep :36: Received: from pbox.rz.rwth-aachen.example ( ) by mx3.gmx.example with SMTP; 16 Sep :36: Received: from post.rwth-aachen..example (slip-vertech.dialup.rwth-aachen.example [ ]) by pbox.rz.rwth-aachen.example (8.9.1/8.9.0) with ESMTP id RAA28830 for Wed, 16 Sep :35: Message-ID: Date: Wed, 16 Sep :33: From: Heinz-Gustav Hinz Organization: RWTH Aachen X-Mailer: Mozilla 4.05 [de] (Win95; I) To: Karl-Heinz Schmitt MIME-Version: 1.0 Content-Type: text/plain; charset=iso Content-Transfer-Encoding: quoted-printable Subject: Re: Hallo Nachbar! References: Reply-To: X-Resent-By: Global Message Exchange X-Resent-For: X-Resent-To: Die Return-Path Zeile sollte, wenn sie existiert, ganz am Anfang der stehen. Sie enthält den Envelope-From (also die Absenderangabe aus dem SMTP-Umschlag). Diese kann allerdings bei SMTP beliebig angegeben werden. Die "eigentlichen" Zustellvermerke sind die "Received:"- Headerzeilen, die jeweils vor dem Weiterschicken einer vom Mailserver vorne angefügt werden. Die oberste "Received:"- Zeile wurde vom eigenen Mailserver (bzw. dem des Providers) erzeugt. Eine "Received:"-Zeile gibt immer an, wer die Mail von wem empfangen hat. Gewisse Received-Zeilen können je nach verwendetem Mail- Server sehr speziell aussehen (vgl. Received: (qmail...) und Delivered-To: GMS..., bei welchen es sich um eine Spezialität des GMX-Mailers handelt. Die Message-ID ist eine eindeutige Kennung der (vergleichbar einer Seriennummer). Sie sollte aus einer unverwechselbaren Zeichenfolge vor dem (meistens Datum und Benutzerkennung in einer kodierten Form) und einem Rechnernamen hinter dem bestehen. Häufig wird die Message-ID bereits vom Mailprogramm des Absenders erzeugt; ansonsten tragen die meisten Mailserver sie nach, soweit sie fehlt. Alle mit "X-" beginnenden Headerzeilen sind nicht standardisiert und können von verschiedenen Programmen (oder auch Benutzern) beliebig eingefügt werden. 24

25 Anzeigen von Header Informationen Outlook Express 4, 5, & 6 (Windows) While viewing the message, click the File menu, then click Properties. On the Details tab, you will need to right click, choose select all (this should highlight all the text). Then right click again, and choose copy. You must then paste the headers into the forwarded message (click the Edit menu, then choose Paste) Microsoft Outlook 98 & 2000 (Windows) Double click the message to open it in a new window. Go to the View menu and choose Options. Copy the text in the Internet Headers window by right clicking and choosing Select All, then right clicking again and choosing Copy. Then paste the headers when you forward the message (click the Edit menu and choose Paste). Netscape Mail & News (Win, Linux & Mac) Click the Options menu, choose Show Headers, then select All. (Note: Some older versions of Netscape may not be able to show the complete headers) The header information is like the envelope around an telling the senders address, the time it was sent, and where it was sent from. header information is includes the "To" and "From" data about an . More importantly, it also contains a lot of other information about the source of and . Knowing how to get to the header is important if you ever want more information about where the came from. Many programs hide much of the header information because most of the time you don't need it. This tutorial will teach you how to read and view the full header of s in different programs. What the header information "means" is beyond the scope of this tutorial. Most spam these days is sent with a fake return address. To figure out where the spam really came from the following web form is a tool to let you find out which provider an IP address is assigned to: 25

26 SPAM / Massmail Detektion und Filterung 26

27 SPAM Abwehrmassnahmen Technisch Sending Mailserver Receiving Mailserver Client SPAM-Filter Service Betreiber Mailbox Betreiber Organisatorisch, Verhalten Anwender Einsatz seiner Mail-Adresse Reaktion auf SPAM-Mails Gesellschaft Rechtslage Wirtschaftslage Kostenfolgen

28 Technische SPAM Abwehrmassnahmen Akzeptiere nur Mails von lokalen Clients (no relaying) Client Authentication Verzögerungstaktik (Teergrube) Sendender Server Internet Router Router Router Router Empfangender Server Filtering (Sender, Inhalt, Tag) bbb.ch Router Ablehnung von Mails (Blacklists) Nachfragen beim Sender (SPF, Greylisting) Filtering (Sender, Inhalt, Blacklist Spammer Anzahl gleiche Mails / DCC) Avoid grabbing Identify and abort dictionary attack Identify and abort address-harvasting attack ( tag handling) Boundary Defense Nonaccept a message (simply decline to accept it, rather than receiving it at all) Disable relaying, verify, expand Header Analysis (Reading headers by ) Validity of the sender (using reverse lookup ) Consistency between the sender and the from fields Tactics used by known spammers that are highly unlikely to be found in normal messages Content Analysis A set of rules to search for known spammer tactics A set of rules to search for known chain letters, hoaxes and urban legends The ability to look for words and phrases in a targeted words list (for example, porn, financial services) The ability to do contextual analysis The ability to tune the product for the environment Sensing or Reporting put accounts in all the places spammers love to harvest addresses (SPAM Honeypot) create consortia or user groups to develop and share anti-spam rules Blacklist and White Lists create a white list of domains that are always allowed to receive , no matter what the content is URL-Blacklist 28

29 Sender Authentication Initiatives Initiative Initiator How It Works Domain Keys Yahoo! Public key infrastructure (PKI) and DNS Caller ID Microsoft XML records stored in DNS Sender Policy Framework (SPF) Sender ID Meng Wong (Pobox) Concise text records stored in DNS Source: Gartner Group, Cannes 2004 There are four sender authentication initiatives: Domain keys: Uses PKI and DNS. A domain owner generates a public and private key pair, makes the public one available via DNS, and configures that domain's outbound mail servers to sign messages with the private key. Inbound mail servers would then need to check that signature against the public key. This initiative is at the early draft stage. Caller ID: Uses XML records stored in DNS, which list the IP address ranges that send s legitimately from a particular domain. This initiative is at a relatively early stage. Caller ID for is the third major authentication specification to emerge, after SPF (Sender Permitted From) and Yahoo Domain Keys. These multiple specifications will impede adoption, as will the need to introduce new intra-enterprise practices and technology upgrades. The various authentication initiatives will accelerate the spread of domain-to-domain authentication among early technology adopters and regulated industries. SPF: Uses concise text records stored in DNS. It can designate which servers are sending from a domain legitimately by using IP address ranges, or established mail exchange (MX) records. Inbound mail servers that are configured to parse SPF return one of several possible responses, and system administrators can decide what to do with the result. Sender ID: The convergence of Microsoft's Caller ID for proposal and Meng Wong's SPF. Microsoft has submitted this to the IETF. SPF is the only initiative that has been adopted. A significant number of domains publish SPF records, including AOL. It has been injected into the open source "wild," which means its growth is viral. The number of open-source mail servers that support SPF is increasing, and it is being adopted into antispam software. 29

30 Sender Policy Framework (SPF) SPF records are TXT records in DNS mail server, or anti-spam filter, that supports SPF checking does a DNS text query for the address supplied in the SMTP (Simple MailTransfer Protocol) MAIL FROM command. Response may by No published SPF records Pass Fail Sender cannot be confirmed as legitimate or illegitimate Lookup error The check is neutral or incomplete, which should be treated as if there was no SPF record A domain s SPF records indicate which servers are allowed to send on behalf of that domain that is, which servers can send purporting to be from an address at that domain. SPF records can be constructed loosely to indicate that these particular servers are definitely legitimate, but mail from other servers may or may not be legitimate, or they can specify that all servers can legitimately send from that domain. Publishes where correct mail from <domain> should originate MARID closed sept 04 because of Microsoft license violations - Switch nutzt SPF nicht weiter 30