How DOS can lead to SPF Failure

DOS = Denial of Service attacks, typically but not exclusively carried out by using greater bandwidth against a bandwidth-limited victim
SPF = Sender Policy Framework, a system to ensure that spoofed emails (masquerades) are not accepted.

It all started when I got spoofed emails in my inbox coming from my own email address! Since I had SPF on my domain, I knew that this was not the expected behavior of my mailserver. So I opened my email headers to investigate and this is what I saw:

Received-SPF: error( Error in processing during lookup of name

Now, why would this fail??
Using MXtoolbox, I checked and verified that my domain had the CORRECT SPF entries. The mystery deepens!!!
Now to stop all the suspense, and as the title of this post would suggest, this is what probably happened:
1. SPF is set to DENY only if the result of SPF is Fail.
2. is hosted on a server with Traffic shaping
3. Spammers flood the victim mailserver with traffic, preventing the mailserver from looking up SPF entries in DNS.
4. The mailserver could not get the SPF entries, and thus it did not receive the Fail trigger.
5. The mailserver then allows the spoofed email in!

The solution in this case is to remove the bandwidth throttling on the mailserver so that the server can query the DNS server for each sender’s domain to verify the SPF records.
Mail is then rejected when the SPF returns a Fail message.
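
The fail-open behavior in steps 1 to 5 can be shown as an added example (not code from this post or from any particular mail server). It contrasts the "deny only on Fail" policy with one that also defers when the SPF lookup itself errors out, which goes beyond the fix above, and it scans delivered mail for messages that claim your own domain but never got a completed SPF check. The domain `example.org`, the sample messages and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Results meaning "the DNS lookup did not complete".
# "error" is the spelling seen in the Received-SPF header quoted in this post.
LOOKUP_ERRORS = {"error", "temperror"}

def spf_result(msg):
    """Result keyword of the first Received-SPF header, or 'none' if absent."""
    m = re.match(r"\s*([A-Za-z]+)", msg.get("Received-SPF", ""))
    return m.group(1).lower() if m else "none"

def smtp_action(result, defer_on_error):
    """Map an SPF result to an SMTP reply under the two policies."""
    if result == "fail":
        return "550 5.7.1 SPF fail"
    if defer_on_error and result in LOOKUP_ERRORS:
        # RFC 7208 section 8.6: temporary error -> 451 / 4.4.3, so the
        # sender retries later instead of being accepted unchecked.
        return "451 4.4.3 SPF lookup failed, try again later"
    return "250 OK"  # with defer_on_error=False this is the fail-open path

def spoofed_self_candidates(raw_messages, own_domain):
    """Message-IDs of delivered mail claiming our domain with no completed SPF check."""
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        addr = parseaddr(msg.get("From", ""))[1]
        from_domain = addr.rpartition("@")[2].lower()
        if from_domain == own_domain and spf_result(msg) in LOOKUP_ERRORS:
            hits.append(msg.get("Message-ID", "?"))
    return hits

# Constructed sample messages; example.org stands in for the protected domain.
SAMPLES = [
    "Received-SPF: error (Error in processing during lookup of example.org)\n"
    "From: Me <me@example.org>\nMessage-ID: <1@constructed>\n\nspoofed\n",
    "Received-SPF: pass (sender authorized)\n"
    "From: Me <me@example.org>\nMessage-ID: <2@constructed>\n\nlegit\n",
    "Received-SPF: temperror (DNS timeout)\n"
    "From: a@other.example\nMessage-ID: <3@constructed>\n\nunrelated\n",
    "Received-SPF: TempError (DNS timeout)\n"
    "From: me@example.org\nMessage-ID: <4@constructed>\n\nspoofed\n",
]

if __name__ == "__main__":
    print(spoofed_self_candidates(SAMPLES, "example.org"))
    print(smtp_action("error", defer_on_error=False))
    print(smtp_action("error", defer_on_error=True))
```
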