Shulou(Shulou.com)06/01 Report--

At present, there are a lot of spam, and corresponding prevention methods emerge one after another, such as blacklist, whitelist, keyword filtering, feature analysis, special website to provide features, and this SPF.

What is this SPF? its full name is Sender Policy Framework.

Is a protocol that DNS records cooperate with.

Most of the current DNS servers do not support SPF records, and I have not seen the one supported by the DNS service, so in order to solve this problem, we all use the txt records of this domain.

SPF records define several ways

+ pass

-reject

~ soft rejection

? Non-committal, that is, no judgment.

Let's look at an example.

Synkbit.com text =

"v=spf1 + a + mx + a:vps1038566.cp.hosting-srv.net-all"

Spf1 is version 1, if you use Sender ID, this field should be v=spf2, that thing is created by Microsoft. + a refers to the IP address corresponding to the a record of the domain name synkbit.com. The following is + mx, which is the mx record of the synkbit.com domain name. The corresponding IP address, + a:vps1038566.cp.hosting-srv.net, is to directly specify the IP address corresponding to a domain name vps1038566.cp.hosting-srv.net. The letter sent from these addresses is legal, and then the last sentence-all,- is rejected. -all means to reject all, just like when we do firewall strategy, the front is all permission, and finally it is the same as a reject all. But-all can still be followed by something, exp, if it appears, it must be the last item.

The domain name specified by exp=getlost.example.com,exp is to provide a rejection message to the rejection. This information is found in the text record of the DNS of the getlost.example.com domain name. Therefore, the exp record is not finished. You need to add the txt record of getlost, such as "You are not authorized to send mail for the domain", and clearly tell the rejected object why you refused to receive your letter.

Filtering options can be a record, mx record, these are dependent on DNS, of course, you can directly specify IP address, ip4:192.168.1.1, of course, support prefix, ip4:192.168.1.0/24, also support IPv6,ipv6:111::11, of course, also support prefix.

There is also a test project include, such as v=spf1 include:spf1.hichina.mail.aliyun.com-all, which is like an alias, the content of the configuration is found in spf1.hichina.mail.aliyun.com, and then the spf1.hichina.mail.aliyun.com record of DNS's txt is queried. It generally appears in virtual common hosts, but independent IP hosts will not be used.

There is also the test project exists, which I think is a chicken rib, which is useless and can be written in the form of exist:domain, that is, to see if there is an A record in this domain name, which seems to be of no use for spam.

There is also the test project ptr, which can be written in the form of ptr:domain. If you are familiar with DNS records, you will know that this is a way of very efficient resources, which is not recommended by the government, so forget it.

There is also redirect, whose format is redirect=, which replaces the current record with the SPF record of the given domain name. I don't know what the use of this is with so many choices.

Official address: http://www.openspf.org/

RFC4408 protocol http://www.openspf.org/RFC_4408

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.