1

I just registered a new domain last week. I associated it with my Google Apps account.

Apparently, some spam bot is using it with fake account names to send spam and I'm receiving a ton of bounces.

What can I do to help against that?

I do have an SPF DNS record

`v=spf1 include:_spf.google.com ~all`

I don't want to have -all based on this.

http://www.google.com/support/a/bin/answer.py?answer=178723

Daniel A. White

3 Answers

6

Saying "I have an SPF record" is a bit like saying "I have a computer". Until we know the details, it's a bit difficult to say why it might not be helping.

More specifically, could we see the SPF record, or at least could you tell us whether it ends in ~all, ?all, or -all?

Edit: thanks for posting your SPF record, which we see ends in ~all. As I have written elsewhere on Server Fault, any SPF record that doesn't end -all is next-to-useless and definitely won't prevent joe-jobbing (as the sending of spam claiming to be from your domain by unauthorised third-parties is also known).

SPF really can be useful in this scenario; it's not checked by everyone, but it's checked by a lot of MTAs. If you can itemise all the systems that will send email from your domain, and then disallow all others by changing that to -all, it will tell recipients who check SPF records that email claiming to be from your domain but originating elsewhere can lawfully be discarded or refused, and many recipients' servers will then do that.

As long as you continue to end with ~all, you're telling recipients nothing about identifying email that's not from you, only about identifying email that is - and that's no help at all in getting joe-jobbed spam refused.

Second edit: yes, thanks for the pointer to the google document. As it says,

> Publishing an SPF record that uses -all instead of ~all may result in delivery problems.

Well, yes it can: that's the point of it.

You want people not to accept email that claims to be from your domain when it's not from you? Then you have to tell them that they should do so. SPF -all is one way to do that. DomainKeys/DKIM is another. In all cases, you have to tell people that you're identifying mail from you in a certain way, and if it doesn't carry that identifier, they should refuse it. If you won't tell them that, then why are you surprised if they don't refuse it?

MadHatter
  • See: http://www.google.com/support/a/bin/answer.py?answer=178723 – Daniel A. White Oct 05 '11 at 14:13
  • 2
    @DanielA.White - If you're not comfortable permanently setting it to `-all`, what about using the setting for just a few weeks or so? The spammer will likely quickly notice that his messages no longer get through and move on to an easier domain. Then you can put your `~all` setting back how you want it. – Joel Coel Oct 05 '11 at 14:29
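The difference between `~all` and `-all` discussed in the answer above, as an added example that is not part of the original thread: a reduced SPF evaluator covering only `ip4`, `ip6`, `include` and `all`, run against the question's record. The `ZONE` table is a constructed stand-in for DNS, and the range in it is a documentation range, not Google's real netblocks.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# Assumption: 192.0.2.0/24 is a documentation range, not Google's real data.
ZONE = {"_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ~all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, record, zone=ZONE, depth=0):
    """Evaluate a subset of SPF (ip4, ip6, include, all) for a sending IP."""
    if depth > 10:  # guard against include loops
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        # A mechanism without an explicit qualifier defaults to "+" (pass).
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        else:
            qualifier, mech = "+", term
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            target = zone.get(arg)
            if target is None:
                return "permerror"
            # include matches only when the included record returns pass.
            matched = check_host(ip, target, zone, depth + 1) == "pass"
        else:
            return "permerror"  # term outside this example's subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def compare(ip):
    """Result for the question's record and for the same record with -all."""
    soft = check_host(ip, "v=spf1 include:_spf.google.com ~all")
    hard = check_host(ip, "v=spf1 include:_spf.google.com -all")
    return soft, hard


if __name__ == "__main__":
    for ip in ("192.0.2.25", "203.0.113.9"):  # constructed sender addresses
        print(ip, compare(ip))
```

For the address outside the listed range, the `~all` record evaluates to `softfail` and the `-all` variant to `fail`; what a receiving server does with each result is its own policy.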
1

You'll have to set SPF to '-all', or there is no sense in SPF at all. Don't worry about the delivery problems, there will be none.

Andrei Mikhaltsov
  • Well there will be delivery problems ... for the spammer. The whole point of what he's doing is to cause the spammer delivery problems. To avoid settings that will cause delivery problems would be nuts. – David Schwartz Oct 05 '11 at 19:04
0

What you currently see is Backscatter. See here what to do against it. And the related questions thereof.

Things that really help are BATV and/or VERP. But as you are on Google this does not work in your case. But for a "real" mail server this is a big relief.

PS: What's the price for the domain if I want to buy it?

mailq
  • I am entertained by the notion that a domain being abused by spammers could have a higher market value than one that isn't, due to its value in spam research. – Skyhawk Oct 05 '11 at 18:04
  • @MilesErickson Am I so predictable? ;-) – mailq Oct 05 '11 at 18:07