Issues with SPF and Korean ISPs

If you publish SPF records, send mail to Korean ISPs, and use SPF mechanisms other than ip4:, you may face a problem.

Apparently (and this is second-hand, so treat it with some caution), the Korean Information Security Agency (KISA) is producing an RBL of domains to blacklist. This is complemented by a whitelist, called WhiteDomain, seeded by using published SPF records.

There's a webpage for the KISA RBL, with both English and Korean versions. It looks like there's more content on the Korean version than on the English version, but most of it's text on images which Google can't translate, and my Korean's not up to much.

Many Korean ISPs are using this RBL and whitelist.

However, the process for seeding WhiteDomain is only correctly handling SPF records that use the ip4: mechanism. Other mechanisms (like a:, ptr:, and mx:) are being ignored. So if your SPF record doesn't use the ip4: mechanism (and there are many legitimate reasons for not doing so) you are going to find your e-mail blacklisted by many Korean ISPs.
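A quick way to check whether a published record is exposed to this problem, as an added example (not from the original post or from KISA): it parses an SPF record string and separates the ip4: networks from the pass-qualified terms an ip4-only reader would skip. It assumes every term other than ip4: is ignored; the function names and sample records are constructed for illustration.

```python
import ipaddress
import re

# qualifier, name, then optional separator and argument ("a/24", "ip4:...", "redirect=...")
TERM = re.compile(r"^([+\-~?]?)([A-Za-z][A-Za-z0-9_.\-]*)(?:([:/=])(.*))?$")
# Mechanisms other than ip4 that can authorise a sender in a conforming check_host()
OTHER_MECHANISMS = {"a", "mx", "ptr", "include", "exists", "ip6"}


def ip4_only_view(record):
    """Compare what an ip4-only reader sees with what the full record authorises."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    visible, ignored = [], []
    for raw in parts[1:]:
        m = TERM.match(raw)
        if not m:
            raise ValueError(f"unparseable term: {raw!r}")
        qualifier, name = m.group(1) or "+", m.group(2).lower()
        sep, arg = m.group(3), m.group(4)
        if sep == "=":
            # Modifier: redirect= hands evaluation to another domain's record
            if name == "redirect":
                ignored.append(raw)
            continue
        if qualifier != "+":
            continue  # only pass-qualified terms authorise senders
        if name == "ip4" and sep == ":":
            visible.append(ipaddress.ip_network(arg, strict=False))
        elif name in OTHER_MECHANISMS:
            ignored.append(raw)
    return visible, ignored


def classify(record):
    """'ok', 'partial' (some senders invisible) or 'invisible' (no ip4 term at all)."""
    visible, ignored = ip4_only_view(record)
    if not ignored:
        return "ok"
    return "partial" if visible else "invisible"


# Constructed sample records (example.com and 192.0.2.0/24 are documentation values)
SAMPLES = {
    "ip4 only": "v=spf1 ip4:192.0.2.0/24 -all",
    "mx and a": "v=spf1 mx a:mail.example.com -all",
    "mixed": "v=spf1 ip4:192.0.2.10 include:_spf.example.com ~all",
}
```

A result of "invisible" or "partial" means some legitimate senders are authorised only through terms that such a reader never evaluates.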

This is broken for a couple of reasons. First, the SPF specification is quite clear about what a conforming SPF implementation must do:

4. The check_host() Function

The check_host() function fetches SPF records, parses them, and interprets them to determine whether a particular host is or is not permitted to send mail with a given identity. Mail receivers that perform this check MUST correctly evaluate the check_host() function as described here.

An implementation that claims to process SPF but does not follow parts of the specification is broken, pure and simple.

Second, there's nothing preventing spammers from publishing their own SPF records, authorizing their mail relay. If WhiteDomain is being seeded purely by SPF (and I don't know for certain that it is, so take this with an appropriately sized piece of salt) it's likely to become less and less useful over time.
