Sep 15, 2010

How to control webmail traffic?

Sender Policy Framework (SPF) is an open standard that helps hinder spammers. Using SPF, domain administrators publish which mail servers are authorized to send mail for their domain, and receivers can check whether a message came from one of those servers.

Also, it is useful when we need to implement access rules to control traffic going to or coming from webmail servers.

For example, if you need to control traffic from internal networks to Hotmail servers, the single address you get from a DNS resolution is not enough: you need the complete list of server networks. It can be built by performing the steps below:

>nslookup -type=TXT hotmail.com

Non-authoritative answer:
hotmail.com text = "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com include:spf-c.hotmail.com include:spf-d.hotmail.com ~all"

Then query each of the included SPF records:

>nslookup -type=TXT spf-a.hotmail.com

Non-authoritative answer:
spf-a.hotmail.com text = "v=spf1 ip4:209.240.192.0/19 ip4:65.52.0.0/14 ip4:131.107.0.0/16 ip4:157.54.0.0/15 ip4:157.56.0.0/14 ip4:157.60.0.0/16 ip4:167.220.0.0/16 ip4:204.79.135.0/24 ip4:204.79.188.0/24 ip4:204.79.252.0/24 ip4:207.46.0.0/16 ip4:199.2.137.0/24 ~all"

>nslookup -type=TXT spf-b.hotmail.com

Non-authoritative answer:
spf-b.hotmail.com text = "v=spf1 ip4:199.103.90.0/23 ip4:204.182.144.0/24 ip4:204.255.244.0/23 ip4:206.138.168.0/21 ip4:64.4.0.0/18 ip4:65.54.128.0/17 ip4:207.68.128.0/18 ip4:207.68.192.0/20 ip4:207.82.250.0/23 ip4:207.82.252.0/23 ip4:209.1.112.0/23 ~all"

>nslookup -type=TXT spf-c.hotmail.com

Non-authoritative answer:
spf-c.hotmail.com text = "v=spf1 ip4:209.185.128.0/23 ip4:209.185.130.0/23 ip4:209.185.240.0/22 ip4:216.32.180.0/22 ip4:216.32.240.0/22 ip4:216.33.148.0/22 ip4:216.33.151.0/24 ip4:216.33.236.0/22 ip4:216.33.240.0/22 ip4:216.200.206.0/24 ip4:204.95.96.0/20 ~all"

>nslookup -type=TXT spf-d.hotmail.com

Non-authoritative answer:
spf-d.hotmail.com text = "v=spf1 ip4:65.59.232.0/23 ip4:65.59.234.0/24 ip4:209.1.15.0/24 ip4:64.41.193.0/24 ip4:216.34.51.0/24 ~all"


Now create an object-group containing all of those networks, with each prefix length written as a dotted subnet mask:

object-group network hotmail.com
 network-object 209.240.192.0 255.255.224.0
 network-object 65.52.0.0 255.252.0.0
 network-object 131.107.0.0 255.255.0.0
 network-object 157.54.0.0 255.254.0.0
 network-object 157.56.0.0 255.252.0.0
 network-object 157.60.0.0 255.255.0.0
 network-object 167.220.0.0 255.255.0.0
 network-object 204.79.135.0 255.255.255.0
 network-object 204.79.188.0 255.255.255.0
 network-object 204.79.252.0 255.255.255.0
 network-object 207.46.0.0 255.255.0.0
 network-object 199.2.137.0 255.255.255.0
 network-object 199.103.90.0 255.255.254.0
 network-object 204.182.144.0 255.255.255.0
 network-object 204.255.244.0 255.255.254.0
 network-object 206.138.168.0 255.255.248.0
 network-object 64.4.0.0 255.255.192.0
 network-object 65.54.128.0 255.255.128.0
 network-object 207.68.128.0 255.255.192.0
 network-object 207.68.192.0 255.255.240.0
 network-object 207.82.250.0 255.255.254.0
 network-object 207.82.252.0 255.255.254.0
 network-object 209.1.112.0 255.255.254.0
 network-object 209.185.128.0 255.255.254.0
 network-object 209.185.130.0 255.255.254.0
 network-object 209.185.240.0 255.255.252.0
 network-object 216.32.180.0 255.255.252.0
 network-object 216.32.240.0 255.255.252.0
 network-object 216.33.148.0 255.255.252.0
 network-object 216.33.151.0 255.255.255.0
 network-object 216.33.236.0 255.255.252.0
 network-object 216.33.240.0 255.255.252.0
 network-object 216.200.206.0 255.255.255.0
 network-object 204.95.96.0 255.255.240.0
 network-object 65.59.232.0 255.255.254.0
 network-object 65.59.234.0 255.255.255.0
 network-object 209.1.15.0 255.255.255.0
 network-object 64.41.193.0 255.255.255.0
 network-object 216.34.51.0 255.255.255.0
asa(config)# end
asa# wr mem
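The whole procedure above, as an added example that is not part of the original post: parse the SPF record, follow each include: recursively (with a loop guard and the 10-lookup limit from RFC 7208), and render the ip4 networks as the ASA object-group. DNS is replaced by an offline dictionary holding a shortened copy of the records quoted above.

```python
import ipaddress

# Constructed offline stand-in for the nslookup queries above: a shortened copy of
# the hotmail.com SPF records quoted in the post, keyed by record name.
SPF_RECORDS = {
    "hotmail.com": "v=spf1 include:spf-a.hotmail.com include:spf-b.hotmail.com "
                   "include:spf-c.hotmail.com include:spf-d.hotmail.com ~all",
    "spf-a.hotmail.com": "v=spf1 ip4:209.240.192.0/19 ip4:65.52.0.0/14 ip4:131.107.0.0/16 ~all",
    "spf-b.hotmail.com": "v=spf1 ip4:199.103.90.0/23 ip4:64.4.0.0/18 ~all",
    "spf-c.hotmail.com": "v=spf1 ip4:209.185.128.0/23 ip4:204.95.96.0/20 ~all",
    "spf-d.hotmail.com": "v=spf1 ip4:65.59.232.0/23 ip4:216.34.51.0/24 ~all",
}

def expand_spf(domain, records, seen=None):
    """Return the ip4 networks authorised by domain's SPF record, following
    include: and redirect= recursively. `seen` breaks include loops and enforces
    RFC 7208's limit of 10 DNS-querying mechanisms per evaluation."""
    seen = set() if seen is None else seen
    if domain in seen:                 # loop guard: record includes itself or a parent
        return []
    seen.add(domain)
    if len(seen) > 11:                 # root record plus at most 10 includes
        raise ValueError("SPF include chain exceeds the 10-lookup limit")
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    nets = []
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")     # drop the qualifier, e.g. "~all" -> "all"
        if mech.startswith("ip4:"):
            nets.append(ipaddress.IPv4Network(mech[4:], strict=False))
        elif mech.startswith("include:"):
            nets.extend(expand_spf(mech[8:], records, seen))
        elif mech.startswith("redirect="):
            nets.extend(expand_spf(mech[9:], records, seen))
        # ip6:, a, mx, exists and all cannot be turned into IPv4 network-objects
    return list(dict.fromkeys(nets))   # drop duplicates, keep first-seen order

def asa_object_group(name, nets):
    """Render the networks as the ASA object-group shown in the post."""
    lines = [f"object-group network {name}"]
    lines += [f" network-object {n.network_address} {n.netmask}" for n in nets]
    return "\n".join(lines)

if __name__ == "__main__":
    print(asa_object_group("hotmail.com", expand_spf("hotmail.com", SPF_RECORDS)))
```

Re-run it whenever the records change, since the included ranges are updated by the domain owner. The ip4 entries are the networks authorized to send mail for the domain, so verify that they also cover the webmail endpoints you intend to filter before relying on the generated object-group.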
