It has come to our attention that a spammer, apparently of Russian origin, has been sending spam E-mails with forged From: addresses in the vlinder.ca domain. An example spam E-mail runs as follows:
From: firstname.lastname@example.org
Subject: RE: GALE - Copies of policies
Unfortunately, I cannot obtain electronic copies of the Ocean, Warehouse or EPLI policy. Here is the Package and Umbrella, and a copy of the most recent schedule. GALE NICHOLS,
(The original version contained two links to the spammer’s website).
First, we want to make it absolutely clear that Vlinder Software does not send spam E-mails and does not condone such practices. These messages were sent by someone who has no affiliation to Vlinder Software, without our permission, effectively abusing our domain name.
Second, Vlinder Software will start rolling out counter-measures to this abuse shortly: we will start using SPF, DKIM and DMARC on all our domains and all domains we manage for our customers as soon as possible.
SPF (Sender Policy Framework) records allow E-mail programs and servers to identify which E-mail servers are allowed to send E-mail for a given domain [1]. We will start implementing SPF on all domains we manage over the coming months. This will make it considerably more difficult for spammers to send E-mail “from” one of these domains, as they would have to both forge the From: header and “spoof” an E-mail server that the domain authorizes.
Once SPF is in place, we will start implementing DKIM (DomainKeys Identified Mail), which allows for cryptographic signing of messages sent from our domain. Generally, DKIM allows an organization to claim responsibility for transmitting a message. It therefore allows for a form of non-repudiation: the receiver of a message can say, with certainty, that the message they received was the message we sent [2].
Once both SPF and DKIM are implemented, we will start implementing DMARC (Domain-based Message Authentication, Reporting & Conformance), which will allow us to progressively fine-tune our anti-spam policies [3].
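To make the SPF and DMARC steps above concrete, here is an added example (not code from Vlinder Software) that evaluates a sending IP against a domain's SPF record and then maps the result to the disposition the From: domain's DMARC policy asks for. The DNS records in ZONE and the domains in them are constructed placeholders, and only the ip4, ip6, include and all mechanisms are handled.

```python
import ipaddress

# Constructed DNS TXT records standing in for live lookups; hypothetical
# placeholder domains, not Vlinder Software's real zone data.
ZONE = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, sender_ip, zone=ZONE, depth=0):
    """Evaluate sender_ip against domain's SPF record (ip4/ip6/include/all only).
    SPF is checked on the envelope sender (MAIL FROM) domain; DMARC is what ties
    the result to the visible From: header a spammer forges."""
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # domain publishes no SPF policy
    if depth > 10:
        return "permerror"              # RFC 7208 caps include recursion
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):    # a v4 address never matches a v6 network
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(arg, sender_ip, zone, depth + 1) == "pass"
        else:
            return "permerror"          # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # record exhausted without a match

def dmarc_disposition(from_domain, spf_result, zone=ZONE):
    """Map an SPF result to the action the From: domain's DMARC policy requests.
    Simplified: DKIM and alignment are omitted, so the envelope domain is assumed
    to equal from_domain. p=none is the report-only stage of a cautious rollout."""
    record = zone.get("_dmarc." + from_domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return "no policy"
    if spf_result == "pass":
        return "deliver"
    return {"none": "deliver (report only)", "quarantine": "quarantine",
            "reject": "reject"}.get(tags.get("p"), "no policy")
```

Changing the placeholder policy from p=quarantine to p=none shows the monitoring stage a domain sits in before enforcement, which is where the cautious rollout described below begins.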
While we implement these measures, please understand that we must proceed with caution: while it is very important to us to stop spammers from abusing our domain names to attack or annoy innocent people, it is also important that we, and the clients we manage domains for (which are mostly charities and small businesses), be able to send E-mails and make sure those E-mails are not rejected as spam. That is why we cannot simply configure all these domains with SPF, DKIM and DMARC overnight: we will have to prepare the necessary documentation explaining what’s happening, and guide each of them through the steps of setting up these measures.