
RE: [Asrg] 1a. Inventory of Problems - Spoofed mail addresses

2004-02-05 21:30:56

Just a note on third party sending

From what I read, some people seem to think it's an aberration and not the
norm.

It is quite the norm for some large websites

e.g. eBay:

eBay cust 1 sends email to eBay cust 2 requesting details of auction item

For privacy reasons they don't simply give out email addresses
So eBay posts the mail using the from address as eBay cust 1

Therefore eBay cust 2 can reply to eBay cust 1 directly

This is in effect a spoofed return address

Many "contact" based websites use this method

Nothing these websites do is wrong, they just take advantage of the way the
system was designed

Solutions?

There really isn't one except to insist that eBay et al. route all messages
AND replies through their server(s)
I am sure this is not something they would want to do

You *could* use the "From" field for eBay and the "ReplyTo" field for cust 1
but that would break many clients because as far as I am aware many ignore
this field and use the "From" field as the reply address

Hence they would reply to the wrong address, e.g. eBay's sending address, which
probably simply bounces mail


Regards
Chris


-----Original Message-----
From: asrg-admin(_at_)ietf(_dot_)org [mailto:asrg-admin(_at_)ietf(_dot_)org] On Behalf Of Brett Watson
Sent: Thursday, February 05, 2004 1:24 PM
To: asrg(_at_)ietf(_dot_)org
Subject: Re: [Asrg] 1a. Inventory of Problems - Spoofed mail addresses


(Subject changed in an attempt to conform to posting guidelines. I think the
subject under discussion -- mail sent from A to B at the request of third
party C -- falls under section 1a.)

Alan DeKok wrote:
Is it really that difficult for your local browser to copy the web
page, and send it?

Seth Breidbart responded:
Difficult?  No.  Copyright violation?  Yes.

To which I say:
How much sympathy are we due to offer in cases where the obstacle is
self-imposed? Arbitrary publication X probably offers a "mail this item to a
friend" service in preference to simply authorising you to do the same on the
basis that the former alternative gives them greater data about who is
getting their articles. Theoretically, it reveals to publication X the email
addresses of two readers: a sender, and a person that the sender thinks is an
interested party. Assuming that the sender isn't abusing the facility, that
is.

The major problem with this kind of third party mail request is that it does
not fit with any viable proposed method of sender authorisation. The only
viable practice that I can envisage involves the publication using its own
address as the envelope-sender address, and the "Sender:" address in the
message. The "From:" address in the message can be set to the address used by
the person requesting the mailing. If the transmission is blocked due to
policy constraints at the recipient's end, then that's just tough luck. If
failure to verify the veracity of data entered in such a web-form results in
widespread abuse and consequent blacklisting of the publication's mail
servers, then that's par for the course.

I guess I'm proposing a BCP, really. It goes like this:

Scenario: party A sends mail to party B at the request of party C. Example:
Chris wants publisher Aardvarks.example.com to mail an article to Bob. The
subsequent mail transaction has Aardvarks.example.com as the SMTP-sender, and
Bob's mail server as the SMTP-receiver. "MAIL From:" is given as a
bounce-handling address at Aardvarks.example.com (possibly utilising VERP),
which allows an LMAP-like system to bless the use of the given address. This
would not be possible if Chris' address were used at this point. "RCPT To:"
is given as Bob's address. In the message itself, "Sender:" is an appropriate
Aardvarks.example.com address, "From:" is Chris' address, and "To:" is Bob's
address. If the message is refused for any reason, the bounce-handler at
Aardvarks.example.com is in a position to notify Chris of this failure via
email.

It is the responsibility of Aardvarks.example.com to make sure that all
potential abuse vectors in this system are minimised, since it bears the risk
of blacklisting if third parties attempt to use it as a weapon of abuse. I
won't engage in a comprehensive review of potential abuse vectors here. I do
note that the use of Aardvarks.example.com as a "MAIL From:" address closes
one potential abuse path, since there is no possibility that a bounce will be
directed at an innocent third party. Contrast this with the case where "MAIL
From:" is the address provided in the web-form.

Regards,
TFBW


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
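
The envelope and header layout proposed in the quoted message, as an added Python example that is not part of the thread or any poster's code: the bounce address encodes the requester VERP-style so the bounce handler knows whom to notify. Assumptions not in the post: the `articles` and `bounce` local parts, the sample addresses, encoding the requester rather than the recipient, and the keyed tag that lets the handler ignore bounce addresses it never issued.

```python
import hashlib
import hmac
from email.message import EmailMessage

PUBLISHER = "aardvarks.example.com"  # domain from the post's example
KEY = b"constructed-demo-key"        # assumption: secret known only to the bounce handler

def _tag(addr: str) -> str:
    """Short keyed tag binding a bounce address to the requester it encodes."""
    return hmac.new(KEY, addr.lower().encode(), hashlib.sha256).hexdigest()[:12]

def check_addr(addr: str) -> str:
    """Reject web-form input with header-injection characters or no local part/domain."""
    local, _, domain = addr.rpartition("@")
    if not local or not domain or any(c in addr for c in "\r\n <>,"):
        raise ValueError(f"bad address: {addr!r}")
    return addr

def bounce_address(requester: str) -> str:
    """MAIL FROM at the publisher, VERP-style: bounce+<tag>+<local>=<domain>@publisher."""
    local, _, domain = check_addr(requester).rpartition("@")
    return f"bounce+{_tag(requester)}+{local}={domain}@{PUBLISHER}"

def requester_from_bounce(rcpt: str):
    """Bounce-handler side: recover the requester, or None if we never issued rcpt."""
    local, _, domain = rcpt.rpartition("@")
    parts = local.split("+", 2)  # the requester's own local part may contain '+'
    if domain.lower() != PUBLISHER or len(parts) != 3 or parts[0] != "bounce":
        return None
    user, sep, dom = parts[2].rpartition("=")
    addr = f"{user}@{dom}"
    if not (sep and user and dom):
        return None
    ok = hmac.compare_digest(parts[1].encode(), _tag(addr).encode())
    return addr if ok else None

def build(requester: str, recipient: str, subject: str, body: str):
    """Return (MAIL FROM, [RCPT TO], message) laid out as the quoted message proposes."""
    msg = EmailMessage()
    msg["Sender"] = f"articles@{PUBLISHER}"  # assumption: local part is made up
    msg["From"] = check_addr(requester)      # the person who filled in the web form
    msg["To"] = check_addr(recipient)
    msg["Subject"] = subject                 # EmailMessage refuses CR/LF in header values
    msg.set_content(body)
    return bounce_address(requester), [recipient], msg
```

The first two return values are what would be passed as the envelope sender and recipients to an SMTP client such as `smtplib.SMTP.send_message(msg, from_addr, to_addrs)`.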

