ietf-asrg

Re: [Asrg] Re: SPF abused by spammers

2004-09-14 17:02:31
On Wed, Sep 15, 2004 at 12:20:13AM +0200, Peter J. Holzer wrote:
Why should they? No legitimate user would want to send mail as
johndoe@ABordeaux-251-2-10-162.w82-125.abo.wanadoo.fr, because he will
never be able to receive an answer (assuming that this is an address in a
dynamic address pool). The legitimate user will want to send mail
as johndoe@wanadoo.fr, or maybe johndoe@bordeaux.wanadoo.fr.

Not quite right.
There is a big difference between 2821.MAILFROM and 2822.From. I can
fake the 2821.MAILFROM and use my correct 2822.From and everybody will
be able to answer using a MUA. But I will not get bounces or error
messages. SPF uses 2821.MAILFROM.
I could use a lot of different providers and my email addresses with
them in 2821.MAILFROM and inject emails with always the same 2822.From.
Fine, all answers will be in the same mailbox and I would be still SPF
compliant.
The problem arises if I mistype an email address. Then I'll have to scan
all boxes with all providers to collect my bounces, because I cannot
forward them to my main box, as SPF breaks forwarding.

SPF doesn't stop spam. It doesn't even try to stop spam. All it does is
tell the recipient whether a certain IP address is allowed to send mail
on behalf of a certain domain.

If they add SPF records to allow each host to send mail as user@revDNS(host)
it would be on behalf of that certain domain (which in fact is a host).

This allows the domain owner to prevent forgeries (or rather, allows the
domain owner to publish information which will allow the recipient to
recognize the forgery easily), which will reduce bounces and misguided
complaints.

And they all will have to learn that it is not sufficient to add SPF
records to the domain only.
What will happen (as per SPF) with emails sent with a sender address
    user@www.your_domain
or how about
    user@vishna.your_domain
The really funny thing is that - as www.your_domain is a CNAME -
you cannot even add an SPF record for www.your_domain, as CNAMEs do not
allow other RRs for the same LHS.
So you cannot prevent forgery with SPF abusing www.your_domain.

(I must admit I don't have a clue about how SPF handles CNAMEs, but I
doubt it will be possible as desired, as it will be impossible to say
    allow  www.your_domain from IPs ...
    asherah.wsr.other_domain does not send email at all
with www.your_domain -CNAME-> asherah.wsr.other_domain)

        \Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"

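
An added illustration, not part of the original message: a small Python model, over constructed zone data, of how an SPF check keyed on the 2821.MAILFROM domain treats the names discussed above. It assumes standard resolver behaviour (a TXT query for a CNAME owner returns the target's TXT records) and implements only the ip4/ip6/all mechanisms; the IP ranges and SPF records are made up.

```python
import ipaddress

# Constructed zone data (not real DNS): name -> {rrtype: [values]}
ZONE = {
    "your_domain": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
    "vishna.your_domain": {"A": ["192.0.2.10"]},  # a host with no SPF record
    "www.your_domain": {"CNAME": ["asherah.wsr.other_domain"]},  # no other RRs allowed
    "asherah.wsr.other_domain": {"TXT": ["v=spf1 -all"]},  # sends no mail at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, depth=0):
    """Return TXT strings for name, following CNAMEs the way a resolver does."""
    rrs = ZONE.get(name.lower().rstrip("."), {})
    if "CNAME" in rrs and depth < 8:
        return lookup_txt(rrs["CNAME"][0], depth + 1)
    return rrs.get("TXT", [])


def check_spf(client_ip, mail_from):
    """Evaluate the SPF record of the 2821.MAILFROM domain (ip4/ip6/all only)."""
    domain = mail_from.rsplit("@", 1)[1]
    records = [t for t in lookup_txt(domain) if t.split(" ")[0].lower() == "v=spf1"]
    if not records:
        return "none"  # the parent domain's record is NOT inherited
    if len(records) > 1:
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for sender in ("user@your_domain", "user@vishna.your_domain", "user@www.your_domain"):
        for ip in ("192.0.2.25", "203.0.113.7"):
            print(f"{sender:28} from {ip:12} -> {check_spf(ip, sender)}")
```

The `none` result for `vishna.your_domain` shows that a record on the domain alone does not cover its host names; for the CNAME name, the policy applied is whatever the CNAME target publishes.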