
Re: [Asrg] misconception in SPF

2012-12-06 14:15:19
Here is the proof of concept: an email sent to John Levine claiming
to be from ygii-john(_at_)www(_dot_)johnlevine(_dot_)com!

Could you please, John, paste the Received-SPF checks of your mail server?


Connected to mail1.iecc.com.
Escape character is '^]'.
220 mail1.iecc.com mailfront ESMTP
EHLO www.johnlevine.com
250-mail1.iecc.com
250-SIZE 0
250-8BITMIME
250-ENHANCEDSTATUSCODES
250 PIPELINING
MAIL FROM: ygii-john(_at_)www(_dot_)johnlevine(_dot_)com
250 2.1.0 Sender accepted.
RCPT TO: johnl(_at_)taugh(_dot_)com
250 2.1.5 Recipient accepted.
DATA
354 End your message with a period on a line by itself.
From: ygii-john(_at_)www(_dot_)johnlevine(_dot_)com
To: johnl(_at_)taugh(_dot_)com
Subject: p o c

Hi John, just a proof of concept
.
250 2.6.0 Accepted message qp 34000 bytes 540
quit
221 2.0.0 Good bye.
Connection closed by foreign host.



2012/12/6 Christian Grunfeld <christian(_dot_)grunfeld(_at_)gmail(_dot_)com>:
Hi,

Something I found about SPF. I don't know if it is new to you, but it
is worth explaining!

As in all the SPF tutorials, one stays relaxed when listing the hosts/IPs
that are authorized to send for the domain and then finally closes
with -all. This is true only for that domain, but if there are hosts or
subdomains with A records, they must enforce SPF policies! (This is
not explicit in the RFC, or at least confusing.)

A single host or subdomain that doesn't do it can lead to a sender spoofing
attack, posing as someone from our domain without SPF detecting it.

This is because when we receive mail from foo@bar.mydomain, the SPF
protocol seeks the TXT records corresponding to bar.mydomain instead of
the TXT record for mydomain. If there is an A record for bar.mydomain but
no TXT "v=spf1 -all" for it, SPF returns "none" although SPF exists
for mydomain!

Thus an attacker can inject an email from anywhere claiming that it is
from someone@bar.mydomain!

As the default policy of SPF should not be "fail if not present", the
solution is to enforce it with TXT records "v=spf1 -all" for each A
record that should not send emails!
This can also be done by means of wildcards, but it is discouraged in the RFC.

Cheers
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
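The lookup behaviour the thread describes, worked through in code. This is an added example, not code from either poster: a minimal check_host() over a constructed in-memory zone for the hypothetical domain mydomain.example, where "www" has an A record but no SPF record. As RFC 7208 (section 4.5) specifies, the TXT query goes to the MAIL FROM domain exactly as given, with no fallback to a parent, so the subdomain evaluates to "none" while the apex has "-all". The audit helper lists every name with an A or MX record but no SPF record, and harden() publishes "v=spf1 -all" for each of them, which is the fix proposed in the message. Only the a, mx, ip4 and all mechanisms are implemented; the zone contents and IP addresses are constructed.

```python
import re

# Constructed zone (hypothetical domain). "www" has an A record but no SPF TXT:
# exactly the gap described in the thread.
ZONE = {
    "mydomain.example": {
        "A": ["192.0.2.10"],
        "MX": ["mail.mydomain.example"],
        "TXT": ["v=spf1 mx -all"],
    },
    "mail.mydomain.example": {"A": ["192.0.2.25"], "TXT": ["v=spf1 a -all"]},
    "www.mydomain.example": {"A": ["192.0.2.80"]},
}

SPF_RE = re.compile(r"^v=spf1(\s|$)", re.IGNORECASE)
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_records(domain, zone):
    """TXT records of `domain` that start with 'v=spf1'. The query is made for the
    name exactly as given; no parent domain is consulted (RFC 7208, section 4.5)."""
    return [t for t in zone.get(domain, {}).get("TXT", []) if SPF_RE.match(t)]


def check_host(ip, sender, zone):
    """Toy check_host(): evaluates a, mx, ip4 and all. Returns one of
    'none', 'pass', 'fail', 'softfail', 'neutral', 'permerror'."""
    domain = sender.rsplit("@", 1)[-1].lower()
    records = spf_records(domain, zone)
    if not records:
        return "none"           # no SPF record at this name -> receiver learns nothing
    if len(records) > 1:
        return "permerror"      # more than one SPF record is a permanent error
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = ip in zone.get(arg or domain, {}).get("A", [])
        elif mech == "mx":
            matched = any(ip in zone.get(mx, {}).get("A", [])
                          for mx in zone.get(arg or domain, {}).get("MX", []))
        elif mech == "ip4":
            matched = ip == arg  # single address only; no CIDR in this toy
        else:
            raise ValueError(f"unsupported mechanism: {mech}")
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"            # no mechanism matched: RFC 7208 default


def hosts_missing_spf(zone):
    """Audit: names that have an A or MX record but publish no SPF record."""
    return sorted(name for name, rr in zone.items()
                  if ("A" in rr or "MX" in rr) and not spf_records(name, zone))


def harden(zone):
    """Copy of the zone with 'v=spf1 -all' published for every name the audit flags."""
    fixed = {name: {k: list(v) for k, v in rr.items()} for name, rr in zone.items()}
    for name in hosts_missing_spf(zone):
        fixed[name].setdefault("TXT", []).append("v=spf1 -all")
    return fixed


if __name__ == "__main__":
    outside_ip = "203.0.113.5"  # constructed: not one of the domain's hosts
    print(check_host(outside_ip, "someone@mydomain.example", ZONE))      # fail
    print(check_host(outside_ip, "someone@www.mydomain.example", ZONE))  # none
    print(hosts_missing_spf(ZONE))                                       # ['www.mydomain.example']
    print(check_host(outside_ip, "someone@www.mydomain.example", harden(ZONE)))  # fail
```

Running the audit against a real zone file export and publishing "v=spf1 -all" on every flagged name is the operational form of the advice in the message; the wildcard shortcut the RFC discourages is not used here, each name gets its own record.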
