On 06/12/2012 21:21, John Levine wrote:
> In article
> <CAFduganiaDkf0jFsV7FYcAvi9JjA9G-iTj8XLVzcDNY=jo_m=w@mail.gmail.com>
> you write:
>> here is the proof of concept ! an email sent to John Levine claiming
>> to be from ygii-john@www.johnlevine.com !!!
>
> Life is too short to publish SPF -all records for every host name that
> doesn't send mail.
While I agree totally, I understand the OP's point about semi-tech-savvy
people being more trusting of Twitter mail coming from
'bibble.twitter.com' than if it came from 'random.ru'
This problem is really due to the (IMHO horrible) allowance for an A
record to be sufficient for mail delivery. However, it would be quite
hard to remove that allowance nowadays. I don't know the stats for how
many email addresses use A records for delivery rather than MX, but I'd
guess it's a significant number.
As a random thought, would there be the possibility to add some sort of
marker on a parent domain to say 'we understand MX records, so we don't
use A records for mail within this domain'? So, if you receive mail from
'bibble.twitter.com', you check the TXT records for 'twitter.com' which
tell you that subdomains/hosts without an MX record won't have mail, and
since there isn't an MX record for 'bibble.twitter.com', you can reject
it/treat it as spoofed.
The main problem I see with this is the increased DNS lookups - if you
got a message from aa.bb.cc.dd.ee.ff.twitter.com (an excessive case),
you'd have to do 6 or 7 extra DNS lookups before doing anything else,
because you can't automatically tell where the 'parent' domain is. For
small hosts this probably wouldn't be that big a problem. For big ones
it may be, but then again, would any benefit this gave in reduced
traffic outweigh the extra load, and would the DNS caches on the big
hosts alleviate the problem?
(There'd also be a risk that a parent domain owned elsewhere (e.g. .com)
would block A record mail for all its legacy subdomains, but you'd hope
that wouldn't happen...)
Personally, I think I'd rather any effort went into some sort of
'stronger' authentication being developed for prime phishing attack
targets like Twitter, Facebook, banks etc., e.g. a verification scheme
which can verify specific messages, or a message collection system
(rather than delivery) which can be automated by the recipient software,
or something.
-
Paul Smith Computer Services
Tel: 01484 855800
Vat No: GB 685 6987 53
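The receiver-side procedure sketched above (walk up the parent domains looking for a "we only use MX" marker, then check whether the sending host has an MX record), as an added example that is not from the thread. The marker token `v=mxonly1`, the zone data and the verdict names are constructed assumptions; the returned count shows how many extra TXT lookups a deeply nested host name costs.

```python
"""Toy receiver-side check for the 'parent domain says we only use MX' idea."""
from typing import Dict, List, Tuple

MARKER = "v=mxonly1"  # hypothetical marker token; no such standard exists

# Constructed zone data standing in for live DNS: name -> {rrtype: [values]}.
FAKE_DNS: Dict[str, Dict[str, List[str]]] = {
    "twitter.com": {"TXT": [MARKER], "MX": ["mx.twitter.com"]},
    "mail.twitter.com": {"MX": ["mx.twitter.com"]},
    "bibble.twitter.com": {"A": ["192.0.2.10"]},  # host exists, but has no MX
    "example.org": {"A": ["192.0.2.20"]},  # legacy zone, publishes no marker
    "www.example.org": {"A": ["192.0.2.21"]},
}


def query(name: str, rrtype: str) -> List[str]:
    """Stand-in for a DNS query, answered from the constructed zone data."""
    return FAKE_DNS.get(name, {}).get(rrtype, [])


def ancestors(host: str) -> List[str]:
    """All parent names of host, nearest first, down to the TLD.

    The receiver cannot know where the organisational parent is, so it has to
    try every level: this is the lookup-cost concern raised in the mail.
    """
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels))]


def check_sender_host(host: str) -> Tuple[str, int]:
    """Return (verdict, extra_txt_lookups) for mail claiming to come from host.

    Verdicts:
      'mx'         - host has an MX record; normal delivery rules apply
      'reject'     - a parent publishes the marker and host has no MX: spoofed
      'a-fallback' - no parent publishes the marker; legacy A-record rule applies
    """
    txt_lookups = 0
    marked = False
    for parent in ancestors(host):
        txt_lookups += 1
        if MARKER in query(parent, "TXT"):
            marked = True
            break  # nearest marked parent decides; stop walking further up
    if query(host, "MX"):
        return "mx", txt_lookups
    if marked:
        return "reject", txt_lookups
    return "a-fallback", txt_lookups
```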
_______________________________________________
Asrg mailing list
Asrg@irtf.org
http://www.irtf.org/mailman/listinfo/asrg