ietf-mxcomp

Re: How would SPF or Sender Id caught this one?

2004-07-31 09:30:07

I opined:


"Bill McInnis"  reported:


I sent this to the ASRG list as well so I apologize if you got it twice.

Last weekend a phishing attack took place against US Bank.  The phisher
spoofed and connected with the appropriate IP for US Bank,
170.135.72.63.  How would SPF or Sender ID have managed to catch that
attack?

Thanks,

Bill McInnis
MessageLevel.com


I believe that sending a single spoofed packet (containing all the data the
MUA needs to send to complete the SMTP dialog) is relatively easy, but
conducting an extended TCP session from a spoofed host address requires the
hacking of in-network routing (which would imply a seriously-escalated threat).

Was the MTA which received the message designed to _ensure_ that a valid TCP
session was in place?

A good test of session validity is to ensure that response packets are getting
back to the source.  When using SMTP I believe a common technique used is for
the receiving MTA to flush the input buffer before sending each SMTP response,
so that the protocol is used to impose 'flow control', which _requires_ there
to be a valid, multi-packet TCP session.

I would be very cautious about suggesting that SPF is ineffective unless I had
established that the MTA involved was not vulnerable to this basic kind of
deception at the transport level.

Chris Haynes



Having thought about this for a few hours, I withdraw the implied recommendation
above to use buffer-flushing to counter this form of IP spoofing.  I've worked
out how, presented with an MTA using this tactic, I could still spoof the IP -
were I so inclined.

My current thoughts are that a relatively simple change to SMTP is needed to
provide the desired TCP session integrity - but that breaks the nice aspect of
SPF-Classic that no changes to SMTP are needed.

If, however, the MARID proposals proceed, I understand that the SMTP protocol
will have to be enhanced (to support SUBMITTER), so the change I have in mind
could be added at the same time.

Stop-press: Meng has just (Sat, 31 Jul 2004 11:51:46 -0400) posted the same
solution as I was about to propose: a pseudo-random ECHO.


Chris Haynes
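The pseudo-random ECHO idea mentioned at the end of the message, sketched as an added illustration (this is not code from the thread, and the `ECHO` verb, the `250 ECHO <token>` reply and the class and function names are assumptions for the example, not the wording of any MARID or SUBMITTER text). The point it shows: a blind spoofer can inject packets with a forged source address, but the MTA's replies go to the forged address, so a step that requires the sender to repeat an unpredictable token taken from a reply cannot be completed without a genuine two-way path. The honest client reads the token from the reply; the blind sender must guess it and is refused.

```python
"""Pseudo-random ECHO step in an SMTP-style dialog (constructed illustration).

Both sides are modelled in-process with no sockets: the server is a small
state machine, each client is a generator that yields command lines and
receives the server's reply (or None when, as for a blind spoofer, replies
never reach the sender).
"""
import secrets


class EchoMtaServer:
    """Receiving MTA that demands an ECHO of a random token after MAIL FROM."""

    def __init__(self):
        self.nonce = None       # token the client must echo back
        self.verified = False   # set once the correct token was echoed
        self.in_data = False    # inside the message body after DATA
        self.accepted = False   # message accepted for delivery
        self.aborted = False    # session refused; nothing further is accepted

    def respond(self, line: str) -> str:
        if self.aborted:
            return "503 session aborted"
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.accepted = True
                return "250 queued"
            return ""                         # body lines draw no reply in SMTP
        verb = line.split(" ", 1)[0].upper().rstrip(":")
        if verb in ("HELO", "EHLO"):
            return "250 mta.example"
        if verb == "MAIL":
            # Fresh unpredictable token per session (assumed reply format).
            self.nonce = secrets.token_hex(8)
            return f"250 ECHO {self.nonce}"
        if verb == "ECHO":
            token = line.split(" ", 1)[1].strip() if " " in line else ""
            if self.nonce is not None and secrets.compare_digest(token, self.nonce):
                self.verified = True
                return "250 echo verified"
            self.aborted = True
            return "550 echo mismatch; transport path not verified"
        if verb in ("RCPT", "DATA"):
            if not self.verified:
                self.aborted = True
                return "503 ECHO required before RCPT/DATA"
            if verb == "DATA":
                self.in_data = True
                return "354 end data with <CRLF>.<CRLF>"
            return "250 OK"
        if verb == "QUIT":
            return "221 bye"
        return "500 unrecognised"


def honest_client():
    """Client on a real TCP session: it sees replies and echoes the token."""
    yield "EHLO client.example"
    reply = yield "MAIL FROM:<alice@example.org>"
    token = reply.split()[-1]                 # read the token from the reply
    yield f"ECHO {token}"
    yield "RCPT TO:<bob@example.net>"
    yield "DATA"
    yield "Subject: hello"
    yield ""
    yield "."
    yield "QUIT"


def blind_spoofer():
    """Sender with a forged source address: fires a precomputed packet train
    and never receives a reply, so it can only guess the 64-bit token."""
    for line in ["EHLO evil.example", "MAIL FROM:<alice@example.org>",
                 "ECHO " + secrets.token_hex(8), "RCPT TO:<bob@example.net>",
                 "DATA", "Subject: phish", "", ".", "QUIT"]:
        yield line


def run_session(client_factory, replies_visible=True):
    """Drive one dialog; returns (accepted, transcript of (command, reply))."""
    server = EchoMtaServer()
    client = client_factory()
    transcript = []
    try:
        cmd = next(client)
        while True:
            reply = server.respond(cmd)
            transcript.append((cmd, reply))
            cmd = client.send(reply if replies_visible else None)
    except StopIteration:
        pass
    return server.accepted, transcript


if __name__ == "__main__":
    ok, _ = run_session(honest_client)
    bad, log = run_session(blind_spoofer, replies_visible=False)
    print("honest client accepted:", ok)
    print("blind spoofer accepted:", bad)
    for cmd, reply in log:
        print(f"C: {cmd!r:40} S: {reply}")
```

The token is tied to the session, not to the sender address, so it adds nothing an attacker controlling in-network routing could not obtain; as the message says, that is a different and more serious threat. Note also that the echo happens inside the SMTP dialog, which is why it needs the protocol change the message refers to rather than working with SPF-Classic's no-change-to-SMTP property.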