ietf-mxcomp

Re: How would SPF or Sender Id caught this one?

2004-07-31 10:12:22


On Sat, 31 Jul 2004, Meng Weng Wong wrote:

On Sat, Jul 31, 2004 at 11:33:46AM -0400, Larry Seltzer wrote:
| This page (http://www.messagelevel.com/spoofing.cfm#spoofex) appears to
| have details on this particular phishing example, although nothing so
| straightforward as an actual message with headers. 

A message with headers would be most informative, plus a
description of what OS and TCP software the receiving server
was running.

http://lcamtuf.coredump.cx/newtcp/

If TCP sequence number spoofing remains a viable attack, we
can construct an ESMTP ECHO field of the following form:

Spoofing TCP is quite difficult as TCP relies on acknowledgements from both
sides on each transmission. It takes very very very careful planning to
do it right and get all the data properly timed.

On the other hand spoofing UDP is easy (it's generally one-way communication
with no real establishment of sessions, etc) so if somebody really wanted
to get by with the appearance of an existing SPF record they could do it by
spoofing DNS TXT at the time of connection.

BTW - I strongly suspect the real USBANK IP address given came from a forged
Received header but that the actual connection that delivered that phishing
email really came from another IP.

-- 
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
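The last point above, that a forged Received header can name the bank's network while the real connection came from elsewhere, is why SPF is evaluated against the connecting IP and not against anything the sender wrote. The following is an added example, not code from the thread or from any SPF implementation: it walks a message's Received headers top-down and believes only the hops stamped by the receiver's own MTA (hypothetical host mx.example.net), so the forged lower hop is reported as a claim, not as the origin. The sample message, hostnames and addresses are constructed.

```python
import re
from email import message_from_string

# Constructed sample. Hop 1 was stamped by our own edge MTA and records the
# socket peer; hop 2 was written by the sender and claims a bank-internal host.
SAMPLE = """\
Received: from mail.usbank.example (unknown [203.0.113.45])
        by mx.example.net (Postfix) with ESMTP id 4F0C1A2B
        for <victim@example.net>; Sat, 31 Jul 2004 10:05:12 -0400
Received: from internal.usbank.example (internal.usbank.example [192.0.2.10])
        by mail.usbank.example with ESMTP; Sat, 31 Jul 2004 10:04:58 -0400
From: "US Bank" <security@usbank.example>
To: victim@example.net
Subject: Verify your account

Please verify your account.
"""

# One Received: hop in the common "from helo (rdns [ip]) by mta" shape.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)

def parse_hops(raw):
    """Received: hops in header order, i.e. newest (our own MTA) first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(" ".join(value.split()))  # collapse folding whitespace
        hops.append(m.groupdict() if m else {"by": None, "ip": None})
    return hops

def connecting_ip(raw, trusted_mtas):
    """IP that handed the message to our trusted boundary: the value SPF is
    checked against. Walk top-down while the stamping MTA is one we operate;
    the first hop stamped by anyone else, and everything below it, is
    sender-supplied text. Note a forger can also write our MTA's name into a
    lower header, so keep trusted_mtas to the hosts that really sit in the
    path; checking at SMTP time from the socket avoids the issue entirely."""
    boundary = None
    for hop in parse_hops(raw):
        if hop["by"] is None or hop["by"].lower() not in trusted_mtas:
            break
        boundary = hop["ip"]
    return boundary

def claimed_ips(raw):
    """Every IP any Received header mentions, trusted or not, for comparison."""
    return [h["ip"] for h in parse_hops(raw) if h["ip"]]
```

Run against the sample, `connecting_ip` yields the real peer 203.0.113.45 while `claimed_ips` also lists the forged 192.0.2.10, which is the header a naive reader would quote as "the bank's IP".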