ietf-mxcomp

Re: How would SPF or Sender Id caught this one?

2004-07-31 11:42:10

On Sat, 31 Jul 2004, Meng Weng Wong wrote:

On Sat, Jul 31, 2004 at 11:33:46AM -0400, Larry Seltzer wrote:
| This page (http://www.messagelevel.com/spoofing.cfm#spoofex) appears to
| have details on this particular phishing example, although nothing so
| straightforward as an actual message with headers.

A message with headers would be most informative, plus a
description of what OS and TCP software the receiving server
was running.

http://lcamtuf.coredump.cx/newtcp/

If TCP sequence number spoofing remains a viable attack, we
can construct an ESMTP ECHO field of the following form:

Spoofing TCP is quite difficult as TCP relies on acknowledgements from both
sides on each transmission. It takes very very very careful planning to
do it right and get all the data properly timed.

On the other hand spoofing UDP is easy (it's generally one-way
communication with no real establishment of sessions, etc) so if somebody
really wanted to get by with appearance of existing SPF record they could
do it by spoofing DNS TXT at the time of connection.

BTW - I strongly suspect the real USBANK ip address given came from forged
Received header but that the actual connection that delivered that
phishing email really came from another ip.

It could have spoofed as an internal bounce, as it did have a null return
path.  This may be reason to reconsider protections for the return path.
It is also a reason to doubt SMTP is secure enough to offer assurances
beyond the immediate machine.


With respect to DNS, there is a 16 bit identifier, but this is weak.
This can be enhanced to 32 bits, if the source port for a DNS query is
also random, rather than from Port 53 or a sequential selection.


With respect to SMTP innovations to offer improved protections, SCTP
prevents much of the possible attacks, with the use of a state cookie, and
reduced typical connection overhead.  It also protects against DoS
attacks.  There are stacks to readily adapt TCP to SCTP.  This stack was
offered to a well-known desktop OS company, to stimulate acceptance of
this transport.
 ; )

-Doug
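The DNS point in the message above (a 16 bit transaction ID is weak; a random source port instead of port 53 or a sequential port adds roughly another 16 bits) is easiest to see with numbers. The following is an added example, not code from the thread or any of its participants: it estimates a blind forger's success chance for a given amount of unpredictability, and classifies a sample of outbound query source ports as fixed, sequential or randomized so a resolver operator can check which case they are in. The port samples are constructed for illustration; the 1024-65535 ephemeral range and the 90% distinctness threshold are assumptions.

```python
"""Why resolver source-port randomization matters, in numbers.

Added example (not from the ietf-mxcomp thread). Sample port lists below are
constructed, not taken from a real resolver log.
"""
import math
from collections import Counter

# Assumed ephemeral port range a resolver draws random source ports from.
EPHEMERAL_RANGE = (1024, 65535)


def blind_spoof_success(entropy_bits: int, forged_replies: int) -> float:
    """Probability that at least one of `forged_replies` forged answers matches
    one outstanding query whose ID/port combination carries `entropy_bits`
    bits of unpredictability. Each forged reply is an independent 1/2**bits
    guess, so the usual 1 - (1 - p)**n formula applies."""
    space = 2 ** entropy_bits
    return 1.0 - (1.0 - 1.0 / space) ** forged_replies


def classify_ports(ports) -> str:
    """Classify a sample of UDP source ports used for outbound DNS queries.

    'fixed'       every query left from the same port (e.g. always 53)
    'sequential'  ports advance by a constant step, so the next is guessable
    'randomized'  nearly every sample is distinct (assumed >= 90% threshold)
    'low-diversity' otherwise: more than one port, but heavy reuse
    """
    ports = list(ports)
    if len(ports) < 2:
        return "insufficient-sample"
    distinct = len(set(ports))
    if distinct == 1:
        return "fixed"
    steps = {b - a for a, b in zip(ports, ports[1:])}
    if len(steps) == 1 and next(iter(steps)) > 0:
        return "sequential"
    if distinct >= 0.9 * len(ports):
        return "randomized"
    return "low-diversity"


def effective_entropy_bits(ports, txid_bits: int = 16,
                           port_range=EPHEMERAL_RANGE) -> float:
    """Bits a forger must guess: the transaction ID alone when the port is
    fixed or predictable, ID plus log2(port range) when it is randomized."""
    if classify_ports(ports) == "randomized":
        lo, hi = port_range
        return txid_bits + math.log2(hi - lo + 1)
    return float(txid_bits)


def most_common_port(ports):
    """Convenience for a report line: (port, count) of the most reused port."""
    return Counter(ports).most_common(1)[0]


# Constructed samples: what each resolver behaviour looks like on the wire.
FIXED_53 = [53] * 8
SEQUENTIAL = list(range(32768, 32776))
RANDOMIZED = [41523, 1290, 60011, 7822, 53331, 18004, 44910, 29761]


def report(name, ports, forged_replies=65536) -> str:
    bits = effective_entropy_bits(ports)
    p = blind_spoof_success(int(round(bits)), forged_replies)
    return (f"{name:10s} ports={classify_ports(ports):12s} "
            f"entropy={bits:5.1f} bits  "
            f"P(hit | {forged_replies} forged replies)={p:.2e}")


if __name__ == "__main__":
    for name, sample in (("port-53", FIXED_53),
                         ("sequential", SEQUENTIAL),
                         ("random", RANDOMIZED)):
        print(report(name, sample))
```

The contrast the report prints is the one the message makes: with a fixed or sequential port, a burst of 65536 forged replies against a 16 bit ID succeeds with probability about 0.63; with a random port in the ephemeral range, the same burst succeeds with probability about 1.5e-5, because the forger now faces close to 32 bits.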