
Re: SPF abused by spammers

2004-09-11 15:41:31

On Sat, 11 Sep 2004, Alan DeKok wrote:


"Douglas Otis" <dotis(_at_)mail-abuse(_dot_)org> wrote:
A DNS check that obtains a list of addresses for a mailbox-domain, MUST
assume channel integrity when holding the apparent originator of the
message accountable.

  What channel?  The only parties involved are:

  a) SMTP client
  b) SMTP server
  c) DNS server being queried

I think he is referring to the channel referenced by information theory
(guessing by the previous reference to Lampson's covert channel paper).
This could refer to the complete path through the communication system, or
it could refer to a single hop in a multihop system.

Further, you've oversimplified the parties involved:

        The end user,
        optionally a third party relay [one or more]
                (because connection and mail services may be unbundled)
        The mailbox provider (where responses will go)
        The mailbox provider nameservers
        The recipient mail server [one or more]
        The recipient nameservers
        The chain of nameservers between the recipient, root, and mailbox provider.

At any point spoofing could occur.

Going back to my spam examination, where you are examining a spam message:
Suppose the IP address in the received from header no longer matches the
SPF records:  In this case you don't know if your SPF check passed because
DNS records were spoofed, or if the real DNS records were changed.  All 
you know is that you got a spam from a certain IP address.  You don't know 
whether it was forged or not.

Suppose the IP address in the received header does match the SPF records. 
You don't know if the abuser signed up for an account with that domain, or 
if they got an infected machine under that domain.  You don't know whether 
the nameserver was cracked, and incorrect records added. Most people can't 
tell the difference between a poisoned DNS cache and whether the records 
really come from an authoritative nameserver or even figure out where they 
got the DNS record from.   So, similarly, all you really know is that you 
got a spam from a certain IP address.

In both cases, all that can be done is report the incident to the operator 
of the domain and the operator of the IP address.  And that's all that can 
be done now. THERE IS NO CHANGE.

SPF doesn't prevent email forgery, nor even indicate whether forgery
happened.

  The DNS server may return one, or a billion IP's "permitted" to send
MAIL FROM with its name.  Any particular message may have traversed
zero, or a billion intermediate SMTP hops before arriving at the
current SMTP client, and being sent to the SMTP server.

  I fail to see how any party other than the three listed above could
possibly be involved in "MAIL FROM" DNS checks.  There is no "channel"
beyond the current hop, which can be verified to exist.

The current hop cannot be "verified to exist" beyond the TCP sequence 
numbers. There is no way to tell that the mail isn't forged.  Even if 
email comes from a certain server, there is still no way to tell that the 
mail isn't forged.  <user>@aol.com coming from an AOL mailserver doesn't 
mean that it really came from <user>.  Spammers can get accounts at AOL. 
Spammers can steal accounts at AOL by a number of vectors such as viruses.

And what's more, from outside of AOL we can't be sure that AOL isn't
pink-contracting with spammers.

The notion of "spam-herding" is just so much wishful thinking.
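To make concrete what an SPF check actually consumes and returns, here is a toy evaluator. It is an added example, not code from this thread, from Alan DeKok or Douglas Otis, or from any real SPF implementation. It handles only the ip4/ip6/all mechanisms and the +/-/~/? qualifiers, and it reads from a constructed in-memory table standing in for DNS TXT lookups (the domains, addresses and records in FAKE_DNS are made up). Its only inputs are the connecting IP and the published policy, which is the point made above: a "pass" from a listed address looks identical whether the sender is the real user, someone who bought or stole an account, or a compromised host inside that range.

```python
"""Toy SPF evaluator: ip4/ip6/all mechanisms only, offline, for illustration."""
import ipaddress

# Constructed zone data standing in for DNS TXT records (hypothetical domains).
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
}

# Qualifier prefix on a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for a DNS TXT lookup of the domain's SPF record."""
    return FAKE_DNS.get(domain.lower())


def check_spf(ip, domain, dns=lookup_spf):
    """Return the SPF result string for a connecting IP and a MAIL FROM domain.

    Results: pass, fail, softfail, neutral, none (no record), permerror.
    Only ip4, ip6 and all are implemented; any other mechanism is a permerror
    in this toy (a real evaluator would resolve a, mx, include, exists, ptr).
    """
    record = dns(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # unsupported mechanism in this toy
    return "neutral"  # record ended without an "all" term


def indistinguishable_senders():
    """Three constructed senders claiming user@example.com.

    The first two come from an address the domain lists, the third does not.
    The evaluator cannot separate the legitimate user from the account thief,
    because the IP and the record are all it ever sees.
    """
    senders = {
        "legitimate user on listed host": "192.0.2.5",
        "stolen account on the same listed host": "192.0.2.5",
        "forger on an unlisted host": "203.0.113.9",
    }
    return {label: check_spf(ip, "example.com") for label, ip in senders.items()}


if __name__ == "__main__":
    for label, result in indistinguishable_senders().items():
        print(f"{label:45} -> {result}")
```

Run it directly and the first two lines both print "pass" with nothing to tell them apart; the third prints "fail". Note that a fail also tells you only that the address is not on the list, not whether the list itself (or your view of it) was tampered with.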


