ietf-mxcomp

Re: SPF abused by spammers

2004-09-17 16:33:35

On Fri, 2004-09-17 at 14:37, Chris Haynes wrote:
 "Alan DeKok" replied:

"Chris Haynes" <chris(_at_)harvington(_dot_)org(_dot_)uk> wrote:
My understanding is that SPF records declare the policy of the
_sender_.  If the sender trusts the shared MTA to verify all
originators and to prevent cross-customer spoofing, then the sender
can use something like '+mx -all' and the receiver should respect
the sender's trust in the shared MTA s/he uses.

  In that case, the recipient has checked with the originator, and has
information by which to decide whether or not to trust the shared MTA.

Yes - that's the way SPF works as it uses Mail-From.

  And yes, "originator trusts the shared MTA" still may mean that "the
message may be spoofed".  This indicates a weakness in any MAIL FROM
authentication when shared MTAs are used.

When I say "originator trusts the shared MTA" I mean "trusts the shared MTA to
have authenticated and identified the sender of each message (using SMTP AUTH
or equivalent), and to have applied whatever logic is needed to prevent
spoofing, i.e. to ensure, for every message, that the sender is authorized to
use the 'Mail-From' of that message".

If the originator's trust in the MTA's ability to prevent spoofing is
well-founded, then the message cannot be spoofed, and Mail-From can be
trusted (barring IP address spoofing, DNS penetration, physical penetration
of the MTA etc. etc. - which are factors to be listed in the "Security
Considerations").

I can't understand the basis of your concern about a "weakness in any MAIL
FROM...".

When the SPF list is not terminated with "-all" but rather "?all" to
ensure forwarded mail receives a "Neutral" assessment and is not lost,
then even a shared MTA checking incoming mail for compliance with SPF
records allows a different domain with access to have their spoofing
message promoted to a "Pass" assessment.  In this case, the MTA provider
is in full compliance with the SPF specification, but "Pass" level
spoofing only requires a simple assertion of the mailbox domain.

An "open" list allows mail to continue normal functionality.  Until
public versions of digitally signed mail, such as IIM, DomainKeys, or
BATV are available, there is nothing to fill the gap to assure the
sender their mail will not be rejected based upon policies that describe
their nominal outbound mail but then make no other allowance.  Many
providers will not want their customers' mail rejected and cause a
disruption in service.  Their customer support efforts will be large and
likely met with attrition.  Forcing use of a mailbox domain is also
counter to consumer protection as this needlessly ties them to a
provider.

Beyond digital signatures, there is nothing to avoid this "closed" list
problem.  The marid-mpr mechanism, instead of Sender-ID, stops inviting
From spoofing as a means of obtaining a false reputation.  The use of
BATV also stops inviting the spoofing of MAIL FROM as a means to avoid
access blocking.

The weakness in using either MAIL FROM or the PRA for establishing an
identity used in a reputation system is caused through the ease of
spoofing this identity.  In addition, this identity fails to locate the
problem as a means to curtail abuse from either the sender's or
receiver's perspective.  By using the stronger MTA name for performing
reputation services, a compromised or poorly administered MTA is located
and blocked.  This imposes a responsibility on the providers to monitor
their outbound SMTP logs and respond to abuse@ complaints.

-Doug
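The shared-MTA case argued over in this thread, as an added example that is not part of any message above: a minimal SPF evaluator (only the `mx`, `ip4` and `all` mechanisms with `+`/`-`/`~`/`?` qualifiers) run against a constructed in-memory DNS table, where two customer domains share one MTA and differ only in `?all` versus `-all`. The domain names, IP addresses and records are assumptions made up for the illustration.

```python
# Added example for the ietf-mxcomp discussion, not code from the thread.
# Toy SPF check_host(): supports ip4, mx and all; uses a constructed DNS
# table instead of real lookups so it runs offline.
import ipaddress

# Constructed DNS data: both customer domains publish MX at one shared MTA.
DNS = {
    "alpha.example": {"MX": ["mail.shared-isp.example"], "TXT": "v=spf1 mx ?all"},
    "beta.example":  {"MX": ["mail.shared-isp.example"], "TXT": "v=spf1 mx -all"},
    "mail.shared-isp.example": {"A": ["192.0.2.25"]},
}
QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}

def check_host(ip, domain, dns=DNS):
    """Evaluate the SPF record of MAIL FROM `domain` for connecting IP `ip`."""
    record = dns.get(domain, {}).get("TXT")
    if record is None or not record.startswith("v=spf1"):
        return "None"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "mx":
            hosts = dns.get(arg or domain, {}).get("MX", [])
            matched = any(str(addr) in dns.get(h, {}).get("A", []) for h in hosts)
        else:
            return "PermError"               # mechanism not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "Neutral"                         # record exhausted without "all"

def scenarios():
    """Outcomes for the cases the thread discusses (constructed IPs)."""
    return {
        # Any customer of the shared MTA can assert alpha.example and get Pass.
        "other customer on shared MTA asserting alpha.example": check_host("192.0.2.25", "alpha.example"),
        # A forwarder relaying alpha.example's mail is Neutral under "?all".
        "forwarder relaying alpha.example (?all)": check_host("198.51.100.7", "alpha.example"),
        # The same forwarder relaying beta.example's mail Fails under "-all".
        "forwarder relaying beta.example (-all)": check_host("198.51.100.7", "beta.example"),
    }

if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{result:8} {case}")
```

The "Pass" line is the point Doug makes: the MTA provider is fully SPF-compliant, yet the record cannot tell two customers of the same MTA apart, so only the MTA's own authentication and reputation can.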