On Tue, 2004-09-21 at 19:45, Matthew Elvey wrote:
Doug, still hoping to hear back from you - on 9/14, I asked:
Doug, did you get my email - of a possible broad, strong example
showing [SenderID] falling down.
In general, shared MTA environments and open lists are the basic
ingredients for having a reputation damaged by SPF/PRA schemes which
only bolster the mailbox domain which would be the likely selected
identity for reputation assessment. This would be a bad situation.
and
If foo.dom's SPF/SenderID record lists just MX, and doesn't send spam,
how/why would a reputation service blacklist foo.dom?
e.g .
foo.dom. IN TXT "v=spf1 mx -all"
In a simple environment exchanging messages end-to-end, the risks would
be low. There are risks accepting these types of records when a process
walks through redirects, includes and arbitrary labels for several
record types. This invites a birthday attack where foo.dom can be
planted as a poison record in the cache. The many possible records that
may be involved in the potential SPF matrix offers a risk where the
minimum accepted is 10 scripts and the record count could be in the
hundreds.
On 9/21/2004 11:57 AM, Douglas Otis sent forth electrons to convey:
The great thing about rehabilitating the EHLO name, is that this name is
provided early in every SMTP session. The EHLO name is captured within
the message headers to allow tracing. There is no need for submitter or
to invent new mail headers to discern where the message is originating
with the use of CSV applying the post-mark so to speak.
Well put.
On Mon, 2004-09-20 at 18:50, Matthew Elvey wrote:
On 9/20/2004 5:21 PM, Douglas Otis sent forth electrons to convey:
On Mon, 2004-09-20 at 16:33, Matthew Elvey wrote:
Here's the idea in a nutshell: CSV makes use of extant SPF records
which already list tens of thousands of domains that are authorized
for use in HELO.
Who supports/opposes this change?
Ney.
This is a repeat of an older debate.
No, I'm making a different suggestion. Please read the whole post!
I'm eliminating some or all of the records that you mention having a
problem with below.
I should have stated one thing clearly: only +type components of
records would be relevant; ~type and ?type would be ignored.
As I said, this will allow the use of other record types to spoof the
EHLO name.
I claim this is impossible. Please provide an example of this (using a
record of the kind that my proposal proposes using).
The label used to select the SPF record is normally based upon the
mailbox domain to select a full set of outbound MTAs. The EHLO name can
be made to match any such mailbox domain provided one of the machines is
permitted in this SPF record set. This would be bad.
Again, the intent of the SPF record is to grant a broad set of MTAs,
within many different domains, authority to send messages on behalf of
the mailbox domain. The CSV record is limited to the single
administrative domain. Only the domain that is actually administering
the domain should be included, actually just the machine hosting the
MTA.
The SPF type of record will normally be across an entire
array of providers and not for a single host.
I don't see how this is possible using a record of the kind that my
proposal proposes using.
+include:comcast.net is not allowed, for example!
+ptr isn't allowed either (we don't want to allow the likes of
dialup-pool.234.234.comcast.net...)
One, you want to use existing SPF records that were not intended to
provide the narrow selection of machines administered by the MTA
operators. Two, there is no means to restrict this list after the fact.
One compromised system within this vast region can then utilize one
of these records to spoof the EHLO name then. If reputations are
based upon the MTA name and not the mailbox domain, then protecting
the MTA name would be much more important. It MUST not be possible
to mix these records out of this concern.
I don't believe my proposal does this.
<snippage>
Your approach was to prune the record set used just for the EHLO
domain. That pruning can not differentiate between machines within a
delegated domain or machines within the administered domain. This would
be bad.
The host name used within the EHLO domain will require a separate
record anyway, so why not use a record that achieves an answer
within a single lookup?
We should, as my post makes clear. But there are reported to be what,
~300,000 SPF records? Why not use them to the extent that I suggest?
These records are for a different purpose, and expose a different set of
machines. The EHLO record set must be kept narrow in order to serve the
purpose of establishing accountability. The broad and weak nature of
the identities obtained using SPF/Sender-ID are not useful for this
purpose. SPF/Sender-ID should be viewed as informative for but a few
exceptions.
Let's nail down what exceptions are appropriate then!
(Again, I'm NOT suggesting using the identities obtained using
SPF/SenderID!)
The exceptions would be with respect to those domains that feel it is
okay to close their lists. Small organizations, able to manage the
support issues and don't care when some mail goes missing or gets
rejected, may opt to endure these problems. There may be a trade-off
dealing with aggressive phishing attacks causing worse problems. If you
look at the marid-mpr draft, you will see I have a setting to assert
that the name list is the exclusive source of mail for the mailbox
domain. I described this mode being suitable for exigent situations,
but would not expect this to be the typically use.
Some refinements to my proposal based on stuff hashed out in private email:
99% of the time, an MX query will return the A records for all the
servers listed in the MX record as add'l records, all in one UDP packet.
Let's say that's a requirement for our purposes, where there's a +MX in
the SPF record.
"+a +mx -all" would
need 2 more DNS queries to resolve (unless a ALL query was done, which
is likely a bad idea). I think it's reasonable to accomodate a bit more
than 1 add'l DNS query.
For both network and security concerns, running a parser that walks
through these records is not reasonable. The CSV record can be obtained
in a single binary query, and the MPR list also can be obtain within a
single query. Neither of these operations require a parser to perform
this operation. My concern would be dedicating a thread to run the
parser will likely constrain the port used to do the queries. Having
this parser forced to lookup one arbitrary record after the next on any
number of DNS servers enables a fairly lazy attack to be successful.
I suppose this would be a way to get people to speed up deployment of
DNSSEC, but I would rather stay on the safe side of the use of DNS for
now. I see little about these TXT script records in DNS as being safe.
Let's not worry about the <<1% of records where the DNS servers are
known to return incomplete lists of Address records. Let's say that's
a requirement for our purposes that this not happen.
Once the IETF has expended their considerable efforts to endorse a
method that is well considered and robust, I doubt there will be any
trouble with the adoption of the standard. The problem of spam is that
great. Domains like AOL, as example, return incomplete lists. I doubt
you could say their lists are actually incomplete, they are simply open
to indicate mail from their customers my emerge from machines outside
their networks.
The fix in these cases would be make a 'proper' CSV record.
As I indicated, there are serious problem using scripts to spew a huge
list of addresses. This should change to being just a list of names
used to define the potential sources of mail. Leave the address list to
be within the natural scale of DNS records, the single host as provided
by the SRV record for example.
Also, a pass relying on such records would carry slightly less weight
than a pass based on a 'proper' CSV record. But let's keep the
definition tight enough that the weight be only slightly less.
I still insist the SPF record should never be allowed to validate the
EHLO domain. It is a different data set for a different purpose.
Again, the reason for my proposal is not to change or obsolete
CSV records, but to make CSV work in some reasonable cases where it
can work without them without being significantly detrimental.
Sorry, but I fail to see the point in using a TXT record and a parser to
obtain a list of addresses through a dangerous and expensive set of
lookups, when it can be done in one lookup safely. Also where it will
not accidentally allow other domains to spoof the EHLO identity. This
exclusion is needed to establish accountability.
-Doug