ietf-mxcomp

Re: A new SMTP "3821" [Re: FTC stuff...........]

2004-12-03 18:28:39

Dean Anderson <dean(_at_)av8(_dot_)com> wrote:
ISP customer Spammer posts mail to that ISP's relay with a forged return 
address. The recipients reject the message due to SPF. Now the relay sends 
a bounce to the "from: address". This message is from the Relay, which 
will be valid. So now instead of a few bounced messages, you get a 
bounce for every message blocked.

  Is this a *new* attack, or is it an old attack with changed cost?

  So far as I can see, this exact same attack can happen when a server
rejects messages from such a relay, independent of SPF.  Maybe there
are other methods of MAIL FROM validation which don't have this
"blow-back" property.  But I have a hard time seeing how any of them
solve the problem of relays which accept mail that they cannot
deliver, and that they cannot bounce to the correct entity.

It is not the case that SPF can be deployed merely with respect to the 
sender and recipient.  There was significant discussion on this point with 
Alan Dekok.

  It can be deployed any way anyone wants.  Whether there will be side
effects is another story.

  Yes, doing MAIL FROM validation will have side effects on relays and
others who use "MAIL FROM foo@example.com" without example.com
knowing.  But to be pedantic, that's the whole *point* of MAIL FROM
checking: to know who is using your domain name in MAIL FROM, and to
control their use of that name.

  If MAIL FROM validation doesn't allow the domain to control the use
of its name by an MTA, then MAIL FROM validation is not taking place.

  EHLO validation is orthogonal to MAIL FROM validation, for the
simple reason that they're separate fields, and there's no
requirement for the same domain name to appear in both.

  Alan DeKok.
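The exchange discussed above, as an added example that is not part of the thread and not code from either participant: a toy model of a spammer submitting to an ISP relay with a forged MAIL FROM, a recipient MX that rejects on SPF fail at SMTP time, and a relay that either accepts-then-bounces (the "blow-back" case) or refuses the forged MAIL FROM at submission. The SPF records, the IP addresses (documentation ranges) and all domain names are constructed assumptions; the SPF evaluation is a minimal stand-in, not a real SPF library. It also shows why EHLO is a separate identity from MAIL FROM: the check is keyed on the MAIL FROM domain, and the EHLO name is consulted only for the null reverse-path of the bounce itself.

```python
"""Toy model of the bounce "blow-back" scenario (constructed example).

Not a real SPF implementation. SPF_RECORDS is an assumed table mapping a
domain to the client IPs permitted to use it as MAIL FROM (or as EHLO when
the reverse-path is null, as a DSN's is).
"""
from dataclasses import dataclass, field

RELAY_IP = "198.51.100.5"     # ISP relay (assumption, documentation range)
SPAMMER_IP = "203.0.113.7"    # ISP customer submitting spam (assumption)

# Constructed SPF "records": domain -> IPs allowed to send with that identity.
SPF_RECORDS = {
    "example.com": {"192.0.2.10"},        # victim domain; relay is NOT listed
    "mail.isp.example": {RELAY_IP},       # the relay's own EHLO name
}


@dataclass
class Message:
    helo: str         # EHLO name of the SMTP client on this hop
    mail_from: str    # envelope sender; empty string = null reverse-path
    rcpt_to: str
    client_ip: str    # IP of the SMTP client delivering this hop


@dataclass
class Mailbox:
    delivered: list = field(default_factory=list)
    bounces: list = field(default_factory=list)


def spf_check(mail_from: str, helo: str, client_ip: str) -> str:
    """Return 'pass', 'fail' or 'none' for the identity SPF would check.

    The identity is the MAIL FROM domain; EHLO is a separate field and is only
    used when MAIL FROM is empty (the null reverse-path of a bounce).
    """
    domain = mail_from.rsplit("@", 1)[-1] if mail_from else helo
    permitted = SPF_RECORDS.get(domain)
    if permitted is None:
        return "none"
    return "pass" if client_ip in permitted else "fail"


def recipient_mx_accepts(msg: Message) -> bool:
    """Recipient MX rejects with 5xx at SMTP time on SPF fail; no DSN is made."""
    return spf_check(msg.mail_from, msg.helo, msg.client_ip) != "fail"


def relay(msg: Message, mailboxes: dict, validate_at_submission: bool) -> str:
    """ISP relay for one submitted message; returns what happened to it.

    With validate_at_submission=False it accepts whatever a customer hands it
    and, when the next hop refuses, bounces to whatever MAIL FROM claimed.
    """
    if validate_at_submission and \
            spf_check(msg.mail_from, msg.helo, msg.client_ip) == "fail":
        return "rejected-at-submission"   # 5xx to the customer, nothing queued
    # The relay re-sends from its own IP with its own EHLO; MAIL FROM is kept.
    hop = Message("mail.isp.example", msg.mail_from, msg.rcpt_to, RELAY_IP)
    if recipient_mx_accepts(hop):
        mailboxes.setdefault(hop.rcpt_to, Mailbox()).delivered.append(hop)
        return "delivered"
    # The relay already took responsibility (250 at submission), so it must
    # notify the sender; the only sender it knows is the forged MAIL FROM.
    dsn = Message("mail.isp.example", "", msg.mail_from, RELAY_IP)
    # The DSN is genuinely from the relay, so it is valid and is not blocked.
    assert spf_check(dsn.mail_from, dsn.helo, dsn.client_ip) == "pass"
    mailboxes.setdefault(dsn.rcpt_to, Mailbox()).bounces.append(dsn)
    return "bounced"


def run_scenario(n_messages: int, validate_at_submission: bool) -> dict:
    """Spammer submits n messages forging victim@example.com as MAIL FROM."""
    mailboxes: dict = {}
    outcomes = {"delivered": 0, "bounced": 0, "rejected-at-submission": 0}
    for i in range(n_messages):
        spam = Message("customer-pc", "victim@example.com",
                       f"user{i}@example.net", SPAMMER_IP)
        outcomes[relay(spam, mailboxes, validate_at_submission)] += 1
    victim = mailboxes.get("victim@example.com", Mailbox())
    return {**outcomes, "victim_bounces": len(victim.bounces)}


if __name__ == "__main__":
    # One bounce per blocked message lands on the forged address.
    print(run_scenario(100, validate_at_submission=False))
    # Refusing the forged MAIL FROM at submission generates no bounces at all.
    print(run_scenario(100, validate_at_submission=True))
```

The first run reproduces the complaint in the quoted text: every message the recipient blocks becomes one bounce delivered to the forged address, and each bounce passes SPF because it really does come from the relay. The second run shows the cost moving back to the submitting customer when the relay refuses mail it could neither deliver nor bounce to the right party; the recipient-side check is unchanged in both runs.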