On Fri, 3 Dec 2004, Alan DeKok wrote:
Dean Anderson <dean(_at_)av8(_dot_)com> wrote:
ISP customer Spammer posts mail to that ISP's relay with a forged return
address. The recipients reject the message due to SPF. Now the relay sends
a bounce to the "from: address". This message is from the Relay, which
will be valid. So now instead of a a few bounced messages, you get a
bounce for every message blocked.
Is this a *new* attack, or is it an old attack with changed cost?
So far as I can see, this exact same attack can happen when a server
rejects messages from such a relay, independent of SPF.
I think it is an old attack, as described when all mail from a relay is
rejected. Cost is the same as before. Possibly cheaper, since it is
easier for the abuser to arrange the case where all email will be rejected
by recipient, but not by forged sender.
It is not the case that SPF can be deployed merely with respect to the
sender and recipient. There was significant discussion on this point with
Alan Dekok.
It can be deployed any way anyone wants. Whether there will be side
effects is another story.
Err, no. What is meant is that "sender and recipient" is an
oversimplication. There are more parties than just the "sender and
recipient".
Yes, doing MAIL FROM validation will have side effects on relays and
others who use "MAIL FROM foo(_at_)example(_dot_)com" without example.com
knowing. But to be pedantic, that's the whole *point* of MAIL FROM
checking: to know who is using your domain name in MAIL FROM, and to
control their use of that name.
Yes, I know that is "the point". However, this isn't possible. Hence the
conclusion that "SPF is breaking the mail system for no good reason".
If MAIL FROM validation doesn't allow the domain to control the use
of it's name by an MTA, then MAIL FROM validation is not taking place.
That is correct. MAIL From validation isn't taking place.
--Dean
--
Av8 Internet Prepared to pay a premium for better service?
www.av8.net faster, more reliable, better service
617 344 9000