ietf-mxcomp

Re: A new SMTP "3821" [Re: FTC stuff...........]

2004-12-08 11:12:05

"Chris Haynes" <chris(_at_)harvington(_dot_)org(_dot_)uk> wrote:
It has been argued in SPF circles that if you receive a message
which the (purported) sender's policy declares to be a hard failure
(-), the message is _proven_ to be a forgery, an unauthorised
re-transmission, or whatever.

  i.e. in SPF, the argument is that the discard "should" be done
during message delivery phase, by the sender.  This requires
non-SPF-aware senders to change their behaviour when they interact
with SPF-aware recipients.

  That won't work.

  In other MAIL FROM validation schemes (SES, BATV), the MAIL FROM can
be rewritten so that the forwarder implementing the scheme also
accepts responsibility for the bounces.  This means that any "discard"
decision will be made by the sender, when the recipient rejects the
message.  This may change the way senders work, but that's OK,
because the sender has already changed to implement SES.

  Or, the discard decision is made by the receiver, during the
"bounce" phase, when the sender refuses to accept the bounce.  This
requires no changes on non-SES-aware senders, as it's already a known
failure mode of message delivery.

Since the purported sender has repudiated the message, the argument
goes, the original SMTP 'contract' to "deliver or bounce" is
null-and-void, since whoever actually injected the message did so
without the authority of the domain they cited.  Therefore it is
acceptable to 'silently discard' such messages, and not send
bounces.

  If attackers discover MAIL FROM values which temporarily pass SES
checks, they can re-use them to send messages through non-SES-aware
senders.  When SES-aware recipients discover that the alleged
originating site has repudiated the MAIL FROM value, they will reject
the message, and the sender may bounce it back to the alleged
originating site.

  This failure mode is the same as Dean's "blow-back" argument for
SPF.  (Assuming I've described SES correctly, based on my quick
skimming of the documents.)

  It's also an attack mode of *any* system doing MAIL FROM validation.
Until all sites implement the validation, the attack mode will exist.
It can be mitigated with SES-like schemes, but it's more difficult to
mitigate it with SPF.

  Alan DeKok.
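As an added illustration of the "rewritten MAIL FROM" mechanism and the bounce-phase decision discussed above (example code written for this page, not code from SES, BATV or anyone in the thread): a sending site tags its MAIL FROM with an expiry day and a keyed hash, and then decides at RCPT TO time whether an incoming bounce is addressed to a tag it really issued. The tag layout `ses=<expiry>.<mac>=<local>@<domain>`, the 7-day validity window and the secret key are all assumptions made up for the example; real BATV uses a different tag format and key-rotation scheme.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed key for the example; a real deployment keeps a per-domain secret.
SECRET = b"example-secret-key"
VALIDITY_DAYS = 7          # assumed window: how long a tag stays acceptable
DAY = 86400                # seconds per day


def _mac(expiry_day: int, local: str, domain: str, secret: bytes) -> str:
    """Truncated HMAC over (expiry day, original local part, domain)."""
    data = f"{expiry_day}|{local}|{domain}".encode()
    return hmac.new(secret, data, hashlib.sha256).hexdigest()[:16]


def sign_mail_from(local: str, domain: str, now: float,
                   secret: bytes = SECRET,
                   validity_days: int = VALIDITY_DAYS) -> str:
    """Rewrite local@domain into a tagged return path.

    Only a site holding `secret` can produce a tag that later verifies, so by
    using it as MAIL FROM the sender accepts responsibility for any bounce
    addressed to it.
    """
    expiry_day = int(now // DAY) + validity_days
    mac = _mac(expiry_day, local, domain, secret)
    return f"ses={expiry_day}.{mac}={local}@{domain}"


def verify_mail_from(addr: str, now: float,
                     secret: bytes = SECRET) -> Tuple[bool, str]:
    """Return (valid, reason) for an address that should carry our tag.

    Failure reasons: untagged, malformed, expired, bad-signature (forged,
    tampered, or signed under another key).
    """
    localpart, sep, domain = addr.rpartition("@")
    if not sep or not localpart.startswith("ses="):
        return False, "untagged"
    try:
        tag, orig_local = localpart[4:].split("=", 1)
        expiry_str, mac = tag.split(".", 1)
        expiry_day = int(expiry_str)
    except ValueError:
        return False, "malformed"
    if int(now // DAY) > expiry_day:
        return False, "expired"
    expected = _mac(expiry_day, orig_local, domain, secret)
    # compare_digest avoids leaking the expected MAC through timing
    if not hmac.compare_digest(mac, expected):
        return False, "bad-signature"
    return True, "ok"


def bounce_decision(bounce_rcpt: str, now: float) -> str:
    """The signing site's SMTP reply at RCPT TO for a bounce (null MAIL FROM).

    Accepting means we really sent the original; rejecting hands the
    "discard" decision back to whoever is trying to deliver the bounce.
    """
    ok, reason = verify_mail_from(bounce_rcpt, now)
    return "250 accept" if ok else f"550 reject ({reason})"


if __name__ == "__main__":
    t0 = 1_100_000_000.0                     # constructed "now" (Nov 2004)
    tagged = sign_mail_from("alice", "example.org", t0)
    print("outgoing MAIL FROM:", tagged)
    print("bounce inside window:", bounce_decision(tagged, t0 + 2 * DAY))
    print("replayed after window:", bounce_decision(tagged, t0 + 9 * DAY))
    print("tampered local part:",
          bounce_decision(tagged.replace("=alice@", "=mallory@"), t0))
    print("plain forged address:", bounce_decision("alice@example.org", t0))
```

The two rejection cases at the end correspond to the "bounce phase" discard described in the message: a non-aware forwarder that relayed a forged or replayed MAIL FROM gets a 550 when it tries to return the bounce, which is an ordinary, already-handled SMTP failure on its side. The window is the trade-off the thread points at: a tag captured while still valid passes checks until it expires, so validity should be as short as legitimate bounce latency allows.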

