ietf-mxcomp

Re: Trouble with Sender Authentication

2006-11-09 16:56:46


Doug, I don't have time for a long discussion. But I'm telling you that
SPF has nothing to do with it and I can use either of "MX", "SRV" or
"NS" to generate similar amplification scenarios as you've done with
SPF using the same method. In fact CSV (as far as I remember it) would cause a higher amount of amplification than SPF when a bad guy controls the domain put in EHLO and decides to play special DNS games with that name. And in exactly the same way as you did, it would generate 10:1 DNS traffic amplification (SPF scenarios are basically 10:1 amplification after throwing away all the extras).

On Thu, 9 Nov 2006, Douglas Otis wrote:

On Nov 9, 2006, at 12:52 PM, william(at)elan.net wrote:

On Thu, 9 Nov 2006, Douglas Otis wrote:

to select an array of MX RR sets. The script defines the record set, but in converse a record does not define the set comprising the script. Processing the script includes initial parameters not found in any SPF record as well.

I've examined this issue over the last few days. This all has nothing to do with SPF but with DNS in general, of which Doug's SPF use is just one example of a range of similar attacks.

SPF script is able to target many DNS transactions per each distributed message. The number of executions depends upon the number of names being resolved, recipients, and instances within the path where an evaluation is performed.

The underlying problem is really that if spammers have a large collection of zombies under their control they can use them either directly to launch an attack (and spam is a form of DoS too!) or indirectly to get others to do something similar with some additional level of amplification (about 1-20 depending on the complexity of the DNS scheme).

One execution of the SPF script can generate 64 kbytes of DNS traffic without consuming the resources of an attacker. Few attack strategies offer a scenario that is totally free to the attacker who is also interested in sending spam. : (

They don't really need SPF for that at all.

When ACL restrictions on DNS and BCP38 become common, SPF still defeats these protective strategies. : (

I need to work more on the numbers and examples and also unlike Doug I've an issue with just publicly saying how to do all that - this would be just way too useful for bad guys.

Providing details was done by request as there remained a lack of understanding of the concern. Don't underestimate the sophistication of those creating the Bot-nets now responsible for the major portion of the current spam. A DDoS attack only needs to be done for a brief period of time to enable yet other exploits.

It seems best not to confuse the term script with that of record. They are truly different elements.

cert-test.mail-abuse.org.  IN  TXT  "v=spf1
   mx:0.%{l}.%{d} mx:1.%{l}.%{d} mx:2.%{l}.%{d}
   mx:3.%{l}.%{d} mx:4.%{l}.%{d} mx:5.%{l}.%{d}
   mx:6.%{l}.%{d} mx:7.%{l}.%{d} mx:8.%{l}.%{d}
   mx:9.%{l}.%{d} ?all"

Could someone kindly point me to a workable CSV library so that I could provide Doug with an example of using CSV to generate a higher amount of amplification than his assertions about SPF?

An SMTP client is unique at each stage of delivery. Validating SMTP clients requires one small DNS transaction using either A or CSV records. While each recipient might perform this transaction, gain is less than 1. SMTP client validation transactions cannot be redirected to a victim and still offer validation as SPF can. In addition, subsequent stages of delivery will not provide amplification as they will for SPF evaluations, which precludes gain related to multiple recipients. Multiple recipient gain remains a concern for SPF.
