
Re: rationale for the explanation directive

2003-10-28 15:55:06
On Tue, 28 Oct 2003, Meng Weng Wong wrote:

On Tue, Oct 28, 2003 at 01:16:50PM -0500, Meng Weng Wong wrote:
|
| the library returns two strings: one is intended for the connecting
| client in the 5xx error message, and the other for the Received-SPF
| header.  the exp string goes into the former.  the library makes up its
| own text for the latter.
|

these are the strings.

 20031028-13:12:20 mengwong(_at_)dumbo:~% echo "ip=213.84.159.212\nhelo=capsi.com\nsender=cap(_at_)capsi(_dot_)com\n" | nc localhost 5970

 result=pass
 smtp_comment=capsi.com MX mail.capsi.com A 213.84.159.212
 header_comment=domain of cap(_at_)capsi(_dot_)com designates 213.84.159.212 as permitted sender

 guess=pass
 smtp_guess=capsi.com A 213.84.159.212
 header_guess=best guess: seems reasonable for cap(_at_)capsi(_dot_)com to mail through 213.84.159.212

If an exp string had been provided, it would appear in the smtp_comment
field.

Can anyone think of a way for spammers to abuse this?

I guess the best they could do would be to try to add some junk to the
rejecting MTA's logs; I guess there would be some way for them to send
the bounce messages to a victim.

hmmm:

If the spammer used SPF, and then sent mail through open relays (open via
whatever method, FTP bounce, HTTP CONNECT, etc.) that weren't allowed in
the SPF string, but with fake From and Errors-To, then bounces generated
via a 5xx from an SPF compliant mailer would have the exp string in
them, and would be directed @ 3rd parties.

The bounces would avoid SPF - if the machine that's generating the bounces
(the abused proxy) has SPF dns records, the mails will be legit
(verification via HELO header).

This is not much worse than what spammers can do already, unless I've missed
something.

-- 
[http://pointless.net/]                                   [0x2ECA0975]

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.txt
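
Added example, not part of the original message and not code from the SPF library: one way a receiving MTA could treat the exp text in smtp_comment as untrusted, publisher-controlled input before it reaches the 5xx reply, the logs, or a bounce. The key names come from the session above; the fail response, the 550 5.7.1 reply code, the length cap and the "explains:" wording are assumptions.

```python
import re

MAX_COMMENT = 200  # assumed cap on explanation length, not from the thread

# Constructed sample: a fail result whose exp text carries a CR and a
# terminal escape sequence (the "junk in the logs" case).
SAMPLE_FAIL = (
    "result=fail\n"
    "smtp_comment=Please see http://example.org/why\r\x1b[2Jmail rejected\n"
    "header_comment=domain of user@example.org does not designate 192.0.2.7\n"
)

def parse_response(text):
    """Parse the daemon's key=value reply lines into a dict."""
    fields = {}
    for line in text.split("\n"):          # the protocol is LF-delimited
        key, sep, value = line.strip().partition("=")
        if sep and key:
            fields[key] = value            # later '=' stay in the value
    return fields

def safe_comment(raw, domain):
    """Reduce publisher-controlled exp text to one printable ASCII line."""
    text = re.sub(r"[^\x20-\x7e]+", " ", raw)   # drops CR, LF, ESC, 8-bit
    text = re.sub(r" {2,}", " ", text).strip()[:MAX_COMMENT]
    # Attribute the text to the domain that published it, so a bounce
    # recipient does not read it as the receiving MTA's own statement.
    return f"{domain} explains: {text}" if text else "SPF check failed"

def smtp_reply(fields, domain):
    """Return the 5xx line for a fail result, or None to accept."""
    if fields.get("result") != "fail":
        return None
    return "550 5.7.1 " + safe_comment(fields.get("smtp_comment", ""), domain)

if __name__ == "__main__":
    print(smtp_reply(parse_response(SAMPLE_FAIL), "example.org"))
```

The same sanitized string is what should be written to the log, so the reply, the log line and any bounce built from the reply all carry identical, single-line text.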

