spf-discuss

Re: Maybe simple question

2003-12-13 16:46:03
----- Original Message -----
From: "Edward Ned Harvey" <spf(_at_)nedharvey(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Saturday, December 13, 2003 6:32 PM
Subject: RE: [spf-discuss] Maybe simple question

I believe the confusion in this thread arises from Ned Harvey's
assumption that SPF is executed at MDA time, rather than at MTA time.

Wrong. I am assuming that sender verification will be done by the mta.

If you assume SPF will be done at MTA level, then the IP address of the
connected client is passed to, say, a Milter, which will perform the SPF
checks. If you cannot trust your own sendmail, then I'd say you have a
bigger problem on your hands than SPF spoofing.

Besides, IP spoofing, within an established connection, though perhaps
theoretically a possibility, is close to impossible. If it were possible, do
you not think every spammer would use it? And the convincing argument has
always been, that had spammers devised such an apparatus that could
successfully spoof IP addresses in such fashion, they would be sitting on
something worth a lot more than their stupid spam.

IP is basically a routing wrapper for layer 4, which contains the
Transmission Control Protocol (TCP). Participants in a TCP session must
first build a connection, via the 3-way handshake (SYN-SYN/ACK-ACK), then
update one another on progress, via sequences and acknowledgements. While
not the case today, machines in the past used basic techniques for
generating sequence numbers. It was relatively easy to discover the exact
formula by studying packets and TCP sessions. Today, most OSes implement
random sequence number generation, making it extremely difficult to predict
them accurately.

For all purposes and intent, I think you should work from the assumption
that the IP address in an established connection is genuine.

1- Verification can be done based on the IP address of the last relay.
This is the approach of Certificate Authority based verification. "This
message was delivered by such-n-such IP address, and I know that IP
address will only relay email that's verified. Therefore I can assume this
is authentic."

2- Something is encoded inside the message, and the only person who could
have put it there is the true sender. There are several proposals that fit
this description. eMVP is one (emvp.org). xmpp dialback, and yahoo public
key, and some others for example.

The authenticity of the message, as a whole, and the authenticity of the
connecting IP address, are two entirely different things. Received headers,
and such, are part of the DATA phase, and, like any other data, cannot, on
their own, be trusted to be accurate, and need to be digitally signed with a
PGP key or something. But unsigned data does not, in any way, compromise the
authenticity of the IP address of the established connection. In fact, if I
remember correctly, sendmail does not even have the "last" Received header
(of the current connection) available at Milter time, as the Milter hooks
are at the message receipt stage of sendmail processing, whereas an LDA, like
Procmail, gets to see it after an extra Received header has been added for
the local machine.

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
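The distinction Mark draws above, verification keyed on the connection's peer IP versus verification that believes a Received header from the DATA phase, as an added example (not code from the post or from any SPF implementation); the SPF record, addresses and message below are constructed for the demonstration:

```python
import ipaddress
from email import message_from_string

# Constructed SPF record for the example domain (not real DNS data).
SPF_RECORDS = {"example.org": "v=spf1 ip4:192.0.2.0/24 -all"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_domain, client_ip, records=SPF_RECORDS):
    """Evaluate only the ip4: and all mechanisms of a v=spf1 record."""
    record = records.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
        if term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def mta_time_result(peer_ip, mail_from):
    """MTA-time check: the client IP comes from the TCP connection itself."""
    return spf_check(mail_from.rsplit("@", 1)[1], peer_ip)


def header_time_result(mail_from, data):
    """Naive post-DATA check that believes the top Received header."""
    received = message_from_string(data).get("Received", "")
    claimed_ip = received.split("[", 1)[1].split("]", 1)[0]
    return spf_check(mail_from.rsplit("@", 1)[1], claimed_ip)


# Constructed message: its Received header names an authorized relay,
# but the TCP peer that actually delivered it is 198.51.100.7.
PEER_IP = "198.51.100.7"
MAIL_FROM = "alice@example.org"
FORGED_DATA = (
    "Received: from mail.example.org [192.0.2.25] by mx.example.net\n"
    "From: alice@example.org\n\nhello\n"
)

if __name__ == "__main__":
    print("MTA-time (peer IP):", mta_time_result(PEER_IP, MAIL_FROM))        # fail
    print("Header-based:      ", header_time_result(MAIL_FROM, FORGED_DATA))  # pass
```

Only the peer-IP check rejects the message; the header-based check passes because the Received line is just data the sender chose to write.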

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.3.txt