Currently, the SPF spec says that a conforming implementation must
support include recursion depths of at least 10. I think there needs
to be much tighter limits placed on this.
Imagine someone creating a set of SPF records such as:
a.evil.com TXT "v=spf1 include:a1.evil.com include:a2.evil.com"
a1.evil.com TXT "v=spf1 include:a11.evil.com include:a12.evil.com"
a2.evil.com TXT "v=spf1 include:a21.evil.com include:a22.evil.com"
a11.evil.com TXT "v=spf1 include:%(t)_%(i)_%(s)_a11_1.target.org
include:%(t)_%(i)_%(s)_a11_2.target.org include:%(t)_%(i)_%(s)_a11_3.target.org
include:%(t)_%(i)_%(s)_a11_4.target.org"
a12.evil.com TXT "v=spf1 include:%(t)_%(i)_%(s)_a12_1.target.org
include:%(t)_%(i)_%(s)_a12_2.target.org include:%(t)_%(i)_%(s)_a12_3.target.org
include:%(t)_%(i)_%(s)_a12_4.target.org"
a21.evil.com TXT "v=spf1 include:%(t)_%(i)_%(s)_a21_1.target.org
include:%(t)_%(i)_%(s)_a21_2.target.org include:%(t)_%(i)_%(s)_a21_3.target.org
include:%(t)_%(i)_%(s)_a21_4.target.org"
a22.evil.com TXT "v=spf1 include:%(t)_%(i)_%(s)_a22_1.target.org
include:%(t)_%(i)_%(s)_a22_2.target.org include:%(t)_%(i)_%(s)_a22_3.target.org
include:%(t)_%(i)_%(s)_a22_4.target.org"
Evil H4x0r sends out a bunch of email to a bunch of MTAs that use
SPF using the envelope-from of bad@a.evil.com. Each of these emails
will trigger 16 queries to target.org's DNS server. Since these
queries include things like the time stamp and IP addresses, they will
generally be unique and will not be cached. Yes, they also won't
exist on target.org, but that doesn't help. Yeah, these emails will
cause a little bit of DNS traffic to evil.com also, but they can all
be cached!
Of course, Evil H4x0r can use 10 levels of recursion instead of the 3
shown here, and each of the branching factors can be much larger than
2-4 and still fit into a UDP packet.
I propose that there should be a limit of, say, 4-8 DNS queries in
toto, for all levels of includes and redirects. SPF implementations
MUST NOT query more than this. I also think there should be a limit
to the number of bytes that will be parsed, and that limit be
something like 512-2048.
We have to be very conservative when we are directing one site to
accept directions from a third party which can then tell the site to
go to yet another party.
Thoughts?
-wayne
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt