On Wed, Dec 17, 2003 at 19:47:11 -0600, wayne wrote:
> a11.evil.com TXT "v=spf1 include:%(t)_%(i)_%(s)_a11_1.target.org
>                          include:%(t)_%(i)_%(s)_a11_2.target.org
>                          include:%(t)_%(i)_%(s)_a11_3.target.org
>                          include:%(t)_%(i)_%(s)_a11_4.target.org"
> a12.evil.com TXT "v=spf1 include:%(t)_%(i)_%(s)_a12_1.target.org
>                          include:%(t)_%(i)_%(s)_a12_2.target.org
>                          include:%(t)_%(i)_%(s)_a12_3.target.org
>                          include:%(t)_%(i)_%(s)_a12_4.target.org"
> a21.evil.com TXT "v=spf1 include:%(t)_%(i)_%(s)_a21_1.target.org
>                          include:%(t)_%(i)_%(s)_a21_2.target.org
>                          include:%(t)_%(i)_%(s)_a21_3.target.org
>                          include:%(t)_%(i)_%(s)_a21_4.target.org"
> a22.evil.com TXT "v=spf1 include:%(t)_%(i)_%(s)_a22_1.target.org
>                          include:%(t)_%(i)_%(s)_a22_2.target.org
>                          include:%(t)_%(i)_%(s)_a22_3.target.org
>                          include:%(t)_%(i)_%(s)_a22_4.target.org"
>
> Evil H4x0r sends out a bunch of email to a bunch of MTAs that use
> SPF using the envelope-from of bad@a.evil.com. Each of these emails
> will trigger 16 queries to target.org's DNS server. Since these
> queries include things like the time stamp and IP addresses, they will
> generally be unique and will not be cached. Yes, they also won't
> exist on target.org, but that doesn't help. Yeah, these emails will
> cause a little bit of DNS traffic to evil.com also, but they can all
> be cached!
As I'm not yet fully aware of how this include works, I might be totally
off... but as far as I can tell you are telling the other MTA it should
ask

20031218131559_1.2.3.4_blah@foo.org_a11_3.target.org
20031218131600_1.2.3.4_blah@foo.org_a11_3.target.org
...

up to 16 times...

Well, if I open an SMTP connection to the server and say "hey, I'm
foo@bar.net" then my MTA has to check if this domain exists, which
also causes several DNS lookups:

EHLO xxxx
MAIL FROM: <blah@111.target.org>
RSET
MAIL FROM: <blah@112.target.org>
The question that remains is how much traffic you can get generated
with the amount you generate - I'm not a security expert, so I don't
know what ratios are normal or acceptable (I would consider 1:4 still
harmless... but that's me).
> I propose that there should be a limit of, say, 4-8 DNS queries in
> toto, for all levels of includes and redirects. SPF implementations
> MUST NOT query more than this. I also think there should be a limit
> to the number of bytes that will be parsed, and that limit be
> something like 512-2048.
I'm not a DNS expert either... so I don't know if there are any
limits on the DNS side... but I want to point out that you should be
careful with limits - we are here in a "lab environment", but in the
"wild" there might be configurations that depend on certain "features" or
amounts a protocol allows.... I just want to say: just because I haven't
seen a volcano, doesn't mean that there aren't any ;)
> We have to be very conservative when we are directing one site to
> accept directions from a third party which can then tell the site to
> go to yet another party.
Agreed!
regards
Philipp
-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to
http://v2.listbox.com/member/?listname
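The two limits discussed in this thread (a total DNS-lookup budget shared across every level of include/redirect, and a cap on the size of a record that will be parsed) are easy to enforce on the receiving MTA's side. The following is an added example, not code from the thread, the SPF draft, or any SPF library: a minimal v=spf1 walker over a constructed in-memory zone. It supports only ip4, all, include and redirect, charges one lookup per record fetched before the fetch happens, and turns a 4x4 include fan-out (21 lookups if walked fully) into a permerror after the tenth query. The budget of 10 and the 512-byte cap are assumed values chosen for the example; the thread proposes 4-8 queries and 512-2048 bytes.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_LOOKUPS = 10        # assumed budget; the thread proposes 4-8 queries in total
MAX_RECORD_BYTES = 512  # assumed cap on the size of a record we are willing to parse

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SPFPermError(Exception):
    """Raised when a record violates a limit; evaluation stops immediately."""


@dataclass
class Budget:
    """One lookup budget shared across every include/redirect level."""
    remaining: int = MAX_LOOKUPS
    queries: list = field(default_factory=list)


def fetch_txt(zone, name, budget):
    """Charge one lookup *before* asking, so an over-budget tree never
    issues the extra query. Returns the record text, or None if absent."""
    if budget.remaining == 0:
        raise SPFPermError(f"lookup limit of {MAX_LOOKUPS} exceeded at {name}")
    budget.remaining -= 1
    budget.queries.append(name)
    record = zone.get(name)
    if record is not None and len(record.encode()) > MAX_RECORD_BYTES:
        raise SPFPermError(f"record for {name} is larger than {MAX_RECORD_BYTES} bytes")
    return record


def evaluate(zone, domain, ip, budget):
    """Evaluate v=spf1 for `domain` against sender `ip`. Only ip4, all,
    include and redirect are implemented; other mechanisms are ignored."""
    record = fetch_txt(zone, domain, budget)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    sender = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term[len("redirect="):]   # applied only if nothing matches
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4" and sender in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if name == "include":
            sub = evaluate(zone, arg, ip, budget)  # recursion shares the same budget
            if sub == "none":
                raise SPFPermError(f"include:{arg} has no SPF record")
            if sub == "pass":
                return QUALIFIERS[qualifier]
    if redirect is not None:
        return evaluate(zone, redirect, ip, budget)
    return "neutral"


def check(zone, domain, ip):
    """Top-level entry: returns (result, number of DNS queries issued)."""
    budget = Budget()
    try:
        result = evaluate(zone, domain, ip, budget)
    except SPFPermError:
        result = "permerror"
    return result, len(budget.queries)


# Constructed sample zone; no real DNS is consulted.
ZONE = {
    "good.example": "v=spf1 include:mail.example -all",
    "mail.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # A 4x4 include fan-out like the one in the thread: 1 + 4 + 16 = 21 lookups if walked fully.
    "fanout.example": "v=spf1 " + " ".join(f"include:a{i}.fanout.example" for i in range(1, 5)) + " -all",
    # An oversized record (about 1 KB) that is rejected before it is parsed.
    "huge.example": "v=spf1 " + " ".join(f"ip4:10.0.{i}.0/24" for i in range(60)) + " -all",
}
for i in range(1, 5):
    ZONE[f"a{i}.fanout.example"] = (
        "v=spf1 " + " ".join(f"include:b{i}{j}.fanout.example" for j in range(1, 5)) + " -all"
    )
    for j in range(1, 5):
        ZONE[f"b{i}{j}.fanout.example"] = "v=spf1 ?all"

if __name__ == "__main__":
    for name in ("good.example", "fanout.example", "huge.example"):
        print(name, check(ZONE, name, "192.0.2.10"))
```

Charging the budget before the query rather than after it is the point of the design: an evaluator that counts lookups only once the answers come back has already sent the amplified traffic to the third party's nameserver by the time it notices the limit was exceeded.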