spf-discuss

Re: Response to the Bellovin Critique of SPF

2004-01-24 09:52:22
In <20040124064243.GG7601@dumbo.pobox.com> Meng Weng
Wong <mengwong@dumbo.pobox.com> writes:

But you are right; some things will break.  If we examined message
headers instead, we would have a different set of problems.  For
example, a system that tries to authenticate the From: header will start
out promising to protect

  From: service@paypal.com (Paypal Customer Service)

but end up vulnerable to an attack of the form

  From: bad@spammer.com (service@paypa1.com)

That is why SPF doesn't want to get anywhere near protecting the headers.

It isn't just something as "obvious" as bad@spammer.com; phishers
could also use From: headers such as:

   From: service@paypa1.com (Paypal Customer Service)
   From: service@paypalsecurity.com (Paypal Customer Service)
   From: service@paypal-email.com (Paypal Customer Service)
   From: service@paypa1-email.com (Paypal Customer Service)

This list goes on and on.

Phishing is going to be very hard to stop.  However, comparing the
envelope-from with the From: header goes a very long ways.


The cases where this fails are things like mailing lists and
forwarders.  While those cases are hard to solve *in general*, for a
specific user, these can usually be figured out automatically.  People
just don't subscribe and unsubscribe to mailing lists that often, and
they don't switch forwarders very often.  Simply noting a history of a
user receiving mismatched Froms using a given envelope-from domain
is going to be very effective.

SPF-validated envelope-froms are also very easy to check against
RHSBLs.  This means that phishers can't create the history of
mismatched Froms.


-wayne
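The checks Wayne describes, worked through as an added example that is not part of the original thread or of any SPF implementation: parse the From: header the way a mail reader would (so the look-alike hidden in a parenthesised comment does not count as the address), compare the From: domain with the SPF-validated envelope-from domain, consult a blocklist before any history is recorded, and learn per recipient which envelope-from domains habitually deliver mismatched Froms (mailing lists, forwarders). The protected-domain set, the blocklist set standing in for an RHSBL lookup, the learning threshold and all addresses are constructed sample data.

```python
from collections import defaultdict
from email.utils import parseaddr

PROTECTED = {"paypal.com"}   # constructed: brand domain we watch for look-alikes
RHSBL = {"spammer.com"}      # constructed stand-in for an RHSBL DNS lookup
LEARN_THRESHOLD = 3          # SPF-pass mismatches before an envelope domain is trusted


def domain_of(addr):
    """Lower-cased domain part of an address ('' if there is no @)."""
    return addr.rpartition("@")[2].lower()


def from_header_parts(value):
    """(display name, address) of a From: header.  parseaddr treats a trailing
    (comment) as the display name, so the look-alike in
    'bad@spammer.com (service@paypa1.com)' lands in the name, not the address."""
    return parseaddr(value)


def looks_like(domain, protected):
    """Look-alike test covering the variants quoted in the thread: digit-for-letter
    swaps (paypa1.com) and the brand embedded in a longer first label
    (paypalsecurity.com, paypal-email.com).  The genuine domain is not a look-alike."""
    if not domain or domain == protected:
        return False
    folded = domain.translate(str.maketrans("10", "lo"))   # 1 -> l, 0 -> o
    brand = protected.split(".")[0]
    return folded == protected or brand in folded.split(".")[0]


def spoofs_protected(name, addr):
    """True when the From: address domain is a look-alike of a protected domain,
    or when the display name carries an address that is (or resembles) one."""
    candidates = [domain_of(addr)]
    if "@" in name:
        candidates.append(domain_of(name))
    if any(looks_like(d, p) for d in candidates for p in PROTECTED):
        return True
    return "@" in name and domain_of(name) in PROTECTED


class FromChecker:
    """Per-recipient history of envelope-from domains that deliver mismatched Froms."""

    def __init__(self):
        # recipient -> envelope domain -> SPF-pass messages whose From: domain differed
        self.history = defaultdict(lambda: defaultdict(int))

    def classify(self, recipient, envelope_from, from_header, spf_result):
        if spf_result != "pass":
            return "unverified"            # nothing trustworthy to compare or learn from
        env_dom = domain_of(envelope_from)
        if env_dom in RHSBL:
            return "reject"                # listed domains never build history
        name, addr = from_header_parts(from_header)
        hdr_dom = domain_of(addr)
        if spoofs_protected(name, addr):
            return "quarantine"
        if hdr_dom == env_dom:
            return "deliver"
        seen = self.history[recipient][env_dom]
        self.history[recipient][env_dom] = seen + 1
        if seen >= LEARN_THRESHOLD:
            return "deliver-known-forwarder"   # this recipient's list or forwarder
        if hdr_dom in PROTECTED:
            return "quarantine"            # protected brand claimed from a foreign envelope
        return "flag"


if __name__ == "__main__":
    checker = FromChecker()
    print(checker.classify("alice@example.net", "bounce@evil.example",
                           "service@paypa1.com (Paypal Customer Service)", "pass"))
```

The ordering matters for the point made in the thread: the RHSBL check runs before anything is written to the history, so a listed envelope domain cannot accumulate the "known forwarder" standing that would later let it deliver mismatched Froms.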


-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.4.txt