spf-discuss

Re: SPF and viruses

2004-01-30 05:24:54
On Fri, 2004-01-30 at 04:09, Fridrik Skulason wrote:

> The worm authors would of course attempt to get around this.  The most
> obvious way would be to determine the "real" domain name of the infected
> computer, and use that, but make up a new first part of the name.

Oohhh.... I didn't realize something here:

If example.com has only three A records:

  @               IN      A       10.0.0.1
  www             IN      A       10.0.0.2
  ftp             IN      A       10.0.0.2

And spf records:

  @               IN      TXT     "v=spf1 a mx -all"
  www             IN      TXT     "v=spf1 a mx -all"
  ftp             IN      TXT     "v=spf1 a mx -all"

Then if someone forges mail from their own IP address:

  o The spf tests for mail froms of "user(_at_)example(_dot_)com" return FAIL.

  o But the spf tests for mail froms of "user(_at_)support(_dot_)example(_dot_)com"
    will return UNKNOWN, (even though support.example.com doesn't
    exist and a "host support.example.com" returns NXDOMAIN.)

So if the DNS admin puts in a wildcard record for *.example.com:

  *               IN      TXT     "v=spf1 -all"

Now spf tests for mail froms of "user(_at_)support(_dot_)example(_dot_)com"
will return FAIL.

Unfortunately "host support.example.com" no longer returns NXDOMAIN
errors.  Shades of verisign sitefinder here. :-(

In any event, having to make my nonexistent subdomains no longer return
NXDOMAIN results on dns queries in order for spf queries to fail for
them seems...strange.

Should the spec specify that spf tests MUST return FAIL on domains
without an associated a or mx (or spf (?)) records?

The FAQ does suggest that "The envelope sender domain must have either
an A or MX record" as a test to run before the MTA even bothers to run
spf tests.  I take it then that there was a previous consensus that
the spf tests themselves should not incorporate this check?

(I guess I can understand it both ways; the current way doesn't put
words in a domain owner's mouth, but.. it still feels odd.)

-- 
Mark Shewmaker
mark(_at_)primefactor(_dot_)com
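To make the UNKNOWN versus FAIL difference above concrete, here is an added toy SPF evaluator over a constructed in-memory zone mirroring the records in the post. It is example code written for this archive page, not code from the original message or from the SPF reference implementation; the forged client IP 192.0.2.99, the `a`/`mx`/`all` subset of mechanisms, and the simplified wildcard matching are assumptions.

```python
# Added example: constructed zone for example.com (A and TXT records as in the post).
# Records are stored as {name: {rtype: [values]}}; MX values are hostnames.
ZONE = {
    "example.com":     {"A": ["10.0.0.1"], "TXT": ["v=spf1 a mx -all"]},
    "www.example.com": {"A": ["10.0.0.2"], "TXT": ["v=spf1 a mx -all"]},
    "ftp.example.com": {"A": ["10.0.0.2"], "TXT": ["v=spf1 a mx -all"]},
}
# The DNS admin's proposed wildcard record, kept separate so both cases can be run.
WILDCARD = {"*.example.com": {"TXT": ["v=spf1 -all"]}}


def lookup(zone, name, rtype):
    """Exact name first, then the nearest '*.ancestor' wildcard (simplified DNS)."""
    if name in zone:
        return zone[name].get(rtype, [])
    labels = name.split(".")
    for i in range(1, len(labels)):
        wild = "*." + ".".join(labels[i:])
        if wild in zone:
            return zone[wild].get(rtype, [])
    return []


def spf_check(zone, sender_domain, client_ip):
    """Return 'pass', 'fail' or 'unknown' for a MAIL FROM domain and client IP."""
    txt = [r for r in lookup(zone, sender_domain, "TXT") if r.startswith("v=spf1 ")]
    if not txt:
        return "unknown"  # no SPF record at all: nothing to say about the sender
    for mech in txt[0].split()[1:]:
        qualifier, name = (mech[0], mech[1:]) if mech[0] in "+-~?" else ("+", mech)
        if name == "all":
            return "pass" if qualifier == "+" else "fail"
        if name == "a" and client_ip in lookup(zone, sender_domain, "A"):
            return "pass"
        if name == "mx":
            for mx in lookup(zone, sender_domain, "MX"):
                if client_ip in lookup(zone, mx, "A"):
                    return "pass"
    return "unknown"  # ran out of mechanisms without a match


def has_a_or_mx(zone, domain):
    """The FAQ's pre-check: the envelope sender domain must have an A or MX record."""
    return bool(lookup(zone, domain, "A") or lookup(zone, domain, "MX"))
```

With `ZONE` alone, a forged support.example.com sender yields "unknown"; adding `WILDCARD` turns that into "fail" while the pre-check `has_a_or_mx` already rejects it without any wildcard.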

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/

