On Fri, 2004-01-30 at 04:09, Fridrik Skulason wrote:
> The worm authors would of course attempt to get around this. The most
> obvious way would be to determine the "real" domain name of the infected
> computer, and use that, but make up a new first part of the name.

Oohhh.... I didn't realize something here:

If example.com has only three A records:

    @    IN A    10.0.0.1
    www  IN A    10.0.0.2
    ftp  IN A    10.0.0.2

And spf records:

    @    IN TXT  "v=spf1 a mx -all"
    www  IN TXT  "v=spf1 a mx -all"
    ftp  IN TXT  "v=spf1 a mx -all"

Then if someone forges mail from their own IP address:

  o The spf tests for mail froms of "user@example.com" return FAIL.
  o But the spf tests for mail froms of "user@support.example.com"
    will return UNKNOWN, (even though support.example.com doesn't
    exist and a "host support.example.com" returns NXDOMAIN.)

So if the DNS admin puts in a wildcard record for *.example.com:

    *    IN TXT  "v=spf1 -all"

Now spf tests for mail froms of "user@support.example.com" will return
FAIL.

Unfortunately "host support.example.com" no longer returns NXDOMAIN
errors. Shades of verisign sitefinder here. :-(

In any event, having to make my nonexistent subdomains no longer return
NXDOMAIN results on dns queries in order for spf queries to fail for
them seems...strange.

Should the spec specify that spf tests MUST return FAIL on domains
without an associated a or mx (or spf (?)) records?

The FAQ does suggest that "The envelope sender domain must have either
an A or MX record" as a test to run before the MTA even bothers to run
spf tests. I take it then that there was a previous consensus that
the spf tests themselves should not incorporate this check?

(I guess I can understand it both ways; the current way doesn't put
words in a domain owner's mouth, but.. it still feels odd.)
--
Mark Shewmaker
mark(_at_)primefactor(_dot_)com
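
Added example (not part of the original message, and not code from the SPF project): a small Python model of the zone above, showing how the plain DNS answer and the SPF result for support.example.com change once the wildcard TXT record is added, and what the FAQ's A-or-MX pre-check says in each case. The resolver is a simplified in-memory stand-in, the function names and the client address 192.0.2.66 are assumptions, and only the a, mx and -all terms are evaluated.

```python
# Constructed in-memory model of the example.com zone from the message (no real DNS).
ZONE = {
    "example.com":     {"A": ["10.0.0.1"], "TXT": ["v=spf1 a mx -all"]},
    "www.example.com": {"A": ["10.0.0.2"], "TXT": ["v=spf1 a mx -all"]},
    "ftp.example.com": {"A": ["10.0.0.2"], "TXT": ["v=spf1 a mx -all"]},
}
ZONE_WITH_WILDCARD = {**ZONE, "*.example.com": {"TXT": ["v=spf1 -all"]}}

def lookup(zone, name, rtype):
    """Return (rcode, records). Simplified: a wildcard covers one missing label."""
    node = zone.get(name)
    if node is None:                       # name absent: try the parent's wildcard
        node = zone.get("*." + name.partition(".")[2])
    if node is None:
        return "NXDOMAIN", []
    return "NOERROR", node.get(rtype, [])  # owner exists, possibly without this type

def spf_check(zone, domain, client_ip):
    """Evaluate only the a, mx and -all terms that appear in the message."""
    txts = lookup(zone, domain, "TXT")[1]
    policy = next((t for t in txts if t.startswith("v=spf1")), None)
    if policy is None:
        return "UNKNOWN"                   # no SPF record published for this name
    for term in policy.split()[1:]:
        if term == "-all":
            return "FAIL"
        if term == "a":
            hosts = [domain]
        elif term == "mx":
            hosts = lookup(zone, domain, "MX")[1]
        else:
            raise ValueError("term not modelled: " + term)
        if any(client_ip in lookup(zone, h, "A")[1] for h in hosts):
            return "PASS"
    raise ValueError("policy has no terminating all mechanism")

def sender_domain_resolves(zone, domain):
    """FAQ pre-check: the envelope sender domain must have an A or MX record."""
    return bool(lookup(zone, domain, "A")[1] or lookup(zone, domain, "MX")[1])

def survey(zone, domain, client_ip="192.0.2.66"):  # constructed forger address
    """Return (rcode of an A query, SPF result, passes the A/MX pre-check)."""
    return (lookup(zone, domain, "A")[0], spf_check(zone, domain, client_ip),
            sender_domain_resolves(zone, domain))

if __name__ == "__main__":
    for label, zone in (("no wildcard", ZONE), ("wildcard", ZONE_WITH_WILDCARD)):
        for d in ("example.com", "support.example.com"):
            print(label, d, survey(zone, d))
```

In this model the forged subdomain has no A or MX data in either zone, so the FAQ's pre-check rejects it with or without the wildcard.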