spf-discuss

Re: header forgery concern...

2004-02-20 13:30:33
Tomasz,

It's hard to tell for sure, but based on my analysis of your headers and
possible scenarios, here is a summary of what I found:

1) The transaction does not seem to be forged.  If it was, they did a damn
good job. <g>

2) The message originates at ebay.com based on the Message-Id:

3)  Since you masked the target recipient, this took away many possible
security scenarios. Based on the headers, one can only assume that the final
destination is a yahoo.com host for a yahoo email account.

4)  In the first hop, if the target is a yahoo account, then it has to be
authenticated, otherwise it is an open relay.  It could be that this is an
intranet and thus authenticating is not required.

5) In the first hop, if it is SPF compliant and the return path domain
ebay.com had an SPF record, then it would pass the test because the IP
address and ebay.com network of domains seem to have some association.

6) In the relay to the final destination (yahoo.com), if it is SPF
compliant and the return path domain ebay.com had an SPF record, then it
would FAIL the test because the IP address and ebay.com network of domains
do not seem to have any association.   So in this case, SPF would fail the
transaction.

Can the message header be forged?

Sure, again, a lot depends on the above.  If the validation is based on just
reading the headers, well, you have only what is written.   But if the
validation is dynamic at the SMTP level, then the forging is less possible.

I think what is more important here is #4 and #5.

#4 is important because if it was an open relay, then that's a problem right
there.  But an open relay is not necessarily always "bad."   You have services
out there that like to offer "forwarding" services, i.e., news email
forwarding to friends, which will have a problem with SPF-like operations but
more importantly look like an open relay because they use your return path
address as the original source from their own servers.  So it looks like an
open relay, but it really isn't.  Of course, they don't help by not providing
the proper email headers (Sender:, etc.)

#5 is important because if everyone was SPF ready, it would stop this type
of transaction.

Now the question is, is this GOOD?

Yes, from the standpoint that in a widely deployed SPF world, maybe they will
begin to create proper sessions and transactions to safely relay mail.

No, if SPF is not widely deployed and accepted and systems do not change
their transactions to be more authenticated and trusted to route and relay
mail.

I hope this helps.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com


----- Original Message ----- 
From: "Tomasz Konefal" <twkonefal(_at_)compt(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Friday, February 20, 2004 9:45 AM
Subject: [spf-discuss] header forgery concern...


hello list,

   I got a piece of email today which gave me a bit of a problem.  It
may be entirely irrelevant since I don't know everything about the
various SMTP RFCs, but here's my concern.  What if a spammer forges the
beginning portion of a mail route?  For example, can a spammer send an
email to me and claim to be relaying it for some other entity (like ebay
for example) even though the mail didn't originate at ebay?

   For a concrete example, check out the trimmed headers below.  Can the
host at charterwv.net create an email and fake a header (2) and then
pretend it's relaying for that domain (1)?  My concern is that an SPF
lookup checks the sender's domain, but not the relay's.  If so, is this
an issue that is addressed or can be addressed with SPF?

thanks,
   twkonefal


-- 
Tomasz Konefal
Systems Administrator
Command Post and Transfer Corp.
416-585-9995 x.349

--snip--
 From - Fri Feb 20 09:22:47 2004
X-UIDL: 29cd63a4641c02cff0462b2b3c505c1f
X-Apparently-To: twkonefal(_at_)XXXXXXX(_dot_)XX via 216.136.172.210; Fri, 20 Feb 2004 04:36:04 -0800
Return-Path: <service(_at_)ebay(_dot_)com>
(1) Received: from 68.187.223.20  (HELO
ip-wv-68-187-223-020.charterwv.net) (68.187.223.20)
   by mta139.mail.scd.yahoo.com with SMTP; Fri, 20 Feb 2004 04:35:53 -0800
(2) Received: from ebay.com (data.ebay.com [66.135.195.180])
 by ip-wv-68-187-223-020.charterwv.net (Postfix) with ESMTP id 89EFC8DC45
 for <twkonefal(_at_)XXXXXXX(_dot_)XX>; Fri, 20 Feb 2004 06:35:55 -0600
From: eBay Service <service(_at_)ebay(_dot_)com>
To: Twkonefal <twkonefal(_at_)XXXXXXX(_dot_)XX>
Subject: Ebay Account Update
Date: Fri, 20 Feb 2004 06:35:55 -0600
Message-ID: <101001c3f7ae$86f48d5d$8b8b4a75(_at_)ebay(_dot_)com>
--snip--

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/spf-draft-20040209.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
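Tomasz's question and Hector's points 5 and 6 both turn on which hop an SPF check actually looks at: each receiving MTA tests the IP of the client that connected to it against the Return-Path domain's record, and the Received lines the sender handed over play no part. The Python below is an added example, not code from either poster, that walks the posted headers hop by hop; the SPF record for ebay.com is hypothetical (the 66.135.195.0/24 range is invented for illustration, not eBay's real record).

```python
import ipaddress
import re
# Constructed sample input: the trimmed headers from the post, de-munged.
HEADERS = """\
Return-Path: <service@ebay.com>
Received: from 68.187.223.20  (HELO ip-wv-68-187-223-020.charterwv.net) (68.187.223.20)
   by mta139.mail.scd.yahoo.com with SMTP; Fri, 20 Feb 2004 04:35:53 -0800
Received: from ebay.com (data.ebay.com [66.135.195.180])
 by ip-wv-68-187-223-020.charterwv.net (Postfix) with ESMTP id 89EFC8DC45
"""
# Hypothetical record for the Return-Path domain; NOT eBay's real SPF record.
SPF_RECORDS = {"ebay.com": "v=spf1 ip4:66.135.195.0/24 -all"}

def unfold_headers(raw):
    """Join folded continuation lines and return (name, value) pairs."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line.rstrip())
    return [tuple(p.strip() for p in h.split(":", 1)) for h in lines if ":" in h]

def received_hops(headers):
    """[(client_ip, receiving_host)] top-down. Only the topmost Received line
    was written by the MTA doing the check; the rest is sender-supplied text."""
    found = [(re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", v), re.search(r"\bby\s+(\S+)", v))
             for n, v in headers if n.lower() == "received"]
    return [(ip.group(1), by.group(1)) for ip, by in found if ip and by]

def spf_check(domain, client_ip):
    """Minimal SPF evaluator: ip4 mechanisms plus a qualified 'all'."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qualifier, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        matched = term == "all" or (
            term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]))
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def evaluate_chain(raw):
    """Result each MTA gets for the client that connected to it; inner hops are ignored."""
    headers = unfold_headers(raw)
    domain = re.search(r"@([^>]+)>", dict(headers)["Return-Path"]).group(1)
    return [(by, ip, spf_check(domain, ip)) for ip, by in received_hops(headers)]
```

Run on the posted headers, the yahoo.com MTA (hop 1) gets a fail for 68.187.223.20 while the charterwv.net host (hop 2) would have passed for 66.135.195.180; a forged inner Received line changes neither result because only the connecting IP is consulted.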



