
Re: header forgery concern...

2004-02-20 14:08:44

----- Original Message ----- 
From: "Hector Santos" <winserver(_dot_)support(_at_)winserver(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Friday, February 20, 2004 3:30 PM
Subject: Re: [spf-discuss] header forgery concern...

I think what is more important here is #4 and #5.

correction:  I think what is more important here is #4 and #6.

Hector Santos, Santronics Software, Inc.
http://www.santronics.com

----- Original Message ----- 
From: "Hector Santos" <winserver(_dot_)support(_at_)winserver(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Friday, February 20, 2004 3:30 PM
Subject: Re: [spf-discuss] header forgery concern...


Tomasz,

It's hard to tell for sure, but based on my analysis of your headers and
possible scenarios, here is a summary of what I found:

1) The transaction does not seem to be forged.  If it was, they did a damn
good job. <g>

2) The message originates at ebay.com based on the Message-Id:

3)  Since you masked the target recipient, this took away many possible
security scenarios. Based on the headers, one can only assume that the final
destination is a yahoo.com host for a yahoo email account.

4)  In the first hop, if the target is a yahoo account, then it has to be
authenticated, otherwise it is an open relay.  It could be that this is an
intranet and thus authenticating is not required.

5) In the first hop, if it is SPF compliant and the return path domain
ebay.com had a SPF record, then it would pass the test because the IP
address and ebay.com network of domains seem to have some association.

6) In the relay to the final destination (yahoo.com),  if it is SPF
compliant and the return path domain ebay.com had a SPF record, then it
would FAIL the test because the IP address and ebay.com network of domains
do not seem to have some association.   So in this case, SPF fails the
transaction.

Can the message header be forged?

Sure, again, a lot depends on the above.  If the validation is based on just
reading the headers,  well, you have only what is written.   But if the
validation is dynamic at the smtp level, then the forging is less possible.

I think what is more important here is #4 and #5.

#4 is important because if it was an open relay, then that's a problem right
there.  But an open relay is not necessarily always "bad."   You have services
out there that like to offer "forwarding" services, i.e., news email
forwarding to friends, which will have a problem with SPF-like operations but
more importantly look like an open relay because they use your return path
address as the original source from their own servers.  So it looks like an
open relay, but it really isn't.  Of course, they don't help by not providing
the proper email headers (Sender:, etc.)

#5 is important because if everyone was SPF ready,  it would stop this type
of transaction.

Now the question is, is this GOOD?

Yes, from the standpoint that in a widely deployed SPF world,  maybe they will
begin to create proper sessions and transactions to safely relay mail.

No, if SPF is not widely deployed and accepted and systems do not change
their transactions to be more authenticated and trusted to route and relay
mail.

I hope this helps.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
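Points 5 and 6 of the message above describe the same return-path domain passing SPF at the first hop (the connecting IP belongs to the sender's network) and failing at the forwarding relay (the connecting IP does not). The following is an added example, not code from the post or from any of the parties it mentions: a minimal SPF evaluator for `ip4`, `ip6` and `all` terms, run over a constructed SPF record and constructed hop IPs from the documentation ranges (203.0.113.0/24 and 198.51.100.0/24). A real checker would also resolve `a`, `mx`, `include` and `redirect` via DNS and enforce the lookup limit; those are deliberately out of scope here.

```python
import ipaddress

# Map SPF qualifier prefixes to the result a matching mechanism yields.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Parse a minimal SPF v1 record into (qualifier, mechanism, argument) triples.

    Only ip4, ip6 and all are supported; anything else raises so that an
    unsupported mechanism is never silently treated as a non-match.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "+" (pass)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name not in ("ip4", "ip6", "all"):
            raise ValueError(f"unsupported mechanism: {name}")
        parsed.append((qualifier, name, arg))
    return parsed


def check_host(client_ip, record):
    """Evaluate the SMTP client's IP against the sender domain's SPF record.

    Mechanisms are tested left to right; the first match decides the result.
    With no match and no 'all' term the result is neutral.
    """
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        net = ipaddress.ip_network(arg, strict=False)  # bare address => /32 or /128
        if ip.version == net.version and ip in net:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def evaluate_hops(hops, record):
    """Return [(hop_name, spf_result)] for each receiving MTA's view of the client IP."""
    return [(name, check_host(ip, record)) for name, ip in hops]


# Constructed SPF record for the return-path domain (assumption, not any real domain's record).
SENDER_SPF = "v=spf1 ip4:203.0.113.0/24 -all"

# Constructed hop list mirroring the thread's scenario: the first hop connects
# from the sender's own network, the forwarding relay connects from elsewhere
# while still using the original return path.
HOPS = [
    ("first hop (sender's own network)", "203.0.113.25"),
    ("forwarding relay to final destination", "198.51.100.7"),
]

if __name__ == "__main__":
    for hop_name, result in evaluate_hops(HOPS, SENDER_SPF):
        print(f"{hop_name}: {result}")
```

The second hop fails precisely because the forwarder reuses the original return path from its own address space, which is the behaviour the message describes as looking like an open relay. Publishing `~all` instead of `-all` turns that outcome into a softfail, which is the usual first step when a domain is unsure how much of its legitimate mail is being forwarded.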