On Fri, Feb 20, 2004 at 09:45:18AM -0500, Tomasz Konefal wrote:
i got a piece of email today which gave me a bit of a problem. it
may be entirely irrelevant since i don't know everything about the
various SMTP RFCs, but here's my concern. what if a spammer forges the
beginning portion of a mail route. for example, can a spammer send an
email to me and claim to be relaying it for some other entity (like ebay
for example) even though the mail didn't originate at ebay?
All the headers can be forged. The only header you can trust is a Received:
header added by a host that you trust, as long as all the Received: headers
above it are trusted too. This is because a host handling a mail always adds
its Received: header at the very top.
So to analyse the Received: headers, read them from the top down. When you get
Received: from x.x.x.x by mailhost.yourisp.com
then you can be pretty sure x.x.x.x was the source of that smtp connection.
Any subsequent headers are only as trustworthy as host x.x.x.x. If that host
appears to be the smarthost at a remote ISP (check reverse and forward dns
of x.x.x.x) then you can likely trust that, and use the next Received:
header as the previous source of the message. After that, it could all just
be forgery.
And no, SPF does not help. It does not validate *any* header. It only
validates the envelope sender (SMTP 'MAIL FROM'), which may be placed in a
Return-Path: header at the top of the mail when the final MTA delivers it
into a mailbox.
Regards,
Brian.
for a concrete example, check out the trimmed headers below. can the
host at charterwv.net create an email and fake a header (2) and then
pretend it's relaying for that domain (1)? my concern is that an SPF
lookup checks the sender's domain, but not the relay's. if so, is this
an issue that is addressed or can be addressed with SPF?
thanks,
twkonefal
--
Tomasz Konefal
Systems Administrator
Command Post and Transfer Corp.
416-585-9995 x.349
--snip--
From - Fri Feb 20 09:22:47 2004
X-UIDL: 29cd63a4641c02cff0462b2b3c505c1f
X-Apparently-To: twkonefal(_at_)XXXXXXX(_dot_)XX via 216.136.172.210; Fri, 20 Feb 2004 04:36:04 -0800
Return-Path: <service(_at_)ebay(_dot_)com>
(1) Received: from 68.187.223.20 (HELO ip-wv-68-187-223-020.charterwv.net) (68.187.223.20)
by mta139.mail.scd.yahoo.com with SMTP; Fri, 20 Feb 2004 04:35:53 -0800
(2) Received: from ebay.com (data.ebay.com [66.135.195.180])
by ip-wv-68-187-223-020.charterwv.net (Postfix) with ESMTP id 89EFC8DC45
for <twkonefal(_at_)XXXXXXX(_dot_)XX>; Fri, 20 Feb 2004 06:35:55 -0600
From: eBay Service <service(_at_)ebay(_dot_)com>
To: Twkonefal <twkonefal(_at_)XXXXXXX(_dot_)XX>
Subject: Ebay Account Update
Date: Fri, 20 Feb 2004 06:35:55 -0600
Message-ID: <101001c3f7ae$86f48d5d$8b8b4a75(_at_)ebay(_dot_)com>
--snip--
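Added example, not part of the thread: a small Python script that applies Brian's top-down rule to the trimmed headers Tomasz posted. It unfolds the headers, parses each Received: hop, and stops trusting the chain at the first hop that was not stamped by a host you control (here assumed to be mta139.mail.scd.yahoo.com); everything below that hop is reported as "claimed, unverified". The sample headers are reconstructed from the message above with the list's (_at_)/(_dot_) munging left in.

```python
import re

# Constructed sample: the two Received: headers labelled (1) and (2) in the
# thread, plus Return-Path (the only thing SPF can vouch for) and From.
SAMPLE = """Return-Path: <service(_at_)ebay(_dot_)com>
Received: from 68.187.223.20 (HELO ip-wv-68-187-223-020.charterwv.net) (68.187.223.20)
    by mta139.mail.scd.yahoo.com with SMTP; Fri, 20 Feb 2004 04:35:53 -0800
Received: from ebay.com (data.ebay.com [66.135.195.180])
    by ip-wv-68-187-223-020.charterwv.net (Postfix) with ESMTP id 89EFC8DC45
    for <twkonefal(_at_)XXXXXXX(_dot_)XX>; Fri, 20 Feb 2004 06:35:55 -0600
From: eBay Service <service(_at_)ebay(_dot_)com>
"""

HOP = re.compile(r"from\s+(?P<from>\S+)(?P<extra>.*?)\s+by\s+(?P<by>\S+)", re.S)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(raw):
    """Join RFC 2822 folded continuation lines; return [(name, value), ...]."""
    lines = []
    for line in raw.splitlines():
        if line.startswith((" ", "\t")) and lines:
            lines[-1] += " " + line.strip()
        elif line:
            lines.append(line)
    return [(n.strip(), v.strip()) for n, _, v in (l.partition(":") for l in lines)]


def parse_hops(headers):
    """One dict per Received: header, in header order (top = most recent hop)."""
    hops = []
    for name, value in headers:
        m = HOP.search(value) if name.lower() == "received" else None
        if not m:
            continue
        # Last IP literal before 'by' is the connecting address the MTA saw.
        ips = IPV4.findall(value[: m.end("extra")])
        hops.append({"from": m["from"], "by": m["by"], "ip": ips[-1] if ips else None})
    return hops


def trusted_source(headers, trusted_hosts):
    """Walk hops top-down while the stamping ('by') host is one we trust.

    Returns (last verified connecting IP, list of hops below the trust boundary
    that are only claimed by the untrusted relay and could be forged)."""
    hops = parse_hops(headers)
    verified_ip = None
    for i, hop in enumerate(hops):
        if hop["by"] not in trusted_hosts:
            return verified_ip, hops[i:]
        verified_ip = hop["ip"]
    return verified_ip, []


if __name__ == "__main__":
    ip, claimed = trusted_source(unfold(SAMPLE), {"mta139.mail.scd.yahoo.com"})
    print("verified source:", ip)                      # 68.187.223.20
    print("unverified hops:", [h["from"] for h in claimed])  # ['ebay.com']
```

With only the Yahoo MTA trusted, the script confirms 68.187.223.20 as the real connecting host and flags hop (2), the one claiming to come from data.ebay.com, as unverified; adding the charterwv.net host to the trusted set is exactly the judgement call Brian describes, and only then does 66.135.195.180 become the "source".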
-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/spf-draft-20040209.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/