spf-discuss

Possible SPF machine-domain loophole???

2004-02-23 12:14:53
Meng (or anyone else who wishes to comment),

Please correct me if I am wrong here, but I believe I found a loophole.

Having added support for both DMP and SPF, the key difference seems to be that
DMP checks both the return path and machine domains, while SPF only falls back
to the machine domain when the return path domain is NULL.

With DMP, the logic is to check the return path domain first for a
DENY=ALLOW/DENY result and fall back to the machine domain for possible spoofing.

With SPF,  if I read the specs right,  the logic is to check only the
machine domain iff (if and only if) the return path domain is a null
address.

Well, as I mentioned in a previous message, we are pretty much set on
disabling the DMP support.  However, since I am still analyzing the
overhead/DNS timing issues, I simply turned off the check DMP option and
voila, I now see a few local machine domain spoofing messages come through (or
transactions) that made it past the protocol level check.

For example:

In our testing suite, before SPF, the test method order was

    TestOrder        FLT,  DMP, RBL, CBV

FLT is an internal white/black list (not important), and DMP was set up just
to check domains in the local domain list file (local domains plus known
DMP-compliant domains).

With SPF added now, I turned off DMP and reordered the testing to check RBL
first, given that for the time being RBL is providing 70-80% of the
rejections:

    TestOrder        FLT,  RBL, SPF,  CBV

A spoof example:

        client ip :   1.2.3.4
        helo  mail.winserver.com
        mail from:  <foobar@bad-domain-or-none-softfail-neutral-host.com>

Assuming the IP passed the RBL test, the SPF test on the return path domain
returns a result that tells our system to continue testing.  However, now
that DMP is turned off, the client machine domain is no longer checked.

The CBV might or might not catch it; if not, the biggest benefit that
LMAP-based solutions provide, checking for local domain spoofing, is now lost
with SPF.

I went over the specs with a fine-tooth comb to see whether I missed
something here.

Did I misread something in the SPF specs in this regard, that SPF only checks
the client machine domain when the return path domain is NULL?

Yes, I fully understand we can implement logic and policy as we see fit, but
I just want to make sure whether this is something I missed in the specs or
something the specs should be clearer about, as it can be a loophole.

Remember, again, the biggest benefit the LMAP solutions provide is to check
for Local Domain spoofing.  SPF should not provide a loophole for this.

Your input would be greatly appreciated.
Thanks

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
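The two evaluation orders the post contrasts, as an added illustration that is not code from the post, from Santronics, or from any SPF or DMP implementation. The policy table, IP addresses and domain names are constructed for the example, `lookup()` stands in for the DNS query a real checker would make, and only pass/fail/none results are modelled (softfail and neutral are not). `check_spf_style()` follows the reading of the spec given in the post (HELO domain consulted only on a null return path); `check_dmp_style()` follows the post's description of DMP (return path first, then fall back to the machine domain).

```python
"""Toy model of the two checking orders discussed in the post.

Added example; not code from the post or any SPF/DMP implementation.
All policies, addresses and names below are constructed for illustration.
"""

from typing import Dict, Optional, Set, Tuple

# Constructed policy table: domain -> set of client IPs allowed to use it.
# A domain absent from the table has published no policy (result "none").
# "mail.winserver.com" plays the role of the local machine domain here.
POLICIES: Dict[str, Set[str]] = {
    "mail.winserver.com": {"5.6.7.8"},
    "winserver.com": {"5.6.7.8"},
}


def return_path_domain(mail_from: str) -> Optional[str]:
    """Domain of the MAIL FROM address, or None for the null sender (<>)."""
    addr = mail_from.strip().strip("<>").strip()
    if not addr or "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def lookup(domain: str, client_ip: str) -> str:
    """Stand-in for the DNS policy lookup: 'pass', 'fail' or 'none'."""
    allowed = POLICIES.get(domain.lower())
    if allowed is None:
        return "none"
    return "pass" if client_ip in allowed else "fail"


def check_spf_style(client_ip: str, helo: str, mail_from: str) -> Tuple[str, str]:
    """Order the post reads from the SPF spec: the HELO (machine) domain is
    consulted only when the return path is null; otherwise only the
    return-path domain is checked, whatever its result.

    Returns (result, domain_that_was_checked).
    """
    rp = return_path_domain(mail_from)
    if rp is None:
        return lookup(helo, client_ip), helo.lower()
    return lookup(rp, client_ip), rp


def check_dmp_style(client_ip: str, helo: str, mail_from: str) -> Tuple[str, str]:
    """Order the post attributes to DMP: return-path domain first; when that
    gives no verdict, fall back to the HELO (machine) domain.

    Returns (result, domain_that_was_checked).
    """
    rp = return_path_domain(mail_from)
    if rp is not None:
        result = lookup(rp, client_ip)
        if result != "none":
            return result, rp
    return lookup(helo, client_ip), helo.lower()


if __name__ == "__main__":
    # The spoof scenario from the post: a foreign client (1.2.3.4) announcing
    # the local HELO name, with a return path in a domain that publishes nothing.
    ip, helo, mf = "1.2.3.4", "mail.winserver.com", "<foobar@bad-domain.example>"
    print("SPF-style:", check_spf_style(ip, helo, mf))   # ('none', 'bad-domain.example')
    print("DMP-style:", check_dmp_style(ip, helo, mf))   # ('fail', 'mail.winserver.com')
    # Only a null sender makes the SPF-style order look at the HELO domain.
    print("SPF-style, null sender:", check_spf_style(ip, helo, "<>"))
```

Run as a script to see the difference: for the constructed spoof the SPF-style order returns "none" for the foreign return-path domain and never examines the local HELO name, while the DMP-style order falls through to the HELO name and returns "fail" because 1.2.3.4 is not an authorized sender for it.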