spf-discuss

Re: Possible SPF machine-domain loophole???

2004-02-25 19:19:23

----- Original Message ----- 
From: "Greg Connor" <gconnor(_at_)nekodojo(_dot_)org>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Wednesday, February 25, 2004 7:07 PM
Subject: Re: [spf-discuss] Possible SPF machine-domain loophole???


--Hector Santos <winserver(_dot_)support(_at_)winserver(_dot_)com> wrote:
In each case, SPF would bypass the spoofing of the winserver.com
domain.
That is not a badly configured server, but one that is maliciously
spoofing the helo domain by using our local domain, winserver.com


Hector- Thanks for the explanation.  I believe a number of other people on
this list have addressed your concerns more effectively than I could.  The
most I could really do is to repeat the statement already made multiple
times: checking HELO is not the design goal of SPF.

Straight from the SPF Draft:

2.2.1 Terms

   This section defines important terms.  They can be thought of as
   variables in an SPF client.  It is crucial that they be interpreted
   correctly.

   It is RECOMMENDED that the <responsible-sender> be drawn from the
   envelope using this algorithm:

     The <responsible-sender> comes from the domain name of the "MAIL
     FROM" envelope sender.  When the envelope sender has no domain, a
     client MUST use the HELO domain instead.  If the HELO argument does
     not provide an FQDN, SPF processing terminates with "unknown".

also...

8.3 Conformance with regard to sending e-mail systems

   To be considered SPF-conformant, an SMTP sending host MUST resolve a
   "pass" for all the SPF-conformant domains for which it sends mail.

   When an SMTP host sends a message delivery status notification
   message, it MAY use the null envelope sender:

     MAIL FROM: <>

   The sender host's HELO/EHLO command string MUST include the Fully
   Qualified Domain Name of the sender host, and an SPF record MUST
   exist for that FQDN for the host to be considered SPF-conformant.

   For example: in a transaction with

      HELO mx01.example.com
      MAIL FROM: <>

   an SMTP+SPF receiver will perform an SPF query of the form

      mx01.example.com TXT

   and expect a result such as

      "v=spf1 ptr:example.com -all"
   or
      "v=spf1 a -all"


You can't have it both ways.

Thanks for your input.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
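
The `<responsible-sender>` selection quoted from the draft in the message above, sketched in Python as an added example (not part of the original message and not code from the SPF project). The function names, the FQDN test and the sample transactions are assumptions constructed for illustration; the sketch shows which domain a receiver would query, and that HELO is consulted only when the envelope sender has no domain.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_fqdn(name):
    """Assumed FQDN test: two or more valid labels and a non-numeric
    last label, so IP literals and bare host names are rejected."""
    name = name.rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or len(name) > 253:
        return False
    if not all(_LABEL.fullmatch(label) for label in labels):
        return False
    return not labels[-1].isdigit()


def responsible_sender(helo, mail_from):
    """Return (domain, source); (None, "unknown") when processing stops."""
    addr = mail_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    # Envelope sender carries a domain: that domain is the one checked.
    if "@" in addr:
        domain = addr.rsplit("@", 1)[1]
        if domain:
            return domain.lower(), "mail-from"
    # Null sender or no domain part: fall back to the HELO argument.
    if is_fqdn(helo):
        return helo.rstrip(".").lower(), "helo"
    return None, "unknown"


if __name__ == "__main__":
    # Constructed sample transactions: (HELO argument, MAIL FROM argument).
    samples = [
        ("mx01.example.com", "<>"),                  # draft's own example
        ("winserver.com", "<user@other.example>"),   # HELO is not consulted
        ("localhost", "<>"),                         # HELO is not an FQDN
        ("[192.0.2.10]", "<>"),                      # address literal
    ]
    for helo, mail_from in samples:
        print(helo, mail_from, "->", responsible_sender(helo, mail_from))
```
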