spf-discuss

Re: Re: Possible SPF machine-domain loophole???

2004-02-26 10:34:51
----- Original Message ----- 
From: "Jim Ramsay" <i(_dot_)am(_at_)jimramsay(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, February 26, 2004 10:12 AM
Subject: [spf-discuss] Re: Possible SPF machine-domain loophole???

I do not read any of this saying "SPF checks to see if the connecting IP
address matches the "A" record returned by a lookup of the FQDN of the
HELO response".  It says "SPF uses the TXT record returned by the HELO
response instead of that from the domain name from the envelope sender
in the case of the return address "<>" which has no domain name".

Hi Jim.

Correct, I am not saying it does.  But instead the specs "lack" the
functional description or requirement for it to be done - hence the
loophole.

We used DMP before to stop this loophole. DMP is another LMAP proposal. It
addresses both issues.  SPF is better because it requires just 1 record per
domain.  DMP requires many records.

Since we implemented SPF,  I had disabled DMP thinking I didn't need it
anymore.

Yesterday (Feb 25),  we got 6 transactions which exploited the SPF loophole.
Here is a summary of the transaction logs:

**************************************************************************
SMTP log started at Wed, 25 Feb 2004  13:23:50
Client IP: 206.66.146.23 (unknown)
13:23:51 C: EHLO santronics.com
13:23:51 C: MAIL FROM: <reynoldcgin(_at_)altavista(_dot_)com>
13:23:51 C: RCPT TO: <andrea(_dot_)santos(_at_)santronics(_dot_)com>

**************************************************************************
SMTP log started at Wed, 25 Feb 2004  13:38:20
Client IP: 206.66.146.23 (unknown)
13:38:20 C: EHLO santronics.com
13:38:21 C: MAIL FROM: <fyrepup1(_at_)excite(_dot_)com>
13:38:21 C: RCPT TO: <andrea(_dot_)santos(_at_)santronics(_dot_)com>

**************************************************************************
SMTP log started at Wed, 25 Feb 2004  13:38:20
Client IP: 206.66.146.23 (unknown)
13:38:20 C: EHLO santronics.com
13:38:21 C: MAIL FROM: <root(_at_)remedyus(_dot_)reston(_dot_)tnsi(_dot_)com>
13:38:21 C: RCPT TO: <support(_at_)santronics(_dot_)com>

**************************************************************************
SMTP log started at Wed, 25 Feb 2004  13:56:42
Client IP: 206.66.146.23 (unknown)
13:56:43 C: EHLO santronics.com
13:56:45 C: MAIL FROM: <services_corporate_division(_at_)nai(_dot_)com>
13:56:45 C: RCPT TO: <support(_at_)santronics(_dot_)com>

**************************************************************************
SMTP log started at Wed, 25 Feb 2004  14:03:04
Client IP: 206.66.146.23 (unknown)
14:03:04 C: EHLO santronics.com
14:03:05 C: MAIL FROM: <edmund(_dot_)tham(_at_)2gotrade(_dot_)com>
14:03:05 C: RCPT TO: <andrea(_dot_)santos(_at_)santronics(_dot_)com>

**************************************************************************
SMTP log started at Wed, 25 Feb 2004  14:32:28
Client IP: 206.66.146.23 (unknown)
14:32:28 C: EHLO santronics.com
14:32:29 C: MAIL FROM: <gwesoloski(_at_)driehaus(_dot_)com>
14:32:29 C: RCPT TO: <support(_at_)santronics(_dot_)com>

All of these transactions were protected by DMP.   DMP specs say:

1) check for MAIL FROM domain DMP record, if none,
2) check for HELO/EHLO domain DMP record.

SPF only checks for HELO/EHLO if MAIL FROM: is NULL.

My suggestion for a "change in SPF lookup logic" is to return the #1 benefit
that all LMAP proposals provide - at a minimum check for Local Domain HELO
Spoofing and, optionally, as a system implementation option, check for remote
domain HELO spoofing.   You don't have control of remote configurations with
unknown domains and results.  But you do have full control of your own setup
and you definitely don't want others using your domain names in the
transaction.  That is an easy trap - which SPF has a loophole in checking
when the return path is not local and not null.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
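The "Local Domain HELO Spoofing" check Hector asks for, as an added example that is not code from the post, from DMP, or from any SPF implementation: it parses the SMTP log excerpt above and flags every transaction whose HELO/EHLO names one of our own domains while the connecting IP is not one of ours, regardless of whether MAIL FROM is null. The set of addresses authorized for santronics.com is an assumption (an RFC 5737 documentation range), since the real hosts are not on the page; the third, passing transaction in the sample log is constructed for contrast, and the obfuscated "(_at_)" addresses from the list archive are written out plainly.

```python
"""Detect HELO/EHLO spoofing of our own domain, independent of MAIL FROM.

Added example, not the post's or any SPF/DMP project's code.  It assumes a
constructed table of networks allowed to identify as our local domain(s).
"""
import ipaddress
import re
from typing import Dict, List

# Constructed assumption: networks whose hosts may legitimately say
# "EHLO santronics.com".  192.0.2.0/24 is an RFC 5737 documentation range;
# the post does not state the real authorized hosts.
LOCAL_DOMAIN_NETS: Dict[str, List[ipaddress.IPv4Network]] = {
    "santronics.com": [ipaddress.ip_network("192.0.2.0/28")],
}

# First two transactions are from the post's log excerpt (addresses
# de-obfuscated); the third, with a local client IP, is constructed so the
# check has a passing case to contrast against.
SAMPLE_LOG = """\
**************************************************************************
SMTP log started at Wed, 25 Feb 2004  13:23:50
Client IP: 206.66.146.23 (unknown)
13:23:51 C: EHLO santronics.com
13:23:51 C: MAIL FROM: <reynoldcgin@altavista.com>
13:23:51 C: RCPT TO: <andrea.santos@santronics.com>

**************************************************************************
SMTP log started at Wed, 25 Feb 2004  13:38:20
Client IP: 206.66.146.23 (unknown)
13:38:20 C: EHLO santronics.com
13:38:21 C: MAIL FROM: <root@remedyus.reston.tnsi.com>
13:38:21 C: RCPT TO: <support@santronics.com>

**************************************************************************
SMTP log started at Wed, 25 Feb 2004  15:00:00
Client IP: 192.0.2.10 (constructed-local-host)
15:00:00 C: EHLO santronics.com
15:00:01 C: MAIL FROM: <>
15:00:01 C: RCPT TO: <support@santronics.com>
"""

TXN_SEP = re.compile(r"^\*{10,}\s*$", re.M)
IP_RE = re.compile(r"^Client IP:\s*(\S+)", re.M)
HELO_RE = re.compile(r"C:\s*(?:EHLO|HELO)\s+(\S+)", re.M | re.I)
MAIL_RE = re.compile(r"C:\s*MAIL FROM:\s*<([^>]*)>", re.M | re.I)


def parse_transactions(log: str) -> List[dict]:
    """Split the log on the asterisk separator lines and pull out the
    connecting IP, the HELO/EHLO identity and the MAIL FROM address."""
    txns = []
    for chunk in TXN_SEP.split(log):
        ip, helo, mail = IP_RE.search(chunk), HELO_RE.search(chunk), MAIL_RE.search(chunk)
        if not (ip and helo and mail):
            continue  # incomplete fragment, e.g. text before the first separator
        txns.append({
            "ip": ip.group(1),
            "helo": helo.group(1).lower(),
            "mail_from": mail.group(1),  # "" for the null return path <>
        })
    return txns


def check_helo(ip: str, helo: str) -> str:
    """'pass' if the client is allowed to identify as one of our domains,
    'fail' if it claims our domain from a foreign address, 'none' if the
    HELO domain is not ours (remote-domain checking is out of scope here).

    Unlike the SPF behaviour the post describes (HELO consulted only when
    MAIL FROM is <>), this runs on every transaction."""
    nets = LOCAL_DOMAIN_NETS.get(helo.lower())
    if nets is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    return "pass" if any(addr in net for net in nets) else "fail"


def audit(log: str) -> List[dict]:
    """Annotate each parsed transaction with the local HELO check result."""
    results = []
    for txn in parse_transactions(log):
        txn["result"] = check_helo(txn["ip"], txn["helo"])
        results.append(txn)
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        print(f"{r['ip']:<16} EHLO {r['helo']:<18} "
              f"MAIL FROM <{r['mail_from']}> -> {r['result']}")
```

Run as a script it prints one line per transaction; the two 206.66.146.23 sessions come back `fail` even though their return paths are non-null and non-local, which is exactly the case the post says plain SPF never looks at. A `fail` here is a policy result for the HELO identity only; whether to reject at EHLO time or just log it is the "system implementation option" Hector leaves to the site.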