spf-discuss

Re: Re: Possible SPF machine-domain loophole???

2004-02-26 10:40:40
----- Original Message ----- 
From: "Jim Ramsay" <i(_dot_)am(_at_)jimramsay(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, February 26, 2004 4:13 PM
Subject: [spf-discuss] Re: Possible SPF machine-domain loophole???

Since the "main point" of SPF (in my opinion) is to prevent forgeries of
email addresses, maybe it SHOULD also address forgeries of the HELO
domain in the case where the envelope sender is <>. In the case of the
"<>" address, a forged HELO is very similar to a forged "regular"
envelope sender.

SPF is about matching an IP address against the SPF record of a "string".
Really. :) Whether you take that string from the envelope from, or use the
HELO string, it makes no difference. Since the IP address, let's call it A,
is always a constant in the equation, the "string" we try and match it to,
let's call it B, can be a variable -- a 'rogue' variable, even. Follow me on
a trail, here:

SPF says,

B, the "string", must have an SPF record which includes A, the IP address.

So,

If B, the "string", is bogus, that is: does not really belong to A, then the
faked "B" will not have an SPF record for A, the IP address.

Hence,

B may be invalid; and in being so, compromises nothing!

The domain name taken from the envelope from is also a "string", and
susceptible to the same forgery as the HELO string. In fact, SPF was
designed, *PRECISELY* because B, the "string", is so often faked. :)

In fact, the sum total of SPF's job description is exactly this: "Take from
either the envelope-from, or the HELO string, an in and by itself totally
untrustworthy variable, string B, match it against our constant A, the IP
address, and see if B lists A in its SPF record."

B's validity, that of the "string", naturally follows from its positive
relationship to A, the IP address; and, conversely, B's invalidity naturally
follows from its negative relationship to A. And since A, the IP address, is
always a constant, we conclude:

B, the "string", need not itself be verified.

I cannot explain it any clearer than this.

Cheers,

- Mark

        System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
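
The check argued for in this message, as an added example that is not part of the original post and not taken from any SPF implementation: string B comes from the envelope sender, or from HELO when the sender is <>, and is only ever judged by whether its record lists the connecting IP A. The `SPF_RECORDS` table, the function names and all domains and addresses are constructed assumptions, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; domains and IPs are documentation values.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "mail.example.org": "v=spf1 ip4:192.0.2.25 -all",
    "example.net": "v=spf1 ip4:198.51.100.7 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_identity(helo, mail_from):
    """Pick string B: the envelope-sender domain, or the HELO name when the sender is <>."""
    if mail_from in ("", "<>"):
        return helo.lower()
    return mail_from.strip("<>").rpartition("@")[2].lower()


def check_spf(ip, domain):
    """Evaluate A (client IP) against B's record (hypothetical helper, ip4/ip6/all only)."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # B publishes no record, so SPF can say nothing about it
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def evaluate(ip, helo, mail_from):
    """Return (B, result) for one SMTP transaction; B itself is never verified."""
    domain = spf_identity(helo, mail_from)
    return domain, check_spf(ip, domain)
```

A HELO name or sender domain that has no record at all returns `none` rather than `fail`, so the receiver's policy for unpublished domains still decides that case.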