----- Original Message -----
From: "Hector Santos" <winserver(_dot_)support(_at_)winserver(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, February 26, 2004 6:35 PM
Subject: Re: [spf-discuss] Re: Possible SPF machine-domain loophole???
Yesterday (Feb 25), we got 6 transactions which exploited the SPF
loophole. Here is a summary of the transaction logs:
Client IP: 206.66.146.23 (unknown)
13:23:51 C: EHLO santronics.com
13:23:51 C: MAIL FROM: <reynoldcgin(_at_)altavista(_dot_)com>
13:23:51 C: RCPT TO: <andrea(_dot_)santos(_at_)santronics(_dot_)com>
Again, bull. Your configuration is broken. Or you do not know how to
interpret the results of an SPF lookup. The above query clearly produces a
"fail" (see below). I ask that you please cease and desist this nonsense.
Sincerely,
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
| altavista.com new: ipv4=206.66.146.23,
sender(_at_)¿=?ÒTÕF?ôööF? vΩ̡R, helo=santronics.com
| reynoldcgin altavista.com localpart is reynoldcgin
| reynoldcgin altavista.com DirectiveSet->new(): doing TXT query on
altavista.com
| reynoldcgin altavista.com myquery: doing TXT query on
altavista.com
| reynoldcgin altavista.com DirectiveSet->new(): TXT query on
altavista.com returned error=, last_dns_error=NOERROR
| reynoldcgin altavista.com DirectiveSet->new(): SPF policy:
+exists:CL.%{i}.FR.%{s}.HE.%{h}.null.spf.altavista.com -all
| reynoldcgin altavista.com lookup: TXT
+exists:CL.%{i}.FR.%{s}.HE.%{h}.null.spf.altavista.com -all
| reynoldcgin altavista.com lookup: TXT prefix=+, lhs=exists,
rhs=CL.%{i}.FR.%{s}.HE.%{h}.null.spf.altavista.com
| reynoldcgin altavista.com lookup: TXT prefix=-, lhs=all, rhs=
| reynoldcgin altavista.com lookup: mec
mechanisms=+exists(CL.%{i}.FR.%{s}.HE.%{h}.null.spf.altavista.com) -all()
| reynoldcgin altavista.com evaluate_mechanism:
+exists(CL.%{i}.FR.%{s}.HE.%{h}.null.spf.altavista.com) for
domain=altavista.com
| reynoldcgin altavista.com macro_substitute_item: i: field=i,
num=, reverse=, delim=., newval=206.66.146.23
| reynoldcgin altavista.com macro_substitute_item: s: field=s,
num=, reverse=, delim=., newval(_at_)¿=?ÒTÕF?ôööF? vΩ̡R
| reynoldcgin altavista.com macro_substitute_item: h: field=h,
num=, reverse=, delim=., newval=santronics.com
| reynoldcgin altavista.com macro_substitute:
CL.%{i}.FR.%{s}.HE.%{h}.null.spf.altavista.com ->
CL(_dot_)206(_dot_)66(_dot_)146(_dot_)23(_dot_)FR(_dot_)reynoldcgin(_at_)altavista(_dot_)com(_dot_)HE(_dot_)santronics(_dot_)com(_dot_)null(_dot_)spf(_dot_)alt
avista.com
| reynoldcgin altavista.com mechanism exists: looking up
CL(_dot_)206(_dot_)66(_dot_)146(_dot_)23(_dot_)FR(_dot_)reynoldcgin(_at_)altavista(_dot_)com(_dot_)HE(_dot_)santronics(_dot_)com(_dot_)null(_dot_)spf(_dot_)alt
avista.com
| reynoldcgin altavista.com myquery: doing A query on
CL(_dot_)206(_dot_)66(_dot_)146(_dot_)23(_dot_)FR(_dot_)reynoldcgin(_at_)altavista(_dot_)com(_dot_)HE(_dot_)santronics(_dot_)com(_dot_)null(_dot_)spf(_dot_)alt
avista.com
| reynoldcgin altavista.com myquery:
CL(_dot_)206(_dot_)66(_dot_)146(_dot_)23(_dot_)FR(_dot_)reynoldcgin(_at_)altavista(_dot_)com(_dot_)HE(_dot_)santronics(_dot_)com(_dot_)null(_dot_)spf(_dot_)alt
avista.com A failed: NXDOMAIN.
| reynoldcgin altavista.com evaluate_mechanism:
+exists(CL.%{i}.FR.%{s}.HE.%{h}.null.spf.altavista.com) returned
| reynoldcgin altavista.com evaluate_mechanism: -all() for
domain=altavista.com
| reynoldcgin altavista.com evaluate_mechanism: -all() returned hit
default
| reynoldcgin altavista.com saving result fail to cache point and
returning.
| reynoldcgin altavista.com macro_substitute_item: S: field=S,
num=, reverse=, delim=., newval=reynoldcgin%40altavista.com
| reynoldcgin altavista.com macro_substitute_item: I: field=I,
num=, reverse=, delim=., newval=206.66.146.23
| reynoldcgin altavista.com macro_substitute_item: xR: field=xR,
num=, reverse=, delim=., newval=asarian-host.net
| reynoldcgin altavista.com macro_substitute: Please see
http://spf.pobox.com/why.html?sender=%{S}&ip=%{I}&receiver=%{xR} -> Please
see
http://spf.pobox.com/why.html?sender=reynoldcgin%40altavista.com&ip=206.66.146.23&receiver=asarian-host.net
Final: "fail".