spf-discuss

Re: Possible SPF machine-domain loophole???

2004-02-26 18:59:08

----- Original Message ----- 
From: "Kelson Vibber" <kelson(_at_)speed(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, February 26, 2004 8:31 PM
Subject: Re: [spf-discuss] Possible SPF machine-domain loophole???


At 04:45 PM 2/26/2004, Hector Santos wrote:
Again, if you go by the specs, you have a loophole which means that every
SMTP author has to take extra provision to address this specific issue
that is not part of the specs.

It depends on what you mean by "loophole."  To my mind, and I suspect to
many people here, a loophole in SPF would be something that would enable a
spammer to cause a failed SPF check to pass instead.

A loophole is one that allows a "check" or "logic" to be bypassed where the
"intention" was such that the exact situation was not to be allowed in the first
place.

SPF validates a MACHINE as a sender machine.  It uses a DOMAIN to associate
the machine with the DOMAIN.   That domain comes from either the return path (MAIL
FROM) or the client machine domain (HELO/EHLO).

A forged HELO string will no more punch through an SPF check than will a
forged Received header.  Nor will it cause bounces to go to the forged
domain's real server.  It's much less effective at fooling an end user than
simply forging the From line.

The whole purpose of the "new era" of antispam technology is to address the
problem at the protocol level.  No one said that it can't be solved or isn't
solvable using current methods - programmatically or by eyeballing it.

But the purpose of SPF was to stop or protect this very fundamental spoofing
process that occurs all the time.  All LMAP based solutions address it.
DMP addressed it.  SPF, which is written as a "superset" of DMP, breaks this
basic feature of LMAP:

From LMAP document:

2 Problem Statement and Scope

   LMAP addresses the problem of forgeries in the argument field of SMTP
   EHLO/HELO, and SMTP MAIL FROM.  It does not use or examine any other
   argument of any other field of the SMTP protocol.  Specifically, no
   information in the body (DATA portion) of an SMTP message is used in
   any part of LMAP.  Examination, validation, or verification of the
   body "From:" is explicitly not part of this proposal, and this
   proposal should not be represented as using body "From:".

2.1 What is meant by "forgery"?

   In the context of LMAP, "forgery" is defined as:

        Forgery: Use of a domain name in the argument field of SMTP
        EHLO/HELO, and/or SMTP MAIL FROM, by an SMTP client, without the
        knowledge or consent of that domain.

   Any consensual use of a domain name is therefore defined to not be
   forgery.

Can it be any clearer?

I can see that checking the HELO string against SPF data might provide some
*extra* benefit, but I would disagree that skipping such a check would
allow forged mail to bypass SPF.

I have provided many real examples where it does.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
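The disagreement above is about whether a receiver must evaluate the HELO/EHLO identity in addition to MAIL FROM. The following is an added example, not code from either poster and not any real SPF library: a minimal evaluator covering only the ip4, include and all mechanisms, run over a constructed record table (the domains and addresses are documentation-range placeholders, not real data). It shows that a session whose MAIL FROM domain authorizes the client but whose HELO names a domain that does not is only caught when both identities are checked.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (domain -> SPF record); not real records.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 -all",
    "victim.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Evaluate a subset of SPF (ip4, include, all) for one identity domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:  # guard against include loops
        return "permerror"
    record = records.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            # Version mismatch (IPv6 client vs ip4 network) simply does not match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            if evaluate_spf(arg, client_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism outside this toy subset
    return "neutral"  # record ended without a matching mechanism


def check_identities(client_ip, helo_domain, mail_from, records=SPF_RECORDS):
    """Check both identities LMAP names: the HELO/EHLO domain and the MAIL FROM domain.

    For a null reverse path (MAIL FROM:<>) the HELO domain is used for both.
    """
    helo_domain = helo_domain.lower()
    if mail_from and "@" in mail_from:
        from_domain = mail_from.rsplit("@", 1)[-1].lower()
    else:
        from_domain = helo_domain
    return {
        "helo": evaluate_spf(helo_domain, client_ip, records),
        "mailfrom": evaluate_spf(from_domain, client_ip, records),
    }


def should_reject(results):
    """Policy: reject when either identity fails.

    Dropping the 'helo' key from the decision is exactly the gap argued about above.
    """
    return "fail" in results.values()


if __name__ == "__main__":
    # Constructed session: client authorized for example.com, but HELO claims victim.example.
    r = check_identities("192.0.2.5", "victim.example", "user@example.com")
    print(r, "reject" if should_reject(r) else "accept")
```

Checking only `r["mailfrom"]` accepts the session; including `r["helo"]` rejects it, which is the behaviour the LMAP forgery definition asks for.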