----- Original Message -----
From: "Mark" <admin(_at_)asarian-host(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, February 26, 2004 8:55 PM
Subject: Re: [spf-discuss] Re: Possible SPF machine-domain loophole???
----- Original Message -----
From: "Hector Santos" <winserver(_dot_)support(_at_)winserver(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, February 26, 2004 6:35 PM
Subject: Re: [spf-discuss] Re: Possible SPF machine-domain loophole???
Yesterday (Feb 25), we got 6 transactions which exploited the SPF
loophole. Here is a summary of the transaction logs:
Client IP: 206.66.146.23 (unknown)
13:23:51 C: EHLO santronics.com
13:23:51 C: MAIL FROM: <reynoldcgin(_at_)altavista(_dot_)com>
13:23:51 C: RCPT TO: <andrea(_dot_)santos(_at_)santronics(_dot_)com>
Again, bull. Your configuration is broken. Or you do not know how to
interpret the results of an SPF lookup. The above query clearly produces a
"fail" (see below). I ask that you please cease and desist this nonsense.
Sorry, Mark. The only nonsense I see is your denial of an SPF loophole. It
is obvious you can't see the problem. If you can't see that, then maybe you
should step back and analyze it better. In fact, via direct email, Meng
has acknowledged the "issue" and is currently deciding on how to best
address it.
More specifically, to your nit-picking, the fact is that all 6 transactions
were rejected.
The point was that unless a system is SPF compliant, the current SPF lookup
rule, algorithm, logic, procedure, "specification" is designed to BY-PASS
the helo domain checking required by LMAP proposals. This same is true if
the system is indeed SPF compliant but has a neutral or softfail result. The
latter is not as big an issue because it is "presumed" these systems
will eventually go to fail mode.
But again, the LOGIC will bypass any helo spoof checking which is extremely
important at a minimum for LOCAL DOMAIN spoofing.
Mind you, sure, you can always add or augment additional logic, like we had
to do. Why? Because we also support the LMAP-based DMP proposal, which does
allow for HELO domain validation. We turned it (DMP) off when we finally
added SPF, and it was quite obvious almost immediately how this SPF loophole
allowed for logic that was originally part of the LMAP implementation.
Again, if you can't see that, then please step back until you do.
--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
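As an added illustration of the point argued in this thread (example code written for this page, not from either poster or from any SPF implementation), here is a minimal evaluator that runs the same SPF lookup against the HELO identity as well as the MAIL FROM identity. The domain names, addresses and TXT records are constructed placeholders; only the ip4 and all mechanisms are modelled.

```python
import ipaddress

# Constructed sample zone: "example.net" plays the role of the receiving
# site's own domain; the sender's domain publishes nothing, as most did then.
SPF_TXT = {
    "example.net": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip, zone=SPF_TXT):
    """Evaluate the ip4 and all mechanisms of an SPF record for one identity."""
    record = zone.get(domain.lower())
    if record is None:
        return "none"                      # no policy published at all
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue                       # other mechanisms not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # no mechanism matched

def mail_from_only(client_ip, helo, mail_from):
    """The lookup as the thread describes it: the HELO name is never consulted."""
    return spf_check(mail_from.split("@", 1)[1], client_ip)

def helo_then_mail_from(client_ip, helo, mail_from):
    """Check the HELO identity first; a HELO fail ends the transaction."""
    if spf_check(helo, client_ip) == "fail":
        return "fail"
    return mail_from_only(client_ip, helo, mail_from)

if __name__ == "__main__":
    # An outside host greeting with the local domain name; sender domain unknown.
    args = ("203.0.113.5", "example.net", "someone@sender.example")
    print(mail_from_only(*args), helo_then_mail_from(*args))   # none fail
```

With the MAIL FROM domain publishing no record, the MAIL FROM-only lookup returns "none" and the forged local HELO is never examined; evaluating the HELO identity against the local record turns the same session into a "fail".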