spf-discuss

Re: Possible SPF machine-domain loophole???

2004-02-29 05:07:52

----- Original Message ----- 
From: "Mark" <admin(_at_)asarian-host(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Wednesday, February 25, 2004 6:55 AM
Subject: Re: [spf-discuss] Possible SPF machine-domain loophole???


> > In each case, SPF would bypass the spoofing of the winserver.com domain.
> > That is not a badly configured server, but one that is maliciously
> > spoofing the HELO domain by using our local domain, winserver.com.
>
> To say that SPF has a loophole here, because it does not check the validity
> of the HELO string, is silly, really: the HELO string is simply irrelevant
> in all your examples.

What is silly is seeing you having a hard time seeing the problem.

> Should AOL switch to 'fail', then I'm sure "202-178-165-242.cm.apol.com.tw"
> [202.178.165.242] will not be a designated mailer. :)

And what if it wasn't an SPF compliant return path domain?

Will you stop all other further checks?


That's a loophole, and if SPF does not address it, it forces the MTA software
to perform this check, which defeats the purpose of SPF.

> If SPF were a "fake HELO check" tool, then it would, indeed, be derelict in
> its duty. However, SPF does something else: it authorizes an IP address to
> send mail on behalf of a domain. Sometimes that requires checking the HELO
> string; and sometimes it does not. In both cases, however, as in your above
> examples, SPF performs flawlessly.


No, it does not. Unless your system has additional LOGIC outside of SPF,
you are susceptible to continued spoofing due to the SPF bypass.

Also, you seem to have very little technical understanding of the
fundamental process and of the SPF, DMP or basic LMAP specifications.

All LMAP proposals make the fundamental association of an IP with the
domain. In the case of SPF, it emphasizes the return path domain (RPD):

            SPF =   IP :: RPD

In order for this to be TRUE, the machine at IP must be an SPF Compliant
Sender regardless of what RPD is used.

In other words, before the SPF question can be asked:

        "Can IP send mail on behalf of domain RPD?"

the more fundamental question needs to be resolved:

        "Can IP send mail? Period!"

because if the IP can not send mail at all, then obviously, it can not send
mail for RPD or anyone else.

Therefore, for the IP machine to be compliant, the HELO/EHLO must be valid
and not spoofed. In fact, LMAP as well as SPF *requires* all SPF compliant
senders to use a FQDN for the HELO/EHLO.

So for SPF to work, by associating the IP with the RPD, the HELO must also
be COMPLIANT as well.

You can't have it both ways.

The only time this is NOT true is when you have "spoofers" or someone in
violation of the specs.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
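The scenario argued over in the thread, as an added example that is not part of the original post or of any SPF implementation: a toy SPF-style evaluator run against a constructed, in-memory "DNS" (the domains winserver.com and aol.com are taken from the discussion, but the address blocks, the nospf.example domain and the session data are assumptions using documentation address ranges). It evaluates both the HELO identity and the return-path identity for one SMTP session and shows why a policy that consults only the return-path domain (the "IP :: RPD" association) accepts a session whose HELO falsely claims winserver.com from an unrelated address when the return path uses a domain that publishes no SPF record, while a policy that also requires a valid, non-failing HELO rejects it.

```python
import ipaddress
import re

# Constructed in-memory "DNS" for this example (assumed records, not real ones).
# A domain missing from SPF_RECORDS publishes no SPF record at all.
SPF_RECORDS = {
    "winserver.com": "v=spf1 a ip4:192.0.2.0/24 -all",
    "aol.com": "v=spf1 ip4:198.51.100.0/24 ~all",
}
A_RECORDS = {
    "winserver.com": ["192.0.2.25"],
}

_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_fqdn(helo):
    """True if the HELO/EHLO argument looks like a fully qualified domain name:
    at least two valid labels, a non-numeric top label, and not an address
    literal such as [203.0.113.7]."""
    if not helo or helo.startswith("["):
        return False
    labels = helo.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(_LABEL.match(label) for label in labels)


def _ip_in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def check_host(ip, domain, depth=0):
    """Evaluate <domain>'s SPF record for sending host <ip>.
    Supports the qualifiers + - ~ ? and the ip4, a, include and all mechanisms;
    returns pass / fail / softfail / neutral / none."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None or depth > 10:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = _ip_in(ip, arg)
        elif name == "a":
            matched = ip in A_RECORDS.get((arg or domain).lower(), [])
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            continue  # unknown mechanism: ignored by this toy evaluator
        if matched:
            return results[qualifier]
    return "neutral"  # record exhausted without an explicit "all"


def evaluate_session(ip, helo, mail_from_domain):
    """Run both identity checks for one SMTP session and give the verdict under
    a return-path-only policy and under a policy that also checks HELO."""
    helo_result = check_host(ip, helo) if is_fqdn(helo) else "invalid-helo"
    mfrom_result = check_host(ip, mail_from_domain)
    rpd_only = "reject" if mfrom_result == "fail" else "accept"
    helo_bad = helo_result in ("fail", "invalid-helo")
    with_helo = "reject" if helo_bad or mfrom_result == "fail" else "accept"
    return {"helo": helo_result, "mail_from": mfrom_result,
            "rpd_only_policy": rpd_only, "helo_and_rpd_policy": with_helo}


if __name__ == "__main__":
    # Constructed sessions. The second is the spoof described in the post: HELO
    # claims winserver.com from an unrelated address, and the return path uses a
    # domain that publishes no SPF record, so the RPD check alone yields "none".
    for ip, helo, mfrom in [
        ("192.0.2.25", "winserver.com", "winserver.com"),
        ("203.0.113.7", "winserver.com", "nospf.example"),
        ("203.0.113.7", "[203.0.113.7]", "nospf.example"),
    ]:
        print(ip, helo, mfrom, evaluate_session(ip, helo, mfrom))
```

The evaluator stops at the first matching mechanism, as SPF does, so the order of terms in a record matters; the HELO check only adds protection when the forged HELO domain actually publishes a record ending in "-all", which is the case the post is concerned with.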