spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Re: Possible SPF machine-domain loophole???

2004-02-29 05:59:53
from [Hector Santos] [Permanent Link] 

----- Original Message ----- 
From: "Mark" <admin(_at_)asarian-host(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Sunday, February 29, 2004 7:20 AM
Subject: Re: [spf-discuss] Re: Possible SPF machine-domain loophole???




There is no loophole.


There is a loophole.  I proved it many times.


What remains, however, is your failure to grasp how SPF checks against the

HELO string;

How am I failing to "grasp" this?   Can you show how this real world spoof
is protected by SPF?

Client IP: 206.66.146.23
EHLO santronics.com
MAIL FROM: <root(_at_)remedyus(_dot_)reston(_dot_)tnsi(_dot_)com>



It is obvious you can't see the problem.


I cannot see what is not there.


So either you are in denial or don't understand the technical issues behind
it all.   It seems like you are more out to personalized this than to
attempt to get the SPF spec corrected before it is too late.  Me?  I am
trying to get it corrected before SPAMMERS exploit it in mass and defeat the
purpose of SPF.


In fact, via direct email, Meng has acknowledged the "issue" and
is currently deciding on how to best address it.


I'm sure Meng acknowledged that no domain validity checks are done against
the HELO string. I very seriously, and openly, doubt, though, that you got

a

private response from Meng in which he sees this as an SPF loophole.


I don't care what you or anyone else wish to call it.  The fact is, it is a
loophole whether you agree or not.  In fact,  Meng publically declared he
never understood why DMP did it in the first place or why it was deemed
necessary.  This might explain why it fell thru the cracks.   I think I and
others have convinced Meng there is a problem or concern enough to add a new
directive (scope=) and even then I said that isn't necessary.   What needs
to change is the lookup logic for "Local Domain" spoofing.  Follow the
threads to see my suggestion.

        if RPD is LOCAL do normal logic
        if RPD is not local and CDN is local,  check CDN first

thats it, that FIXES the problem and we get the extra SPF benefit over DMP
which required 2 lookups always.  You only need to do it with SPF for local
domain spoofs.   Once everyone has in the widely deployed network, you will
never need to check for remote helo spoofing anyway.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Signed Envelope Sender: SRS on steroids, list+spf-discuss
Next by Date:  Design choice vs loophole, Alex van den Bogaerdt
Previous by Thread:  Re: Re: Possible SPF machine-domain loophole???, Mark
Next by Thread:  Design choice vs loophole, Alex van den Bogaerdt
Indexes:  [Date] [Thread] [Top] [All Lists]