spf-discuss

Re: Source IP spoofing--why unlikely?

2004-03-20 10:09:04
On Sat, 20 Mar 2004, George Herson wrote:

      "Spammers may spoof entire TCP sequences to get
      their mail out.

      Knowledgeable people consider this unlikely. If you
      think this is a concern, you are invited to
      demonstrate an attack."

from http://spf.pobox.com/faq.html to
http://spf.pobox.com/objections.html and expand on why
knowledgeable people consider this attack unlikely. I,
for example, am curious.

Almost all routers at the ISP level and up now have some form of
protection against IP spoofing.  For instance, reverse path filtering
will only accept a source IP from an interface to which that IP could
be routed as a destination.  For more complex situations, e.g. redundant
routes, you can always list which IP ranges are allowed from each
interface.

These measures are the IP equivalent of SPF - and have made IP spoofing
an activity that requires compromising all routers along the path to
the victim.  (Although when attacking a specific target, there is a
good chance some moron working for victim.com has plugged a wireless
AP into the corporate net, and the attack can be carried on with
ease from a laptop in a car.)

So here is a possible attack - which I hereby christen "warspamming":
The spammer purchases a number of small battery powered computers with
wireless.  He loads up his van with these, and cruises the city
looking for wireless APs with internet connection and port 25 unblocked
(with or without WEP - cracking WEP is trivial).

When he finds one, he spoofs a MAC and IP on the wireless net if necessary,
configures one of the spam boxes and drops it off in an inconspicuous
location.  It will use the victim's internet connection to pump out spam until
the battery dies.  Come by later to pick it up and recharge the battery
for another run.

-- 
                        Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
      Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
      "Very few of our customers are going to have a pure Unix
      or pure Windows environment." - Dennis Oldroyd, Microsoft Corporation
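The reverse path filtering check described in the reply above, as an added example that is not part of the original post or of any SPF or router code: a small Python simulation of unicast RPF that accepts a source address on an interface only if the route back to that source leaves through the same interface, with a per-interface allow-list for the redundant-route case the post mentions. It goes slightly beyond the post by also showing "loose" mode and why a default route makes loose mode nearly useless. The routing table, interface names and addresses are constructed for illustration.

```python
"""Unicast reverse path filtering (uRPF) as a stand-alone simulation.

Added example, not code from the spf-discuss post. The routing table,
interface names and sample packets are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Constructed routing table: (prefix, outgoing interface). A real router
# would consult its forwarding table; here it is a fixed list.
ROUTES = [
    (ip_network("0.0.0.0/0"), "uplink0"),       # default route to the Internet
    (ip_network("192.0.2.0/24"), "cust0"),      # customer A
    (ip_network("198.51.100.0/24"), "cust1"),   # customer B
    (ip_network("203.0.113.0/24"), "cust1"),    # customer B, second block
    (ip_network("203.0.113.0/24"), "cust2"),    # same block also reachable via cust2 (redundant path)
]

# Constructed per-interface allow-list for the redundant-route case: when the
# reverse lookup is ambiguous, an explicit list of ranges decides instead.
INTERFACE_ALLOW = {
    "cust2": [ip_network("203.0.113.0/25")],
}


def lookup_interfaces(src, allow_default=True):
    """Return the set of interfaces used by the longest-matching routes to src.

    The default route (/0) is skipped when allow_default is False, which is
    how routers usually run loose-mode uRPF so that unrouted sources fail.
    """
    addr = ip_address(src)
    best_len = -1
    ifaces = set()
    for net, iface in ROUTES:
        if net.prefixlen == 0 and not allow_default:
            continue
        if addr in net:
            if net.prefixlen > best_len:
                best_len = net.prefixlen
                ifaces = {iface}
            elif net.prefixlen == best_len:
                ifaces.add(iface)
    return ifaces


def rpf_accept(src, in_iface, mode="strict", allow_default=True):
    """Decide whether a packet with source src arriving on in_iface passes uRPF.

    strict: the reverse route to src must go out via in_iface.
    loose:  any route to src suffices (only blocks unroutable sources).
    If in_iface has an explicit allow-list, that list decides instead.
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    addr = ip_address(src)
    if in_iface in INTERFACE_ALLOW:
        return any(addr in net for net in INTERFACE_ALLOW[in_iface])
    ifaces = lookup_interfaces(src, allow_default)
    if mode == "loose":
        return bool(ifaces)
    return in_iface in ifaces


def audit(packets, mode="strict", allow_default=True):
    """Run the check over (src, in_iface) pairs and return (src, iface, verdict)."""
    return [(src, iface, "accept" if rpf_accept(src, iface, mode, allow_default) else "drop")
            for src, iface in packets]


if __name__ == "__main__":
    # Constructed sample packets: a genuine customer source, a customer
    # address spoofed from another customer port, and an Internet address
    # spoofed from a customer port.
    SAMPLE = [
        ("192.0.2.10", "cust0"),
        ("192.0.2.10", "cust1"),
        ("8.8.8.8", "cust0"),
        ("8.8.8.8", "uplink0"),
    ]
    for src, iface, verdict in audit(SAMPLE):
        print(f"{src:>15} on {iface:<8} -> {verdict}")
```

Strict mode is what the post describes: a customer port only passes sources the router would route back to that port, so a spoofed address is dropped at the first hop. The allow-list shows the fallback for redundant routes, where the reverse lookup returns more than one interface and the operator lists the permitted ranges explicitly. The loose mode and `allow_default` parameter illustrate the common caveat that with a default route installed, loose uRPF accepts any routable source and only rejects bogons when the default route is excluded from the lookup.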