On Fri, 2004-04-16 at 15:13, wayne wrote:
> Sorry about being kind of vague on this issue, but, well, I don't
> think it would be a good idea to say "hey folks, send several emails
> claiming to be from foo@bar.invalid will take down any site that
> checks for SPF." This is especially true when at least one of the
> issues was raised something like 6 months ago and, to the best of my
> knowledge, only libspf-alt isn't vulnerable.
I agree, these issues need to be considered critical and resolved as
such for successful adoption of SPF to take place.
> Basically, what implementers need to do is look through their code and
> try to prove that the execution time, memory requirements and I/O
> requests are always bounded. Then, look through their code and see if
> a cracker can use the SPF checks to amplify a DoS attack. Oh, and
> look through their code and prove that memory overwrites can not
> occur, that there are no uninitialized variables, that no information
> from previous checks can leak into current checks, etc.
I recall Meng had mentioned before (and also listed in his timeline) a
phase when major MTAs would become 'certified' SPF compliant. Meng,
you want to elaborate a bit on what exactly this certification will
entail? Perhaps some of our list's more competent developers grouped
together in a review board could certify implementations as well? This
could help reduce security and implementation issues like this as well
as verifying compliance to the spec. The implementation test suite
would fit in very well to this role.
--
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.
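The point wayne makes above, that an SPF checker must be able to show its execution time and I/O are bounded no matter what record an attacker publishes, is easiest to see in code. The following is an added illustration written for this thread, not code from libspf-alt or any other SPF implementation, and it goes a little beyond the quoted text by also exercising an include loop and a fan-out record. It assumes a hypothetical per-check budget of 10 DNS lookups (the figure RFC 4408 later adopted), a constructed in-memory TXT table in place of real DNS, and only the `ip4`, `include` and `all` terms; the `Checker` class and `check_host` function are names chosen for the example.

```python
import ipaddress

# Per-check I/O budget (assumed for this example; RFC 4408 later fixed it at 10).
MAX_DNS_LOOKUPS = 10

# Constructed TXT records standing in for live DNS, so the example runs offline.
FAKE_DNS_TXT = {
    "good.example":   "v=spf1 ip4:192.0.2.0/24 include:relay.example -all",
    "relay.example":  "v=spf1 ip4:198.51.100.0/24 -all",
    # Two records that include each other: an unbounded checker recurses forever.
    "loop-a.example": "v=spf1 include:loop-b.example -all",
    "loop-b.example": "v=spf1 include:loop-a.example -all",
    # One record that fans out into many lookups: one inbound message would cost
    # an unbounded checker fifty DNS queries, which is the amplification risk.
    "fanout.example": "v=spf1 " + " ".join("include:relay.example" for _ in range(50)) + " -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """The record is malformed, missing, or exceeded the resource budget."""


class Checker:
    """Evaluates one SPF check with a hard cap on DNS lookups and recursion."""

    def __init__(self, txt_table, max_lookups=MAX_DNS_LOOKUPS):
        self.txt = txt_table
        self.max_lookups = max_lookups
        self.lookups = 0  # every TXT fetch is counted against the budget

    def _fetch_txt(self, domain):
        # The budget is tested before the lookup, so lookups never exceeds max_lookups.
        if self.lookups >= self.max_lookups:
            raise PermError("DNS lookup budget exhausted")
        self.lookups += 1
        record = self.txt.get(domain)
        if record is None or not record.startswith("v=spf1"):
            raise PermError(f"no SPF record for {domain}")
        return record

    def check(self, ip, domain, _stack=()):
        # A domain already on the include stack means a loop; stop immediately
        # instead of burning the whole budget on it.
        if domain in _stack:
            raise PermError(f"include loop at {domain}")
        record = self._fetch_txt(domain)
        addr = ipaddress.ip_address(ip)
        for term in record.split()[1:]:
            qualifier = "+"
            if term[0] in "+-~?":
                qualifier, term = term[0], term[1:]
            if term == "all":
                return QUALIFIER_RESULT[qualifier]
            if term.startswith("ip4:"):
                # Version mismatch (IPv6 sender, ip4 term) simply does not match.
                if addr in ipaddress.ip_network(term[4:], strict=False):
                    return QUALIFIER_RESULT[qualifier]
            elif term.startswith("include:"):
                # include matches only when the nested check passes; a nested
                # PermError propagates and turns the whole check into permerror.
                if self.check(ip, term[8:], _stack + (domain,)) == "pass":
                    return QUALIFIER_RESULT[qualifier]
            else:
                raise PermError(f"unsupported term {term!r}")
        return "neutral"


def check_host(ip, domain, txt_table=FAKE_DNS_TXT, max_lookups=MAX_DNS_LOOKUPS):
    """Return (result, dns_lookups_used). Never raises and never exceeds the budget."""
    checker = Checker(txt_table, max_lookups)
    try:
        return checker.check(ip, domain), checker.lookups
    except PermError:
        return "permerror", checker.lookups


if __name__ == "__main__":
    for ip, domain in [("192.0.2.5", "good.example"), ("203.0.113.1", "good.example"),
                       ("203.0.113.1", "loop-a.example"), ("203.0.113.1", "fanout.example")]:
        print(domain, ip, "->", check_host(ip, domain))
```

The second element of the returned tuple is the property wayne asks implementers to prove: for any record, however it was crafted, the number of DNS requests issued is at most `max_lookups`, and the loop and fan-out records both end in `permerror` rather than in unbounded recursion or a flood of queries to the resolver.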