spf-discuss

Re: A hole in planned phishing-prevention?

2004-06-03 14:15:25
On Thu, 2004-06-03 at 15:54, Ryan Malayter wrote:
Unless I'm missing something, a message with these properties:

   ENVELOPE-SENDER: someguy@phisher.com  (no RFROM)

   RFC-2822 From: Operations@FirstNationalBank.com
   RFC-2822 Sender: someguy@phisher.com

will pass under the new SPF, assuming phisher.com has valid SPF records.
The responsible sender will be evaluated as phisher.com. The message
will display in many MUAs as something like:

   From: someguy@phisher.com on behalf of Operations@FirstNationalBank.com

My mother could be fooled by this, thinking phisher.com was somehow
associated with her bank.

Especially if 'someguy@phisher.com' looks legitimately associated with the
emulated entity, something like:

     From: dtrammell@FNB-CustomerService.com on behalf of Operations@FirstNationalBank.com

-- 
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.

-------
Sender Policy Framework: http://spf.pobox.com/

The Inbox Event at the Marriott San Jose features SPF.
   June 2: Email Accountability Symposium (free)
   June 3: SPF Strategy BOF (free) where industry will coordinate deployment timeline
   Times: 6:30pm - 8pm, both sessions.  http://www.inboxevent.com/

Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-discuss@v2.listbox.com

Attachment: signature.asc
Description: This is a digitally signed message part
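The scenario discussed in this thread, worked through as an added example (not code from the list, the SPF project, or either poster): a toy checker that picks the "responsible sender" the way the message describes (the RFC 2822 Sender header when present, otherwise From), evaluates a simplified SPF record for that domain, and separately reports what a check of the From domain would have said. The SPF records, IP ranges and the message itself are constructed for the example; the evaluator only understands ip4: and all, which is enough to show the hole: the Sender domain passes while the bank's domain, which is what the user sees, is never consulted.

```python
from email import message_from_string
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed stand-ins for DNS TXT lookups (hypothetical domains and ranges).
SPF_RECORDS = {
    "phisher.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "firstnationalbank.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def responsible_sender(msg):
    """Identity the thread says the new scheme evaluates:
    the Sender header if present, otherwise From."""
    for header in ("Sender", "From"):
        value = msg.get(header)
        if value:
            return parseaddr(value)[1].lower()
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[1] if addr and "@" in addr else None


def spf_check(domain, client_ip):
    """Toy SPF evaluator: supports only ip4: and all terms (assumption).
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue  # mechanism not modelled in this toy evaluator
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def evaluate(raw_message, client_ip):
    """Evaluate SPF on the responsible sender, and also on the From domain
    so the two results can be compared."""
    msg = message_from_string(raw_message)
    sender = responsible_sender(msg)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    display = from_addr if sender == from_addr else f"{sender} on behalf of {from_addr}"
    return {
        "responsible_sender": sender,
        "responsible_result": spf_check(domain_of(sender), client_ip),
        "from_result": spf_check(domain_of(from_addr), client_ip),
        "display": display,  # roughly what the MUA shows the user
    }


# Constructed message matching the headers described in the thread.
PHISH = """From: Operations@FirstNationalBank.com
Sender: someguy@phisher.com
Subject: Please verify your account

Click here to confirm your details.
"""

if __name__ == "__main__":
    # Connecting IP is inside phisher.com's published range (constructed).
    result = evaluate(PHISH, "203.0.113.5")
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run as a script it prints that the responsible sender someguy@phisher.com passes, the From domain firstnationalbank.com fails, and the display line reads "someguy@phisher.com on behalf of operations@firstnationalbank.com". A check that also consulted the From domain (or that refused to display a From the responsible sender is not authorized for) would have caught the message; evaluating only the Sender domain does not.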