In <MHEGIFHMACFNNIMMBACAKEJCIAAA(_dot_)sethg(_at_)GoodmanAssociates(_dot_)com>
"Seth Goodman" <sethg(_at_)GoodmanAssociates(_dot_)com> writes:
From: wayne
Sent: Wednesday, June 09, 2004 7:54 PM
In <40C30C10(_dot_)8080805(_at_)whipple(_dot_)org> Weldon Whipple
<weldon(_at_)whipple(_dot_)org> writes:
Meng Weng Wong wrote:
mengwong._spf.pobox.com TXT "v=spf1 a:dumbo.pobox.com -all"
user1._spf.pobox.com TXT "v=spf1 include:earthlink.net ?all"
user2._spf.pobox.com TXT "v=spf1 include:verizon.net ?all"
If a domain implements the above, is there any way to prevent a spammer from
reading that domain's SPF record and realizing, "I can send mail as
user1.pobox.com from any trojaned host in Earthlink, as long as I make the
mail go through Earthlink's smarthosts, and it will give an SPF neutral
result, which will help it get delivered"? I don't know if I'm framing the
question right, but is there any way to prevent zone transfers of just the
TXT records of a domain to prevent this kind of attack?
I'll answer your second question first: Most domain owners that I know
of don't allow zone transfers to anyone but trusted servers. However,
even if a zone transfer is blocked, that doesn't stop someone from
doing a dictionary attack.
So, yes, the above records leave a hole for spammers to use
user1(_at_)pobox(_dot_)com. How large the hole is depends on how well
Earthlink controls their customers and smarthosts. You could close the hole up
some by using a specialized DNS server and the exist: mechanism that
does the checking, but this costs more and still doesn't completely
prevent dictionary attacks.
This is a trade-off of convenience vs. security. Part of the trade-off
is the question "how much is it worth to someone to be able to spoof
user1(_at_)pobox(_dot_)com compared with just going and spoofing some email
address that doesn't have an SPF record?" For most people, spoofing
random pobox.com email addresses is close to worthless. In cases
where it is useful, those email addresses shouldn't do things like
include:earthlink.net.
-wayne
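To make the "hole" concrete, here is a small SPF evaluator run over the three pobox.com records quoted in the thread. This is an added example, not code from wayne, Meng or anyone on the list: the earthlink.net and verizon.net policies, the address of dumbo.pobox.com and the client IPs are constructed (TEST-NET ranges) so the whole thing runs offline. It shows the point wayne is making: under "include:earthlink.net ?all", a host that Earthlink's own policy authorizes gets "pass" for user1, and any other host on the Internet gets "neutral" rather than "fail", whereas mengwong's "-all" record fails everything except dumbo.pobox.com.

```python
"""Toy SPF (v=spf1) evaluator over a constructed in-memory DNS table.

Handles the mechanisms the quoted records use (a, include, all) plus ip4,
following the usual semantics: include: matches only when the included
policy returns "pass"; if no mechanism matches and there is no "all",
the result is "neutral".
"""
import ipaddress

# Constructed DNS data.  The three *._spf.pobox.com TXT records are the
# ones quoted in the thread; everything else here is an assumption made up
# for the example (real earthlink.net/verizon.net policies are not this).
DNS = {
    "TXT": {
        "mengwong._spf.pobox.com": "v=spf1 a:dumbo.pobox.com -all",
        "user1._spf.pobox.com": "v=spf1 include:earthlink.net ?all",
        "user2._spf.pobox.com": "v=spf1 include:verizon.net ?all",
        "earthlink.net": "v=spf1 ip4:192.0.2.0/24 -all",      # assumed
        "verizon.net": "v=spf1 ip4:203.0.113.0/26 -all",      # assumed
    },
    "A": {
        "dumbo.pobox.com": ["198.51.100.10"],                  # assumed
    },
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(rrtype, name):
    """Offline stand-in for a DNS query against the table above."""
    return DNS.get(rrtype, {}).get(name)


def check_host(ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for <ip> sending as <domain>."""
    if depth > 10:
        return "permerror"          # guard against include: loops
    record = lookup("TXT", domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"               # no SPF policy published
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"             # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = client in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            addrs = lookup("A", arg or domain) or []
            matched = any(ipaddress.ip_address(a) == client for a in addrs)
        elif name == "include":
            # include: only matches on "pass"; fail/softfail/neutral from the
            # included policy just fall through to the next term (here "?all").
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"      # mx, ptr, exists, redirect=... not modelled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                # nothing matched and no explicit "all"


def demo():
    """Evaluate a few constructed senders against the quoted records."""
    cases = [
        ("198.51.100.10", "mengwong._spf.pobox.com"),  # dumbo itself
        ("192.0.2.7", "mengwong._spf.pobox.com"),      # an Earthlink host
        ("192.0.2.7", "user1._spf.pobox.com"),         # same host, as user1
        ("203.0.113.200", "user1._spf.pobox.com"),     # random host, as user1
    ]
    return {(ip, dom): check_host(ip, dom) for ip, dom in cases}


if __name__ == "__main__":
    for (ip, dom), result in demo().items():
        print(f"{ip:>15}  {dom:<26}  {result}")
```

Note the asymmetry in the last two rows: the "-all" record turns every unauthorized host into a hard fail, while the "?all" record never produces anything worse than neutral, which is exactly why it is only worth publishing for addresses nobody would bother to spoof.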