spf-discuss

RE: Question on how things work

2004-06-10 08:03:54
From: wayne
Sent: Wednesday, June 09, 2004 9:01 PM


In <MHEGIFHMACFNNIMMBACAKEJCIAAA(_dot_)sethg(_at_)GoodmanAssociates(_dot_)com>
"Seth Goodman" <sethg(_at_)GoodmanAssociates(_dot_)com> writes:

From: wayne
Sent: Wednesday, June 09, 2004 7:54 PM


In <40C30C10(_dot_)8080805(_at_)whipple(_dot_)org> Weldon Whipple
<weldon(_at_)whipple(_dot_)org> writes:

Meng Weng Wong wrote:

    mengwong._spf.pobox.com TXT "v=spf1 a:dumbo.pobox.com -all"
    user1._spf.pobox.com    TXT "v=spf1 include:earthlink.net ?all"
    user2._spf.pobox.com    TXT "v=spf1 include:verizon.net ?all"

If a domain implements the above, is there any way to prevent a
spammer from reading that domain's SPF record and realizing, "I can
send mail as user1.pobox.com from any trojaned host in Earthlink, as
long as I make the mail go through Earthlink's smarthosts, and it will
give an SPF neutral result, which will help it get delivered"?  I don't
know if I'm framing the question right, but is there any way to prevent
zone transfers of just the TXT records of a domain to prevent this kind
of attack?

I'll answer your second question first: Most domain owners that I know
of don't allow zone transfers to anyone but trusted servers.  However,
even if a zone transfer is blocked, that doesn't stop someone from
doing a dictionary attack.

Thanks for the answer.  It appears that in this case, a dictionary attack
would be particularly hard.  Not only does the attacker have to guess the
user name, but they have to guess what the designated foreign domains are
for the user.  While I suppose that you could just start with a list of the
largest ISPs and you would have a statistically good chance of guessing the
foreign domain right in a few guesses, it greatly multiplies the number of
dictionary attempts someone would have to make, and thus makes it likely that
they will be detected and cut off before they succeed.  However, if they do
figure out, by guessing, that a given user name at a domain designates a
given large ISP that has lots of trojaned hosts, they've got it made.



So, yes, the above records leave a hole for spammers to use
user1(_at_)pobox(_dot_)com(_dot_)  How large the hole is depends on how well
Earthlink controls their customers and smarthosts.  You could close the hole
up some by using a specialized DNS server and the exists: mechanism that
does the checking, but this costs more and still doesn't completely
prevent dictionary attacks.


This is a trade-off of convenience vs security.  Part of the trade-off
is the question "how much is it worth to someone to be able to spoof
user1(_at_)pobox(_dot_)com compared with just going and spoofing some email
address that doesn't have an SPF record?"  For most people, spoofing
random pobox.com email addresses is close to worthless.  In cases
where it is useful, those email addresses shouldn't do things like
include:earthlink.net.

That's probably the best recommendation.  If you won't provide your users
with SMTP AUTH (why do so many ISPs and hosting services still resist
this?), it's probably a poor idea to designate any of the large ISPs as
senders for your domain.  I suppose knowing where a domain is physically
located, one could look up the major providers in that geographic region and
still proceed with an attack, but this is getting pretty paranoid.  If we
actually get to that point, this would indicate that we have pushed the
spammers pretty far and I would consider that a success.

--

Seth Goodman
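The hole discussed in this thread follows directly from how the include: mechanism evaluates: an include matches, and the enclosing record returns pass, whenever the included domain's record would pass for the connecting IP. The following is an added illustration, not code from the thread or from pobox.com: a deliberately minimal SPF evaluator (a, ip4, include and all only) run over the three per-user records quoted above plus constructed earthlink.net, verizon.net and dumbo.pobox.com data using RFC 5737 documentation addresses, so the ranges are assumptions rather than the providers' real records.

```python
import ipaddress

# Constructed DNS data (not real records). The three pobox.com entries are the
# ones quoted in the thread; the ISP records and the A record are assumptions
# standing in for each provider's outbound mail range.
DNS_TXT = {
    "mengwong._spf.pobox.com": "v=spf1 a:dumbo.pobox.com -all",
    "user1._spf.pobox.com": "v=spf1 include:earthlink.net ?all",
    "user2._spf.pobox.com": "v=spf1 include:verizon.net ?all",
    "earthlink.net": "v=spf1 ip4:192.0.2.0/24 -all",    # assumed ISP range
    "verizon.net": "v=spf1 ip4:198.51.100.0/24 -all",   # assumed ISP range
}
DNS_A = {"dumbo.pobox.com": "203.0.113.7"}              # assumed A record

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain):
    """Simplified SPF check_host(): evaluate DNS_TXT[domain] for sender IP."""
    record = DNS_TXT.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qual = "+"                           # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = DNS_A.get(arg or domain) == ip
        elif mech == "include":
            # An include matches only when the included record returns pass;
            # any other result falls through to the next term (here "?all").
            matched = check_host(ip, arg) == "pass"
        else:
            return "permerror"               # mechanism not modelled here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                         # no mechanism matched


if __name__ == "__main__":
    for sender in ("192.0.2.55", "198.51.100.9", "203.0.113.7", "10.0.0.1"):
        for user in ("mengwong", "user1", "user2"):
            print(sender, user, check_host(sender, f"{user}._spf.pobox.com"))
```

Running it shows that every address inside the included ISP range gets pass for user1, while the same address gets neutral for user2 and fail for mengwong, which is the trade-off the thread is weighing.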

