spf-discuss

Re: Are there proposed checks on bounces and delivery notifications?

2004-07-11 02:45:38
Hi Andrew,

Here is what would happen, using your own example, when SPF is
switched on, if the trojan tried a direct connection:-

EHLO Fast_Speed_DSL

MAIL FROM: Troyaned_user@Fast_Speed_DSL_Provider RET=HDRS
ENVID=Enlarge_Your_Call_Us_At_8_800_123456789

550 5.5.0 Scram-spammer
(connection lost)


If the Trojan used the MTA of the victim, it may as well send the spam
directly - it's inside the "defences" of the victim's network, so
there's nothing stopping it sending spam that way (i.e. no point making
bounces from the same MTA it could have used to send real emails from
anyhow).  I can only speak for my MTA (sendmail) on the only test I
did (to fake Yahoo recipients) but it "bounces" back to the (verified
by SPF) sender, not to anything in the email headers, and not to any
of the ORCPT addresses.  As far as I know, this is the required
behavior according to the RFCs (DSNs go to the envelope sender), so
only broken MTAs might indulge your attack idea?

In other words - (assuming the ISP doesn't verify the actual sender's
email address), they could only "bounce" stuff back to "victims" on
the same ISP as themselves (whereas they could still spam anyone using
the same MTA - so I can't see the point?)

Kind Regards,
Chris Drake

Sunday, July 11, 2004, 9:09:47 AM, you wrote:

AGT> I've found there was a long discussion about bounces.

AGT> Why is there still nothing in unified specs about delivery notifications
AGT> and read receipts?

AGT> It's trivial to send short messages with spam text in the subject, like:

AGT> Connect from "Fast_Speed_DSL" to a server which supports delivery
AGT> notification/bounces
AGT> -----------
AGT> EHLO Fast_Speed_DSL

AGT> MAIL FROM: Troyaned_user@Fast_Speed_DSL_Provider RET=HDRS
AGT> ENVID=Enlarge_Your_Call_Us_At_8_800_123456789

AGT> RCPT TO: <somebody@Delivery_Notification_Server> NOTIFY=SUCCESS,FAILURE
AGT> ORCPT=rfc822;our_real_target@domain.tld

AGT> RCPT TO: <onemore@Delivery_Notification_Server> NOTIFY=SUCCESS,FAILURE
AGT> ORCPT=rfc822;our_real_target@domain.tld

AGT> RCPT TO: <evenmore@Delivery_Notification_Server> NOTIFY=SUCCESS,FAILURE
AGT> ORCPT=rfc822;our_real_target@domain.tld

AGT> DATA

AGT> From: <Troyaned_user@Fast_Speed_DSL>
AGT> Delivery-Notification-To: <our_real_target@domain.tld>
AGT> Disposition-Notification-To: <our_real_target@domain.tld>
AGT> Errors-To: <our_real_target@domain.tld>
AGT> Reply-To: <our_real_target@domain.tld>
AGT> Sender: Troyaned_user@Fast_Speed_DSL_Provider
AGT> Subject: Enlarge it. Read more on
AGT> http://cheap.domain.we.buy.using.stolen.creditcard.com

AGT> <empty message>
AGT> .
AGT> QUIT
AGT> -----------

AGT> All delivery notifications will come from a random pool of mail servers and
AGT> with <> email origin and will pass SPF validation.
AGT> You will be able to block Troyaned_user's IP after a while - but everybody in
AGT> the world will continue to receive delivery notifications, errors or
AGT> replies.
AGT> It's like a DRDoS.

AGT> IMHO, SPF must not limit validation to Mail From but check also all email
AGT> addresses listed as owned by the email sender.
AGT> Can you add an answer to my question in the FAQ or describe it in the specs?

AGT> --
AGT> Andriy G. Tereshchenko
AGT> TAG Software
AGT> Odessa, Ukraine
AGT> http://www.24.odessa.ua

AGT> -------
AGT> Sender Policy Framework: http://spf.pobox.com/
AGT> Archives at http://archives.listbox.com/spf-discuss/current/
AGT> Send us money!  http://spf.pobox.com/donations.html
AGT> To unsubscribe, change your address, or temporarily deactivate your
AGT> subscription, please go to
AGT> http://v2.listbox.com/member/?listname=spf-discuss@v2.listbox.com
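As an added illustration of the two points Chris makes above (an SPF-aware MTA rejects at MAIL FROM before any recipient is accepted, and an RFC 3461 MTA sends its DSNs to the envelope sender rather than to ORCPT or to any header address), here is a small constructed Python model. It is not sendmail's code, not the SPF reference implementation, and not anything posted in this thread; the SPF_AUTHORIZED table, the domain names (dsl-provider.example, notify.example, target.example) and the IP addresses are all made up for the demonstration. It replays the quoted session twice: once as a direct connection from the infected host, once relayed through the provider's own MTA.

```python
"""Toy model of the two defences in the thread: an SPF check at MAIL FROM, and
RFC 3461 DSN routing, under which a failure notification goes only to the
reverse-path (MAIL FROM), never to ORCPT or to any header address.
Constructed example; not sendmail's code and not a real SPF library."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for SPF records: domain -> IPs allowed to send for it.
SPF_AUTHORIZED = {"dsl-provider.example": {"198.51.100.10"}}  # provider's MTA

@dataclass
class Session:
    client_ip: str
    mail_from: Optional[str] = None   # None = no MAIL FROM yet, "" = <>
    recipients: list = field(default_factory=list)

def spf_check(client_ip, mail_from):
    """Return 'pass', 'fail' or 'none' for the reverse-path (ip4-only toy)."""
    if mail_from == "":
        return "none"   # null reverse-path; real SPF would check the HELO name
    allowed = SPF_AUTHORIZED.get(mail_from.rpartition("@")[2].lower())
    if allowed is None:
        return "none"   # domain publishes no record
    return "pass" if client_ip in allowed else "fail"

_PATH = re.compile(r"<([^>]*)>|(\S+)")

def parse_path_and_params(arg):
    """Split '<a@b.example> RET=HDRS ENVID=x' into ('a@b.example', {...});
    the bare 'addr' form used in the quoted session is accepted too."""
    arg = arg.strip()
    m = _PATH.match(arg)
    addr = m.group(1) if m.group(1) is not None else m.group(2)
    params = {}
    for tok in arg[m.end():].split():
        key, _, value = tok.partition("=")
        params[key.upper()] = value
    return addr, params

def handle_command(sess, line):
    """Process one MAIL FROM / RCPT TO line and return the server reply."""
    verb, _, arg = line.partition(":")
    verb = verb.strip().upper()
    if verb == "MAIL FROM":
        addr, _params = parse_path_and_params(arg)
        if spf_check(sess.client_ip, addr) == "fail":
            # Rejected before any recipient exists, so no DSN can be generated.
            return "550 5.7.1 %s may not send mail for %s" % (sess.client_ip, addr)
        sess.mail_from = addr
        return "250 2.1.0 Sender ok"
    if verb == "RCPT TO":
        addr, params = parse_path_and_params(arg)
        sess.recipients.append({"address": addr, **params})
        return "250 2.1.5 Recipient ok"
    return "500 5.5.1 Command unrecognized"

def run_session(client_ip, commands):
    """Feed command lines to the toy server, stopping at the first 5xx reply."""
    sess, replies = Session(client_ip=client_ip), []
    for line in commands:
        replies.append(handle_command(sess, line))
        if replies[-1].startswith("5"):
            break
    return sess, replies

def dsn_recipients(sess, failed_addresses):
    """Failure DSNs an RFC 3461 MTA would emit for the failed recipients.
    Each goes to the reverse-path; ORCPT is only copied into the DSN body as
    Original-Recipient.  A null reverse-path (<>) yields no DSN at all."""
    if not sess.mail_from:
        return []
    dsns = []
    for rcpt in sess.recipients:
        if rcpt["address"] not in failed_addresses:
            continue
        notify = set(rcpt.get("NOTIFY", "FAILURE").upper().split(","))
        if "NEVER" in notify or "FAILURE" not in notify:
            continue
        dsns.append({"dsn_to": sess.mail_from,
                     "final_recipient": "rfc822;" + rcpt["address"],
                     "original_recipient": rcpt.get("ORCPT")})
    return dsns

# Constructed replay of the quoted session, using documentation domain names.
TROJAN_COMMANDS = [
    "MAIL FROM:<troyaned_user@dsl-provider.example> RET=HDRS ENVID=Enlarge_It",
    "RCPT TO:<somebody@notify.example> NOTIFY=SUCCESS,FAILURE "
    "ORCPT=rfc822;our_real_target@target.example",
    "RCPT TO:<onemore@notify.example> NOTIFY=SUCCESS,FAILURE "
    "ORCPT=rfc822;our_real_target@target.example",
]

def direct_connection():
    """Trojan host (203.0.113.7) talks straight to the notification server."""
    sess, replies = run_session("203.0.113.7", TROJAN_COMMANDS)
    return replies, dsn_recipients(sess, {r["address"] for r in sess.recipients})

def via_provider_mta():
    """Same message relayed through the provider's own MTA, so SPF passes."""
    sess, replies = run_session("198.51.100.10", TROJAN_COMMANDS)
    return replies, dsn_recipients(sess, {r["address"] for r in sess.recipients})
```

Running direct_connection() gives a single 550 reply and an empty DSN list: the session never gets past MAIL FROM. Running via_provider_mta() accepts the sender and both recipients, and every DSN produced is addressed to troyaned_user@dsl-provider.example; the ORCPT value survives only as the Original-Recipient field inside the DSN body, which is why a compliant MTA cannot be used to bounce spam at the third party named in ORCPT or in the headers.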