spf-discuss

Re: Re[4]: Is there is proposed checks on bounces and delivery notification ?

2004-07-12 06:32:00
[Chris Drake] wrote:
I already tested your "bounce/notification/ORCPT" idea, both with real
and bogus recipients, and SPF properly protects everything in every
case.  No 3rd parties get any bounces, nor receipts of any kind.

I also sent a long explanation of this already, which you either
didn't read, or seem to have ignored.


I sent these repro steps to Chris 11 hours ago.
Since there was no follow-up, I think the community will benefit.
I've modified the original message to him only slightly.

---
Can you do the following:

Consider that the attacker.com domain has an SPF record "v=spf1 +all" or any other
record marking the zombie IP address as valid.
The owner of this domain also has control over a bunch of zombie computers.

Also we have a server that sends message delivery notifications, named
xxxxxx.ua
(real name hidden in this mailing-list message, but given to Chris to
perform any checks).

Can you connect to relay.xxxxxx.ua on the smtp port and emulate a zombie connection?

Do "telnet relay.xxxxxx.ua smtp"
And type everything line by line:

--
EHLO Fast_Speed_DSL
MAIL FROM: <Troyaned_user(_at_)attacker(_dot_)com>
RCPT TO: <tag(_at_)xxxxxx(_dot_)ua>
DATA
From: <Troyaned_user(_at_)attacker(_dot_)com>
Delivery-Notification-To: <christopher(_at_)pobox(_dot_)com>
Disposition-Notification-To: <christopher(_at_)pobox(_dot_)com>
Message-ID: Enlarge_Your_Call_Us_At_8_800_123456789
Sender: Troyaned_user(_at_)attacker(_dot_)com
Subject: Enlarge it. Read more on
http://cheap.domain.we.buy.using.stolen.creditcard.com

<empty message>
.
QUIT
--

The SMTP server will validate whether the IP used by the zombie is valid for
Troyaned_user(_at_)attacker(_dot_)com and will issue an "SPF: pass" result.
But no checks are performed on the christopher(_at_)pobox(_dot_)com email address.

After the message is delivered, christopher(_at_)pobox(_dot_)com will receive
something like this immediately.
(I've checked this on a real server, in addition to the theoretical knowledge
I have.)

-------
From: Mailer-Daemon(_at_)xxxxxx(_dot_)ua
Reply-to: <christopher(_at_)pobox(_dot_)com>
Subject: Confirm: 'Enlarge it. Read more on
http://cheap.domain.we.buy.using.stolen.creditcard.com' received
To: <christopher(_at_)pobox(_dot_)com>
X-MDaemon-Deliver-To: <christopher(_at_)pobox(_dot_)com>
X-Actual-From: Mailer-Daemon(_at_)xxxxxx(_dot_)ua

A message which requested delivery confirmation recently arrived
at this server.

Message-Id: <Enlarge_Your_Call_Us_At_8_800_123456789>
To: tag(_at_)xxxxxx(_dot_)ua
From: <christopher(_at_)pobox(_dot_)com>
Subject: Enlarge it. Read more on
http://cheap.domain.we.buy.using.stolen.creditcard.com
Time-Stamp: Mon, 12 Jul 2004 04:23:43 +0300
-------

There is no information about the IP and email address of the attacker.com
zombie message in the reflected message.

And some time after this, a read receipt can arrive to Chris if
tag(_at_)xxxxxx(_dot_)ua decides to click "Yes" when opening the message.

So?

AGT> My original question was - Does SPF prevent bounce/notification/ORCPT address
AGT> spoofing?

Does SPF prevent the email address christopher(_at_)pobox(_dot_)com from appearing in
the Delivery-Notification-To header if xxxxxx.ua performs SPF checks?
Or do you propose to disable all delivery notifications and bounces?
What's wrong with the xxxxxx.ua server in your opinion?
Do you want to leave spammers such an easy way to hide?

Are you aware that not only Delivery-Notification-To will make mail servers
generate automatic messages?
If a spammer contacts the secondary MX first, but the user does not exist on the
primary MX,
or the mailbox quota is reached, or the primary MX never comes back online, or a few
other reasons.
Any of the above will result in bounces with the spammer's short text
delivered to the innocent christopher(_at_)pobox(_dot_)com email address.


P.S. If somebody feels uncomfortable that I've started too many threads and
asked a lot of questions, let me know and I will unsubscribe.

Sorry,
--
Andriy G. Tereshchenko
TAG Software
Odessa, Ukraine
http://www.24.odessa.ua
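Added example (not code from this thread, nor from any MTA): a check a receiving server could apply before honouring the Delivery-Notification-To / Disposition-Notification-To headers shown above. Because SPF only authenticates the envelope MAIL FROM, the notification is emitted only when SPF passed and the requested notification address lies in that same authenticated domain; addresses in the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Headers that ask the receiving server to send an automatic message back.
NOTIFY_HEADERS = ("Delivery-Notification-To", "Disposition-Notification-To")


def _domain(addr):
    """Lower-cased domain part of an address like '<user@example.com>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def notification_target(envelope_from, spf_result, raw_message):
    """Return the address a DSN/MDN may be sent to, or None to suppress it.

    SPF only authenticates the envelope MAIL FROM, so the *-Notification-To
    headers are accepted only when SPF passed and every such header points
    into the domain SPF actually vouched for. Anything else is treated as an
    unverified request and dropped instead of being reflected to a third party.
    """
    if spf_result.lower() != "pass":
        return None
    msg = message_from_string(raw_message)
    targets = [msg[h] for h in NOTIFY_HEADERS if msg[h]]
    if not targets:
        return None  # nothing requested, nothing to send
    env_domain = _domain(envelope_from)
    if any(_domain(t) != env_domain for t in targets):
        return None  # cross-domain request: the zombie / attacker.com case
    return parseaddr(targets[0])[1]


# Constructed sample mirroring the session in the thread (addresses invented).
SPOOFED = """\
From: <Troyaned_user@attacker.com>
Delivery-Notification-To: <bystander@example.org>
Disposition-Notification-To: <bystander@example.org>
Subject: constructed sample

"""

# Constructed legitimate request: the sender asks for the DSN in its own domain.
LEGIT = """\
From: <alice@example.com>
Delivery-Notification-To: <alice-dsn@example.com>
Subject: constructed sample

"""

if __name__ == "__main__":
    print(notification_target("Troyaned_user@attacker.com", "pass", SPOOFED))  # None
    print(notification_target("alice@example.com", "pass", LEGIT))  # alice-dsn@example.com
```

The same principle applies to the bounce cases listed above: rejecting unknown recipients and over-quota mailboxes during the SMTP session, rather than accepting and bouncing later, leaves nothing to reflect to a spoofed address.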

