spf-discuss

Re: *****SPAM***** Re: SPF is not usable as legal measure against spammers.

2004-07-15 14:23:06

----- Original Message ----- 
From: "Jonathan Gardner" <jonagard(_at_)amazon(_dot_)com>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Thursday, July 15, 2004 2:09 PM
Subject: *****SPAM***** [spf-discuss] Re: SPF is not usable as legal measure against spammers.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 14 July 2004 10:48 am, Nico Kadel-Garcia wrote:

> > From: "Jonathan Gardner" <jonagard(_at_)amazon(_dot_)com>
> >
> > How is it possible to lie? Only the domain owners are allowed to publish
> > DNS records for their domain. The domain owners assert via SPF that mail
> > going through specific servers is their mail. I must be missing the
> > part where someone else can publish SPF records for you, and claim mail
> > servers you don't trust are allowed to send email for you. I don't see
> > how that is possible.
>
> You lie about your hostname, your IP address, your reverse PTR records,
> or take advantage of a less restrictive domain allowed to post as the
> domain in question. Or you interfere with the published DNS of the site
> in question, since DNS is not overall designed for robust authentication
> of other people's zone information.


I'm intrigued by this. Maybe you should tell us exactly how you are able to
lie about these things.

Ahh. Oh, boy, this would take a full tutorial in how BGP works to discuss
the IP blackhole and forgery possibilities, and in the security issues of
DNS implementations to discuss the full ramifications of forging that.

But for example: let's say I target "aol.com" to allow me to send spam in
their name. I buy an address for which I get to publish the PTR, say
10.11.12.13. I set up a PTR record that calls this address
"spamsucker.mx.aol.com".

Voila, I am now able to slip past AOL's SPF records by having a PTR that
points to an mx.aol.com hostname. AOL will get cranky about it if they
notice me doing it, and ARIN will get upset about me creating a PTR to a
domain that I don't own, but there is nothing that demands that PTRs match
*ANY* of the A records for an IP address.

If there are vulnerabilities in the internet that allow you to claim an IP
address that isn't yours, modify reverse PTR records that aren't yours, or
publish DNS records for domains that aren't yours, then we have some major
vulnerabilities that threaten the internet itself.

Please, share your information, we'd be glad to see it.

Modifying ones that aren't yours is a separate story. That's partially done
by breaking into DNS servers (which is often feasible at poorly secured,
small sites), or even by playing routing games by publishing mutilated BGP
routing tables to route requests for certain DNS servers' IP addresses to
your fake server, allowing you to create a fake DNS site unbeknownst to the
clients who've never bothered to examine the results of traceroute. It's
even more fun, and tougher to trace, if you can blackhole the master server
of a set of NS servers and get the other NS servers to pull their slave
zones from your fake master for a zone.

It is inherent to modern implementations of BGP that the tables can be
hand-manipulated, allowing the big ISPs to hand-route things over preferred
connections for security or switchover planning reasons. This capability
carries with it the risk of falsely published routing information: such
routing is sometimes done, even by large ISPs, for political reasons such as
blackholing the www.samspade.org website because its well-organized tools
for tracking spammers' host and upstream connectivity information lead to
too many complaints against those ISPs for them to tolerate, so they
blackhole it.

DNS itself can be implemented in relatively secure ways to prevent this kind
of attack, but few sites actually go to the extra work.
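Editor's added example (not part of the thread, and not code from any SPF implementation): the "ptr" mechanism as the SPF draft defines it does not compare the PTR name against the sender domain directly. It looks up the connecting IP's PTR names, resolves each name forward, keeps only names whose A records include the connecting IP, and then tests those validated names against the domain. The toy evaluator below implements that procedure over an in-memory stub resolver so it runs offline. The DNS data is constructed: 10.11.12.13 and "spamsucker.mx.aol.com" are taken from the message above, while "mx.attacker.example", "mail.example.com", 192.0.2.25 and the SPF records are hypothetical. The attacker in the scenario controls the reverse zone for 10.11.12.13 but not the aol.com forward zone, so no A record for "spamsucker.mx.aol.com" exists in the stub data.

```python
"""Toy SPF evaluator for the ip4, ptr and all mechanisms over stub DNS data.

Added example for the spf-discuss thread; not code from the thread or from
any SPF library. All DNS data below is constructed for illustration.
"""
import ipaddress

# Constructed reverse zone data: IP -> PTR names (attacker publishes these).
PTR_RECORDS = {
    "10.11.12.13": ["spamsucker.mx.aol.com", "mx.attacker.example"],
    "192.0.2.25": ["mail.example.com"],
}

# Constructed forward zone data: name -> A records. Note there is no entry
# for "spamsucker.mx.aol.com": the attacker does not control aol.com (assumption).
A_RECORDS = {
    "mx.attacker.example": ["10.11.12.13"],
    "mail.example.com": ["192.0.2.25"],
}

# Hypothetical SPF records for the two domains used in the example.
SPF_RECORDS = {
    "aol.com": "v=spf1 ptr -all",
    "example.com": "v=spf1 ip4:192.0.2.0/24 ptr -all",
}

MAX_PTR_NAMES = 10  # the SPF draft caps how many PTR names are examined

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def in_domain(name, domain):
    """True if name equals domain or is a subdomain of it (case-insensitive)."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)


def validated_ptr_names(ip):
    """PTR names of ip that forward-resolve back to ip (forward-confirmed rDNS)."""
    candidates = PTR_RECORDS.get(ip, [])[:MAX_PTR_NAMES]
    return [name for name in candidates if ip in A_RECORDS.get(name, [])]


def ptr_matches(ip, target_domain):
    """The ptr mechanism: any validated PTR name within target_domain matches."""
    return any(in_domain(name, target_domain) for name in validated_ptr_names(ip))


def check_host(ip, domain):
    """Evaluate domain's SPF record for a connection from ip.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    Only ip4, ptr and all are supported; anything else yields permerror.
    """
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False)
        elif mech == "ptr":
            matched = ptr_matches(ip, arg or domain)
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    cases = [
        ("10.11.12.13", "aol.com"),      # the forged-PTR scenario from the thread
        ("192.0.2.25", "example.com"),   # a legitimate, forward-confirmed sender
        ("10.11.12.14", "example.com"),  # an IP with no PTR at all
    ]
    for ip, dom in cases:
        print(ip, dom, validated_ptr_names(ip), check_host(ip, dom))
```

Running the block shows the difference between what the reverse zone says and what the mechanism accepts: for 10.11.12.13 the only forward-confirmed name is "mx.attacker.example", which is not within aol.com, so "v=spf1 ptr -all" evaluates to fail. A PTR name the attacker can forward-confirm would only help if it fell under a domain whose SPF record lists "ptr", and the attacker controls the forward zone for it. The draft also recommends against "ptr" for performance reasons, which is a separate concern from the one the thread raises.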

