on 7/26/04 3:47 AM, Chris Haynes at chris(_at_)harvington(_dot_)org(_dot_)uk
wrote:
Here is my PLAN B. This is a completely different technical solution.
"Auto-insertion of a web resource".
Some MTA somewhere in the chain is going to compose a full mail message to go
back to the user, which is to include the explanation text derived from the
TXT record.
We define a particular structure of explanation text, of the form:
http-URL [whitespace any-other-text]
If the explanation text starts with (or is composed entirely of) a valid URL
which starts with "http:", then the referenced resource (Web page / document
etc.) is downloaded by the MTA using an HTTP GET request and is inserted into
the mail message as MIME content.
This downloaded page becomes _the_ explanation that the end-user sees. The
'any-other-text' part of the explanation text is discarded.
I am concerned that such a mechanism might be exploited by an unscrupulous
party to deliver spam. I haven't looked too carefully into whether there
actually are any dangerous exploits for the scheme you describe, but I do
have a simple example that demonstrates the possible nature of an exploit of
the kind that I am worried about.
For example, imagine a spammer forges a fake delivery status notification
(DSN) and sends it to his victim. The spammer is under no obligation to
use the explanation text retrieved from a TXT record, he can simply forge
his own URL in the DSN. His URL would point to a page containing an ad
instead of an actual SPF error explanation, and since the described scheme
replaces the message contents with the downloaded page from the URL, the
user would just see an ad.
-Richard