spf-discuss

Can SPF identify wildcard domain forgery?

2004-08-21 13:11:23
Serious question aimed at helping propagate SPF to personal domains:

My question below boils down to: "is there a syntax for SPF (possibly the macro 
language?) which enables "-all" to be excluded from only some address of a 
domain?"

A common form of e-mail forgery used by spammers is to find domains that have a 
mailbox for *@domain by taking each domain in their mailing list and 
either attempting to send email to and/or from random@domain.  The 
"from" case is forgery which can not be detected by anti-spam which detects 
non-existent addresses.  The "to" case is probing for existent addresses, which 
can then also be used as "from" addresses in hopes of bypassing the 
recipient@domain's whitelist.

Obviously this can be identified by SPF, but *only* if "-all" is present in 
the SPF DNS record.  My question is: is there a syntax for SPF (possibly the macro 
language?) which enables "-all" to be excluded from only some addresses of a 
domain?

This is important in my opinion due to the confluence of four factors:

(1) It could possibly help speed adoption by possibly millions of domain owners 
(do not know if millions have wildcard mailboxes though) if the owners of such 
domains can stop the wildcard forgery with a simple DNS change, without having 
to take the "next step" (*see below) to ensure they are supporting "-all" on 
their valid (desired) addresses.

(2) I predict this form of forgery could become more common once the forgery of 
major domains becomes less effective due to SPF (and other domain-targeted 
anti-forgery proposals).

(3) Obviously a similar result could be accomplished by bouncing all but valid 
(desired) addresses, but such an SPF macro might be a more efficient way and 
thus speed adoption of SPF "-all".  Also the SPF way could stop the forgery 
earlier in the SMTP chain.

(4) In this proposed capacity, the SPF DNS record would be acting more like a 
forgery blacklist or whitelist, and it would be portable because in this scenario 
the domain owner never expects to send unforged email from the address range 
under the "-all" restriction, so it really would not matter too much which IP 
was designated by the record (could even have a null IP option, i.e. meaning 
blacklist).

* Note, where "next step" incurs *potential* for false positive risk due to the 
necessity to properly configure and use SMTP AUTH (client and server), 
set/maintain correct IP records in the SPF DNS, and the human-error-prone 
discipline of where to type an email address, which I outlined in a (now 
closed) debate about SPF vs. SenderKeys:

http://archives.listbox.com/spf-discuss@v2.listbox.com/200408/0632.html


-Shelby Moore
http://AccuSpam.com
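As an added illustration (not part of the original post or any reply to it), the toy evaluator below shows the mechanism SPF offers for the question above: the "exists:" mechanism combined with the %{l} (sender local-part) macro, both defined in the SPF specification (RFC 7208), so that "-all" applies to every local-part except those the owner lists. The zone data for example.com is constructed for the demo and DNS is simulated with an in-memory dict.

```python
# Added example: simplified SPF evaluation demonstrating per-local-part
# exemption from "-all" via "?exists:%{l}._spf.<domain>" (RFC 7208 macros).
# Only ip4, exists and all are handled; DNS is a constructed dict.
import ipaddress

# Constructed sample zone: only the local-parts the owner really uses have an
# A record under _spf.example.com. Any other local-part falls through to -all.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ?exists:%{l}._spf.example.com -all",
    "shelby._spf.example.com": "127.0.0.2",
    "sales._spf.example.com": "127.0.0.2",
}

def expand_macros(text, sender, client_ip):
    """Expand the subset of RFC 7208 macros used here: %{l}, %{d}, %{i}."""
    local, _, domain = sender.partition("@")
    return (text.replace("%{l}", local)
                .replace("%{d}", domain)
                .replace("%{i}", client_ip))

def check_spf(sender, client_ip):
    """Return the SPF result for MAIL FROM <sender> sent from client_ip."""
    domain = sender.partition("@")[2]
    record = ZONE.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "ip4":
            matched = ipaddress.ip_address(client_ip) in ipaddress.ip_network(arg)
        elif name == "exists":
            # exists matches iff the macro-expanded name has an A record,
            # regardless of the client IP; "?" makes the result neutral.
            matched = expand_macros(arg, sender, client_ip) in ZONE
        elif name == "all":
            matched = True
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"  # RFC 7208 default when no mechanism matches
```

With this record, mail from a known local-part at an unlisted IP is neutral (no -all verdict), while mail from any other local-part at the same IP fails; the listed IP range still passes for every local-part.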