From: Guy
Sent: Wednesday, August 25, 2004 9:53 AM
Anyone using mail servers on these addresses: 81.221.18.144/29 could fake
email from pamho.net.
If you own them, then you are safe.
But if the IP addresses are blacklisted then you may have trouble getting
people to accept email anyway.
Guy
Guy,
These are Roger's IP's. Four of them are his DSL connections, some of
the others are internal machines and the ones that send mail have
matching forward and reverse DNS. No one else can send mail from those
IP's.
Roger's challenge to Shelby, below, was: given his SPF record using the
exists mechanism, please deduce an address that you can forge. If you
try, you will find that you cannot read the DNS zone for ses.pamho.org
which contains the permissible LHS addresses. You can do a dictionary
attack on his nameservers, if you were so inclined, and you may
eventually get some user names, though you probably have to know French,
German, Swiss German and some local dialects to pull it off. Even armed
with this information, unless you can send the mail from his IP range,
which you can't, it won't pass SPF on the originating hop.
Now, there is a bone to pick with forwarded messages, but that's a whole
separate topic with a separate solution. My basic point and probably
Roger's as well, is if you set up DNS correctly as Roger has shown, the
exists mechanism is a safe way to control user access, among many other
useful things.
It is effectively a command that lets you do a lot of things that were
not included in the SPF spec. As long as there are sensible DNS
recursion limits, you can't really break anything with it that I am
aware of. It is probably the most powerful SPF command, though not the
easiest to understand because it requires macros to make it work. Have
a look at it.
--
Seth Goodman
From: Roger Moser
Sent: Wednesday, August 25, 2004 8:28 AM
Shelby wrote:
As long as they do not use "exists" to specify specific users.
Using "exists" to specify users will tell a spammer which
addresses to spam and forge (because not every recipient
will be SPF protected for years).
The SPF record of pamho.net uses "exists":
v=spf1 exp=exp.pamho.net ip4:81.221.18.144/29 exists:%{l}.ses.pamho.org -all
Now tell me what addresses the spammer can forge.
Roger
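
How a receiver evaluates the pamho.net record quoted above, as an added example that is not part of the original thread: a minimal evaluator covering only the terms that record uses (ip4, exists with the %{l} macro, all). The contents of the ses.pamho.org zone, the local-parts alice and bob, and the 192.0.2.1 client address are constructed for illustration.

```python
import ipaddress
import re

# SPF record quoted in the thread for pamho.net.
RECORD = ("v=spf1 exp=exp.pamho.net ip4:81.221.18.144/29 "
          "exists:%{l}.ses.pamho.org -all")

# Constructed stand-in for the private ses.pamho.org zone (names that have
# an A record). The real zone is not on the page; "alice" is made up.
ZONE = {"alice.ses.pamho.org"}

def lookup(name):
    """Stand-in for a DNS A query: True if the name resolves."""
    return name in ZONE

def expand(spec, sender):
    """Expand %{l} (sender local-part) and %{d} (domain); other macros untouched."""
    local, domain = sender.rsplit("@", 1)
    values = {"l": local, "d": domain}
    return re.sub(r"%\{([ld])\}", lambda m: values[m.group(1)], spec).lower()

def check_host(record, sender, ip, has_a_record):
    """Evaluate terms left to right; return (result, term that matched)."""
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none", None
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        if re.match(r"[a-z][a-z0-9_.-]*=", term, re.I):
            continue  # modifiers such as exp= take no part in matching
        qualifier = term[0] if term[0] in results else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "ip4":
            matched = ipaddress.ip_address(ip) in ipaddress.ip_network(arg)
        elif name == "exists":
            # Matches if the expanded name has an A record; the client IP
            # is not part of this macro string.
            matched = has_a_record(expand(arg, sender))
        elif name == "all":
            matched = True
        else:
            return "permerror", term  # mechanism not covered by this sketch
        if matched:
            return results[qualifier], term
    return "neutral", None
```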