spf-discuss

Re: SPF-compliant phishing?

2004-09-15 05:09:01
There you go again.

SPF does not validate users. In most of the examples below it is
obvious that the mail is a valid example.com e-mail, whether it is
from the particular _user_ at example.com is another matter.

Get GPG.
Thank you for playing.

David Woodhouse wrote:
Some examples to ponder. A mail arrives at your site from one of my mail
hosts, looking like this:

        MAIL FROM:<SRS0+xx+yy+example.com+joeuser@pentafluge.srs.infradead.org>
and
        Received: from [2002:c1ed:8229:10:2c0:f0ff:fe31:e18] (helo=me) by
                pentafluge.infradead.org with esmtpsa id 1C7Ej2-0008II-SZ;
                Tue, 14 Sep 2004 15:56:09 +0100
        From: <joeuser@example.com>

It looks like it's been sent by Joe, with SMTP AUTH (that's what the 'a'
means in esmtpsa). But did Joe really send it?
Another mail arrives like this:

        MAIL FROM:<joeuser@example.com>
        Received: from workstation.example.internal by mx.example.com by
                esmtps; Tue, 14 Sep 2004 13:50:59 +0100
        Received: from mua (janeevil@localhost) by workstation.example.internal
                by esmtps; Tue, 14 Sep 2004 13:50:54 +0100
        X-Authentication-Warning: workstation.example.internal: janeevil
                owned process doing -bs
        From: joeuser@example.com

Did _that_ mail come from Joe? SPF passes.

A third mail arrives like this:

        MAIL FROM:<joeuser@hosteddomain.com>
        Received: from apache by mail.virtualhosting.com with local id
                1C7UuW-0007EB-Lx; Wed, 15 Sep 2004 09:13:04 +0100
        From: <joeuser@example.com>

Again SPF passes. Does that one really come from Joe?

A final mail arrives in your _inbox_ like this (I included your own
Received: header this time):

        Return-Path: <joeuser@hosteddomain.com>
        Received: from mail.virtualhosting.com with esmtps
                (helo=hosteddomain.com ident=janeevil) id
                1C7V0c-0000lt-Cm; Wed, 15 Sep 2004 09:19:23 +0100
        Received-SPF: Pass; mail.virtualhosting.com is designated sender
                for hosteddomain.com
        From: joeuser@hosteddomain.com

Same question -- did Joe actually send this one?


--
Daniel Taylor          VP Operations            Vocal Laboratories, Inc.
dtaylor@vocalabs.com   http://www.vocalabs.com/
(952)941-6580x203
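The point the two posters are arguing over can be made mechanical. The script below is an added example, not code from the thread or from any SPF implementation: it takes the four quoted header sets (embedded here as constructed samples, with the addresses de-obfuscated), works out which domain SPF is evaluated against (the right-hand side of MAIL FROM, which for an SRS-rewritten forward is the forwarder, not the original sender), compares that with the From: header domain, and separately lists whatever identity the receiving MTAs themselves recorded for the submitting party (an ident lookup, a local MUA user, a sendmail-style X-Authentication-Warning, or a "with local" pipe). The SRS decoder accepts both the "+" separator used in the quoted address and the "=" of the SRS draft; that generalisation and the regexes for the Received: clues are my assumptions about typical exim/sendmail trace formats.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed samples modelled on the four cases quoted in the thread.
# Each entry is (MAIL FROM / Return-Path address, header block).
SAMPLES = {
    "srs_forwarded": (
        "SRS0+xx+yy+example.com+joeuser@pentafluge.srs.infradead.org",
        "Received: from [2002:c1ed:8229:10:2c0:f0ff:fe31:e18] (helo=me) by\n"
        "\tpentafluge.infradead.org with esmtpsa id 1C7Ej2-0008II-SZ;\n"
        "\tTue, 14 Sep 2004 15:56:09 +0100\n"
        "From: <joeuser@example.com>\n",
    ),
    "local_submission": (
        "joeuser@example.com",
        "Received: from workstation.example.internal by mx.example.com by\n"
        "\tesmtps; Tue, 14 Sep 2004 13:50:59 +0100\n"
        "Received: from mua (janeevil@localhost) by workstation.example.internal\n"
        "\tby esmtps; Tue, 14 Sep 2004 13:50:54 +0100\n"
        "X-Authentication-Warning: workstation.example.internal: janeevil\n"
        "\towned process doing -bs\n"
        "From: joeuser@example.com\n",
    ),
    "web_app": (
        "joeuser@hosteddomain.com",
        "Received: from apache by mail.virtualhosting.com with local id\n"
        "\t1C7UuW-0007EB-Lx; Wed, 15 Sep 2004 09:13:04 +0100\n"
        "From: <joeuser@example.com>\n",
    ),
    "hosted_domain": (
        "joeuser@hosteddomain.com",
        "Received: from mail.virtualhosting.com with esmtps\n"
        "\t(helo=hosteddomain.com ident=janeevil) id\n"
        "\t1C7V0c-0000lt-Cm; Wed, 15 Sep 2004 09:19:23 +0100\n"
        "Received-SPF: Pass; mail.virtualhosting.com is designated sender\n"
        "\tfor hosteddomain.com\n"
        "From: joeuser@hosteddomain.com\n",
    ),
}

# SRS0 rewrite: SRS0<sep>hash<sep>timestamp<sep>origdomain<sep>origuser@forwarder.
# Assumption: '+' (as quoted in the thread) or '=' (SRS draft) as separator.
SRS0_RE = re.compile(
    r"^SRS0[+=](?P<hash>[^+=]+)[+=](?P<ts>[^+=]+)[+=](?P<domain>[^+=]+)"
    r"[+=](?P<user>[^@]+)@(?P<forwarder>.+)$", re.IGNORECASE)

# Clues an MTA leaves about who actually injected the message (assumed formats).
IDENTITY_RES = [
    re.compile(r"\bident=([^\s;)]+)"),                    # RFC 1413 ident result
    re.compile(r"\(([^\s@()]+)@localhost\)"),             # local MUA submission
    re.compile(r"^from ([^\s.]+) by \S+ with local\b"),   # local pipe, unix user
]
AUTH_WARNING_RE = re.compile(r"^\S+:\s+(\S+) owned process")


def decode_srs(mail_from):
    """Return (original_user, original_domain, forwarder) for an SRS0 address, else None."""
    m = SRS0_RE.match(mail_from)
    return (m.group("user"), m.group("domain"), m.group("forwarder")) if m else None


def assess(mail_from, raw_headers):
    msg = message_from_string(raw_headers + "\n", policy=policy.default)
    received = [" ".join(str(v).split()) for v in msg.get_all("Received", [])]

    # SPF checks the domain right of '@' in MAIL FROM; after SRS that is the forwarder.
    srs = decode_srs(mail_from)
    spf_domain = mail_from.rsplit("@", 1)[1].lower()
    original_domain = srs[1].lower() if srs else spf_domain

    from_user, from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)
    from_domain = from_domain.lower()

    identities = []
    for line in received:
        for pat in IDENTITY_RES:
            identities += pat.findall(line)
    warn = msg.get("X-Authentication-Warning")
    if warn:
        m = AUTH_WARNING_RE.match(" ".join(str(warn).split()))
        if m:
            identities.append(m.group(1))

    spf_hdr = str(msg.get("Received-SPF", "")).split(";")[0].strip()
    return {
        "spf_domain": spf_domain,
        "original_domain": original_domain,
        "from_domain": from_domain,
        "from_user": from_user,
        "domains_aligned": original_domain == from_domain,   # domain-level only
        "smtp_auth_used": any("with esmtpsa" in line for line in received),
        "received_spf": spf_hdr or None,
        "submitting_identities": sorted(set(identities)),
        "identity_matches_from_user": from_user in identities,  # what SPF never checks
    }


def assess_sample(name):
    return assess(*SAMPLES[name])


if __name__ == "__main__":
    for name in SAMPLES:
        r = assess_sample(name)
        print(f"{name}: SPF domain {r['spf_domain']}, From: domain {r['from_domain']} "
              f"(aligned={r['domains_aligned']}), recorded identities "
              f"{r['submitting_identities']}, match From: user={r['identity_matches_from_user']}")
```

Run stand-alone, it prints one line per sample. In every case the domain comparison comes out the way Daniel describes (the mail is, or is not, a legitimate example.com or hosteddomain.com message at the domain level), while `identity_matches_from_user` is False for all four: the only user identities the MTAs recorded are janeevil and apache, and the SMTP AUTH case records no user at all. That is exactly the gap SPF leaves and that end-to-end signing (GPG, as Daniel suggests) is meant to close.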

