First things first, phishing is a crime. When you tell someone you are
someone you are not, then you are committing a crime. When it involves
money, the stakes are higher. If it crosses state lines or international
borders, again, the stakes are higher. So people who phish from America to
Great Britain and get thousands of dollars from it will eventually get
caught and will eventually be serving long terms in prison.

In order to be successful at phishing, you need to send out millions of
forgeries. All of these forgeries can be traced back to you, the owner and
administrator of the domain. If you have to spend one day in prison for one
forgery, how many years will you spend in prison for millions of forgeries?

When you publish SPF records, you are declaring which servers are allowed to
represent your domain, and you are claiming responsibility for what those
servers send. I think you'll find that phishers that publish SPF are
extremely stupid. The police already have ways to track them down via IP
address. Giving the police a trail through DNS and registrars is like
purposely cutting yourself and leaving a blood sample at the scene of the
crime, or writing down your home address on the wall.
On Wednesday 15 September 2004 01:26 am, David Woodhouse wrote:
> Some examples to ponder. A mail arrives at your site from one of my mail
> hosts, looking like this:
>
> MAIL FROM:<SRS0+xx+yy+example.com+joeuser@pentafluge.srs.infradead.org>
>
> and
>
> Received: from [2002:c1ed:8229:10:2c0:f0ff:fe31:e18] (helo=me) by
>         pentafluge.infradead.org with esmtpsa id
>         1C7Ej2-0008II-SZ; Tue, 14 Sep 2004 15:56:09 +0100
> From: <joeuser@example.com>
>
> It looks like it's been sent by Joe, with SMTP AUTH (that's what the 'a'
> means in esmtpsa). But did Joe really send it?
So when someone tells joeuser@example.com that pentafluge.srs.infradead.org
has been sending email that looks like it is from joeuser@example.com, the
police will show up at the following address:
Admin ID:tuVpxH0osF7vjG9j
Admin Name:David Woodhouse
Admin Organization:n/a
Admin Street1:c/o Red Hat UK Ltd.
Admin Street2:Unit 200, Rustat House
Admin Street3:62, Clifton Road
Admin City:Cambridge
Admin State/Province:Cambs
Admin Postal Code:CB17EG
Admin Country:GB
Admin Phone:+44.1223248854
Admin FAX:+44.1223248829
Admin Email:dwmw2@redhat.com
If the information proves incorrect, then the registrar R11-LROR will be
served a warrant for all information relating to the registration of
INFRADEAD.ORG.

When "David Woodhouse" or whoever he really is gets caught, he will be
charged under whatever laws he has broken by sending an email for
joeuser@example.com and with whatever fraud he committed by doing that.
> Another mail arrives like this:
>
> MAIL FROM:<joeuser@example.com>
> Received: from workstation.example.internal by mx.example.com by
>         esmtps; Tue, 14 Sep 2004 13:50:59 +0100
> Received: from mua (janeevil@localhost) by workstation.example.internal
>         by esmtps; Tue, 14 Sep 2004 13:50:54 +0100
> X-Authentication-Warning: workstation.example.internal: janeevil
>         owned process doing -bs
> From: joeuser@example.com
>
> Did _that_ mail come from Joe? SPF passes.
If it didn't, then the people who own example.com will find the police on
their doorstep.
> A third mail arrives like this:
>
> MAIL FROM:<joeuser@hosteddomain.com>
> Received: from apache by mail.virtualhosting.com with local
>         id 1C7UuW-0007EB-Lx; Wed, 15 Sep 2004 09:13:04 +0100
> From: <joeuser@example.com>
>
> Again SPF passes. Does that one really come from Joe?
If it doesn't, then the people who own hosteddomain.com will find the police
on their doorstep.
> A final mail arrives in your _inbox_ like this (I included your own
> Received: header this time):
>
> Return-Path: <joeuser@hosteddomain.com>
> Received: from mail.virtualhosting.com with esmtps
>         (helo=hosteddomain.com ident=janeevil) id
>         1C7V0c-0000lt-Cm; Wed, 15 Sep 2004 09:19:23 +0100
> Received-SPF: Pass; mail.virtualhosting.com is designated sender
>         for hosteddomain.com
> From: joeuser@hosteddomain.com
>
> Same question -- did Joe actually send this one?
If it didn't, then whoever controls the DNS records for
mail.virtualhosting.com will find the police on their doorstep.

Note that SPF Classic ignores the headers. The beauty of this is that if you
get an email with MAIL FROM alwaysspams.com, you can drop it without even
checking SPF records. Any checking of the headers should be in a separate
algorithm with a separate checking mechanism.
--
Jonathan M. Gardner
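An added example, not part of the original thread, showing in Python what "SPF Classic ignores the headers" means for the four mails above: the verdict depends only on the envelope MAIL FROM domain and the connecting IP, a From: header that names a different domain is reported separately rather than folded into the SPF result, and a locally blocklisted envelope domain is dropped before any lookup. The SPF records, IP addresses and blocklist are constructed for the example and stand in for real DNS data.

```python
import ipaddress

# Constructed stand-in for live TXT lookups (assumption: these are not real records).
SPF_RECORDS = {
    "pentafluge.srs.infradead.org": "v=spf1 ip4:192.0.2.10 ip6:2001:db8::10 -all",
    "example.com":                  "v=spf1 ip4:192.0.2.25 -all",
    "hosteddomain.com":             "v=spf1 ip4:198.51.100.5 ~all",
}
# Local policy applied before any DNS lookup, as in the "alwaysspams.com" remark.
BLOCKLIST = {"alwaysspams.com"}

def spf_check(mail_from, client_ip):
    """Evaluate an SPF Classic subset (ip4/ip6/all with +/-/~/? qualifiers)
    against the envelope MAIL FROM only; RFC 5322 headers are never read."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    if domain in BLOCKLIST:
        return "Reject"          # dropped before any SPF record is consulted
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "None"            # no SPF record published for this domain
    ip = ipaddress.ip_address(client_ip)
    verdicts = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}
    for term in record.split()[1:]:        # skip the "v=spf1" version tag
        qual = "+"                         # mechanisms default to "+"
        if term[0] in verdicts:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return verdicts[qual]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return verdicts[qual]
    return "Neutral"             # record exhausted without a match

def received_spf(mail_from, client_ip, headers):
    """Build a Received-SPF line and flag, separately, whether the From:
    header domain differs from the envelope domain that SPF actually checked."""
    result = spf_check(mail_from, client_ip)
    env_dom = mail_from.rsplit("@", 1)[-1].lower()
    hdr_dom = headers.get("From", "").strip("<>").rsplit("@", 1)[-1].lower()
    line = f"Received-SPF: {result}; {client_ip} checked for {env_dom}"
    return line, env_dom != hdr_dom
```

Run against the third mail above (envelope hosteddomain.com from its designated host, From: example.com) the verdict is Pass with the header mismatch flagged; the same envelope from an undesignated IP yields SoftFail because that record ends in ~all.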