spf-discuss

RE: Attacking Domain Keys

2004-11-29 13:40:11
On Mon, 29 Nov 2004, Seth Goodman wrote:

SPF has limited ability to reject forgeries as long as it relies on SRS to
do forwarding.  There is no way to detect a forged forward with an SRS
return-path, so that is predictably what forgers will do if SPF is widely
adopted.  If you want to reject forgeries before data, you need something
other than SPF+SRS.

Sigh.  A spammer registering a throwaway domain that pretends to
be a forwarder is not much different than a spammer registering a throwaway
domain that sends mail directly.

In both cases, you blacklist the domain to fix it.
In both cases, the rfc2822 From can be anything the spammer desires.
In both cases, they *cannot* forge legitcorp.com.  A MAIL FROM
  of SRS0=FCBFJ44=AB=legitcorp.com=user@spammer.com is *not* the
  same as a MAIL FROM of user@legitcorp.com - even if it does pass
  SPF until you blacklist it.

A useful policy for many mail recipients is to accept forwards
(SRS or not) from trusted forwarders only.  Even a big ISP can do this by
providing a web interface to users for listing trusted forwarders - by IP or
HELO name for non-SRS forwarders or by domain for SRS forwarders.  The MTA at a
big ISP should wait until after RCPT TO to decide whether a forwarder is
trusted based on the individual recipient's profile.  Users should default
to accepting all forwards.

-- 
              Stuart D. Gathman <stuart@bmsi.com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
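The two points made in the reply above (an SRS0 rewrite makes the forwarder's domain, not the original sender's, the one SPF vouches for; and a per-recipient "trusted forwarders" decision taken after RCPT TO) are shown below as an added worked example.  This code is not from the thread, the SPF project or any MTA; it is a self-contained model of the policy.  The SRS0 layout (SRS0 tag, separator, hash, timestamp, original domain, original local part) follows the published SRS scheme; the Envelope and RecipientProfile records, the domain names, the 192.0.2.x addresses and the SMTP reply texts are constructed for illustration.  The example reads "users should default to accepting all forwards" as a profile flag that treats every connecting host as a trusted forwarder; turning the flag off and listing forwarders is the stricter per-user policy.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# SRS0 local part: SRS0<sep>HHHH=TT=<original-domain>=<original-local>
# The separator after the SRS0 tag may be '=', '+' or '-' (libsrs2 accepts all three).
SRS0_RE = re.compile(
    r"^SRS0[=+-](?P<hash>[^=]+)=(?P<tt>[^=]+)=(?P<domain>[^=]+)=(?P<local>.+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Envelope:
    """What the MTA knows before DATA (constructed record, not an MTA API)."""
    mail_from: str   # RFC 2821 MAIL FROM address
    client_ip: str   # connecting MTA
    helo: str        # HELO/EHLO name
    spf_result: str  # SPF result for mail_from's domain from client_ip: pass/fail/none/...


@dataclass(frozen=True)
class RecipientProfile:
    """Per-user forwarder list, as an ISP web interface might store it (hypothetical)."""
    accept_all_forwards: bool = True          # the post's suggested default
    trusted_srs_domains: frozenset = frozenset()   # SRS forwarders, by rewriting domain
    trusted_forwarder_ips: frozenset = frozenset()  # non-SRS forwarders, by IP
    trusted_helo_names: frozenset = frozenset()     # non-SRS forwarders, by HELO name


def parse_srs0(addr: str) -> Optional[Tuple[str, str, str]]:
    """Return (original_local, original_domain, forwarder_domain) or None if not SRS0."""
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return None
    m = SRS0_RE.match(local)
    if m is None:
        return None
    return m["local"], m["domain"].lower(), domain.lower()


def accountable_domain(addr: str) -> str:
    """The domain an SPF pass on this MAIL FROM actually vouches for.

    For SRS0=...=legitcorp.com=user@spammer.com that is spammer.com, never
    legitcorp.com: the original domain inside the rewrite is just data.
    """
    parsed = parse_srs0(addr)
    return parsed[2] if parsed else addr.rpartition("@")[2].lower()


def decide_at_rcpt(env: Envelope, profile: RecipientProfile) -> Tuple[str, str]:
    """Per-recipient decision, taken once RCPT TO has named the recipient."""
    srs = parse_srs0(env.mail_from)
    if srs is not None:
        forwarder = srs[2]
        if env.spf_result != "pass":
            return "reject", "SRS forwarder %s fails SPF" % forwarder
        if profile.accept_all_forwards or forwarder in profile.trusted_srs_domains:
            return "accept", "SRS forward via %s" % forwarder
        return "reject", "SRS forwarder %s not trusted by recipient" % forwarder
    if env.spf_result == "fail":
        # Either a forgery or a non-SRS forward; only a listed forwarder gets through.
        if profile.accept_all_forwards:
            return "accept", "SPF fail tolerated: recipient accepts all forwards"
        if env.client_ip in profile.trusted_forwarder_ips or \
                env.helo.lower() in profile.trusted_helo_names:
            return "accept", "non-SRS forward from trusted host %s" % env.client_ip
        return "reject", "SPF fail from untrusted host %s" % env.client_ip
    return "accept", "SPF %s" % env.spf_result


def rcpt_responses(env: Envelope, profiles: Dict[str, RecipientProfile]) -> Dict[str, str]:
    """SMTP reply per RCPT TO: one envelope may be accepted for some users and refused for others."""
    out = {}
    for rcpt, profile in profiles.items():
        action, reason = decide_at_rcpt(env, profile)
        out[rcpt] = ("250 OK" if action == "accept" else "550 ") + ("" if action == "accept" else reason)
    return out


if __name__ == "__main__":
    env = Envelope("SRS0=FCBFJ44=AB=legitcorp.com=user@spammer.com", "192.0.2.10", "mx.spammer.com", "pass")
    print(accountable_domain(env.mail_from))  # spammer.com, not legitcorp.com
    strict = RecipientProfile(False, trusted_srs_domains=frozenset({"forwarder.example"}))
    print(rcpt_responses(env, {"alice@isp.example": RecipientProfile(), "bob@isp.example": strict}))
```

The regex accepts any hash and timestamp because a receiving MTA cannot verify them; only the forwarder that generated the rewrite holds the HMAC secret.  What the receiver can do is what the reply says: treat the rewriting domain as the accountable party, pass or blacklist it, and let each user decide which forwarders may deliver to them.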

