spf-discuss

RE: Attacking Domain Keys

2004-11-29 14:34:02
From: wayne
Sent: Monday, November 29, 2004 2:47 PM

<...>

I must be missing something.  Why can't you detect a forged forward
with an SRS return-path?  The forwarder can publish SPF records, just
like everyone else.  Also, a forwarder's SPF record can contain an
exists: mechanism similar to the one in the SES draft in case there
are more forwarders that don't do SRS.

I wasn't specific enough. The forwarder's SPF record is what is checked by
the recipient, not the originator's.  A spammer can take out a throw-away
domain, publish an SPF record and pretend to be forwarding a message from
anyone they want.  That message will always pass SPF, despite the forgery.
This is inherent in the hop-by-hop authentication of SPF.

If you want to only accept SRS-rewritten forwards from whitelisted
forwarders, you can do that, but that is more practical for small sites than
large ones.  This approach is even harder to implement at a large site if
there are forwarders that individual customers want to use that are not
acceptable to the service as a whole.

--

Seth Goodman
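The recipient-side logic Seth describes, as an added example that is not part of the thread: SPF is evaluated on the return-path domain, which after SRS rewriting is the forwarder, so a pass says nothing about the original sender; a forwarder whitelist is what turns that pass into a decision. All domains, addresses, IPs and the in-memory stand-in for SPF DNS records are constructed.

```python
import re

# SRS0 return-path layout: SRS0=<hash>=<timestamp>=<orig-domain>=<orig-local>@<forwarder>
SRS0_RE = re.compile(
    r"^SRS0=(?P<hash>[^=]+)=(?P<ts>[^=]+)=(?P<orig_domain>[^=]+)="
    r"(?P<orig_local>[^@]+)@(?P<forwarder>.+)$"
)

# Constructed stand-in for SPF lookups: domain -> IPs its record authorizes.
SPF_RECORDS = {
    "forwarder.example": {"192.0.2.10"},
    "throwaway.example": {"198.51.100.7"},  # any domain can publish a record
    "origin.example": {"203.0.113.5"},
}

# Forwarders this site has decided to trust (the whitelist from the post).
TRUSTED_FORWARDERS = {"forwarder.example"}


def spf_check(domain, client_ip):
    """Simplified SPF result for one domain and connecting IP."""
    allowed = SPF_RECORDS.get(domain)
    if allowed is None:
        return "none"
    return "pass" if client_ip in allowed else "fail"


def parse_srs0(addr):
    """Return the SRS0 components of addr, or None if it is not SRS-rewritten."""
    m = SRS0_RE.match(addr)
    return m.groupdict() if m else None


def evaluate_forward(return_path, client_ip):
    """Decide on a message from its return-path and the connecting IP.

    Returns (decision, reason).  SPF is checked against the return-path
    domain only, so for an SRS forward that is the forwarder, never the
    original sender's domain."""
    srs = parse_srs0(return_path)
    domain = return_path.rsplit("@", 1)[1]
    result = spf_check(domain, client_ip)
    if srs is None:
        return result, "direct mail; SPF result applies to the sender domain"
    if result != "pass":
        return "reject", "SRS forward failed SPF for forwarder " + domain
    if domain in TRUSTED_FORWARDERS:
        return "accept", "SRS forward from whitelisted forwarder " + domain
    return "hold", ("SPF pass only proves " + domain + " sent it; origin "
                    + srs["orig_domain"] + " is unverified")
```

The "hold" branch is the case the post warns about: a throw-away domain with a valid SPF record passes just as cleanly as a legitimate forwarder, and only the whitelist distinguishes them.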

