spf-discuss

RE: Status of Email Authentication

2005-03-01 09:25:33


> > > Actually, IP Address spoofing is already a problem.  Spammers are
> > > stealing portions of IP Address space.
> >
> > Please tell me, how would you go about "stealing" the IP address
> > 195.30.85.225, for example?
>
> There are several methods. Many involve manipulating routing tables on
> intermediate connections, so that the traffic goes to a fake such
> address or is even duplicated to that fake destination so that the
> traffic can be analyzed and parsed for passwords. (I know at least one
> company in Boston that sells a snooping device that will easily
> disassemble and record in separate streams all the traffic of a fully
> loaded 100 MHz Ethernet connection)
>
> Since most routers have no more security than most FTP accounts, using
> default passwords, having little shell scripts or configuration tools
> lying around with the passwords in plain text, and having admins log in
> remotely over unsecured networks to fix problems and sending passwords
> in the clear because they use telnet and few routers support SSH, this
> isn't actually that hard.

Well, those methods could very likely be employed to circumvent
content-bound sender authentication schemes such as DomainKeys, too,
couldn't they?  So I think these are general security issues mostly, not
SPF-specific ones.

The key question is whether spammers can easily, over a long period of time, and on a worldwide scale, take over routers or engage in other "wiretap" class attacks. See http://www.ietf.org/rfc/rfc3833.txt for an analysis of these types of threats. So far I have not seen a plausible scenario.

I added two footnotes to my Wikipedia article at http://en.wikipedia.org/wiki/Email_Authentication:

{1} IP Address forgery is possible, but generally involves a lower level of criminal behavior (breaking and entering, wiretapping, etc.), and these crimes are neither exciting to a hacker, nor sufficiently risk-free for a typical spammer. {2} There have been attacks on DNS servers, but doing this on a large scale may be orders of magnitude more difficult than spreading zombie infections among millions of insecure home computers. The much smaller number of DNS servers could be upgraded to use DNSSEC (http://en.wikipedia.org/wiki/DNSSEC) if such attacks were to become commonplace.

I also plan to follow up on Dave Crocker's other suggestions for improving this article.

-- Dave


*************************************************************     *
* David MacQuigg, PhD              * email:  dmq'at'gci-net.com   *  *
* IC Design Engineer               * phone:  USA 520-721-4583  *  *  *
* Analog Design Methodologies                                  *  *  *
*                                  * 9320 East Mikelyn Lane     * * *
* VRS Consulting, P.C.             * Tucson, Arizona 85710        *
*************************************************************     *
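The thread above argues about the two things an IP-based scheme like SPF has to trust: the connecting IP address the receiver observes, and the DNS answer that says which addresses are authorized. The following is an added illustration, not code from this post or from any SPF implementation: a deliberately minimal SPF evaluator that handles only `ip4`/`ip6` mechanisms and `all`, with the DNS lookup replaced by a constructed in-memory TXT table (the domains and address blocks are documentation values chosen for this example). It makes visible that the verdict is a pure function of those two inputs, which is exactly why the routing and DNS attacks discussed in the thread, and the DNSSEC mitigation in footnote {2}, matter for SPF in a way they do not for a content-signing scheme.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (not a real resolver). The
# zone data is invented for this example using documentation address ranges.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all"],
    "nospf.example": ["some unrelated txt record"],
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=DNS_TXT):
    """Return the single v=spf1 TXT record for domain, or None if there is
    not exactly one (SPF treats zero or multiple records as 'none')."""
    records = [r for r in dns.get(domain.lower(), [])
               if r.lower().startswith("v=spf1 ") or r.lower() == "v=spf1"]
    return records[0] if len(records) == 1 else None


def check_host(ip, domain, dns=DNS_TXT):
    """Minimal SPF check_host: evaluates ip4, ip6 and all mechanisms in order.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    Mechanisms that need further DNS traffic (a, mx, include, ...) are out of
    scope here and yield 'permerror' so the limitation is explicit.
    """
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            # An address can only match a network of the same IP version.
            matched = client.version == net.version and client in net
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    # Record exhausted without a match: default result is neutral.
    return "neutral"


def trust_inputs(ip, domain, dns=DNS_TXT):
    """Show the complete set of facts the verdict rests on: the observed
    client IP and the DNS answer. Nothing in the message itself is consulted."""
    return {"client_ip": ip, "dns_answer": lookup_spf(domain, dns),
            "result": check_host(ip, domain, dns)}


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "203.0.113.5"):
        print(trust_inputs(ip, "example.com"))
    print(trust_inputs("192.0.2.77", "nospf.example"))
```

Because `check_host` reads nothing but the client address and the TXT answer, a receiver that is fed either a spoofed source address (the routing attacks in the quoted text) or a forged DNS answer (footnote {2}) will return a confident `pass` for mail that was never authorized; DNSSEC closes the second input, and it is the first input that the thread's "wiretap class" argument is about.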