spf-discuss
[Top] [All Lists]

Re: Status of Email Authentication

2005-03-01 09:28:58

----- Original Message ----- From: "Julian Mehnle" <bulk(_at_)mehnle(_dot_)net>
To: <spf-discuss(_at_)v2(_dot_)listbox(_dot_)com>
Sent: Tuesday, March 01, 2005 10:14 AM
Subject: RE: [spf-discuss] Status of Email Authentication


Nico Kadel-Garcia wrote:

Since most routers have no more security than most FTP accounts, using
default passwords, having little shell scripts or configuration tools
lying around with the passwords in plain text, and having admins log in
remotely over unsecured networks to fix problems and sending passwords
in the clear because they use telnet and few routers support SSH, this
isn't actually that hard.

Well, those methods could very likely be employed to circumvent
content-bound sender authentication schemes such as DomainKeys, too,
couldn't they?  So I think these are general security issues mostly, not
SPF-specific ones.

Only IP based ones. The SenderID key, in theory, has a cryptographic signature from Microsoft in it linked to the IP, so you'd need the key too.

SPF can also get hornswoggled, since the DNS TXT lookup can get mis-routed to a fake DNS server, but people have tended to notice that sort of thing fairly quickly.