spf-discuss

RE: Status of Email Authentication

2005-03-01 09:58:22
Nico Kadel-Garcia wrote:
> Julian Mehnle wrote:
>> Nico Kadel-Garcia wrote:
>>> Since most routers have no more security than most FTP accounts,
>>> using default passwords, having little shell scripts or
>>> configuration tools lying around with the passwords in plain text,
>>> and having admins log in remotely over unsecured networks to fix
>>> problems and sending passwords in the clear because they use telnet
>>> and few routers support SSH, this isn't actually that hard.
>>
>> Well, those methods could very likely be employed to circumvent
>> content-bound sender authentication schemes such as DomainKeys, too,
>> couldn't they?  So I think these are general security issues mostly,
>> not SPF-specific ones.
>
> Only IP based ones. The SenderID key, in theory, has a cryptographic
> signature from Microsoft in it linked to the IP, so you'd need the key
> too.

"Only IP based ones" -- no.  If I can spoof an IP address by hacking
routers, I have a chance at pretending to be one of the ISP's trusted
machines and submit my spam without a need to know the domain secret key.

> SPF can also get hornswoggled, since the DNS TXT lookup can get
> mis-routed to a fake DNS server, but people have tended to notice that
> sort of thing fairly quickly.

The same DNS insecurities that apply to SPF apply to DNS-crypto-based
authentication technologies as well.  I can just misroute DNS lookups to
my DNS server which responds with my very own faked domain public key.