spf-discuss

Re: Response to DDoS using SPF

2005-03-23 16:15:12
On Wed, 2005-03-23 at 17:59 -0500, Mark Shewmaker wrote:
> On Wed, Mar 23, 2005 at 04:21:39PM -0600, Andy Bakun wrote:
> 
> > Consider example-spammer.com's record:
> > 
> >         v=spf1 mx:%{l} -all
> > 
> > Now, all I need to do is commandeer a bunch of machines with access to
> > aol.com's or comcast.net's MTAs and send through them with MAIL FROM set
> > to:
> > 
> >         aol(_dot_)com(_at_)example-spammer(_dot_)com
> >         comcast(_dot_)net(_at_)example-spammer(_dot_)com
> 
> Well:
> 
> o  If spammers forge mail as being from domains with strict (ending in
>    "-all") spf records, and their mail doesn't authenticate, we can reject
>    their messages as obvious forgeries.

In this example, the mail is not forged at all, or at least the
definitions of "forged" are stretched.  example-spammer.com doesn't need
to do anything to handle increased load on their DNS servers because the
SPF TXT record is static and doesn't reference the example-spammer.com
domain.  All queries go to the DNS servers of the domain they have
zombies on.  These zombies could be smart enough to figure out what to
put on the LHS of the MAIL FROM based on which network they are on.
This may be as simple as doing a PTR lookup on their interface's IP,
searching the registry for known MTA IPs, doing an MX lookup for the
domain they are in and dropping mail off on those MTAs (which may not
require SMTP AUTH to use).

> o  If spammers *do* authenticate themselves, say by the rules of their
>    own published spf records, we can reject based on their domain names.
> 
> So it would be very convenient if example-spammer.com did the thing you
> suggest above, as their domain would make it into domain-name blocklists
> even more quickly.

Yes, so this is good, but we're talking about abuses of the system here.
What is an acceptable level of abuse?

> Of course, they could just make things easier on
> themselves and everyone else by simply publishing "v=spf1 +all".

I'm not sure why a spammer would want to make things easier on everyone
else.

> In any event, do you know of any cases in which allowing macros to end
> in things other than %d will create a problem for mailservers or for
> legitimate uses of mailservers?

I cannot think of one, but that doesn't mean one doesn't exist.  If a
legit use did exist, it might still be in the best interests of avoiding
abuses by disallowing it -- this just means additional DNS setup for
those people who would require it (by using a delegated subdomain, for
example).

Someone who has collected some SPF record stats would be best able to
answer:
      * are there significant uses of macros in SPF records at this
        time?
      * does anyone seem to have a legit use of a non-%{d} macro on the
        rightmost end of domain-spec?

>   (I don't see how in your example above
> what advantage example-spammer.com would gain by using the sort of txt
> record you suggest.)

The advantage is that it is not obviously "completely open" like a +all
record would be, and it's an attack on DNS services using SPF record
evaluators, if the spammer was out to attack DNS or SPF (to discourage
people from enforcing SPF).  In sending their spam, I suppose they don't
gain much, other than that the record at least "appears" legit, so
admins might be slow to add the domain to blacklists.  This may let more
spam through that isn't technically forged email before someone does
take action.

-- 
Andy Bakun <spf(_at_)leave-it-to-grace(_dot_)com>
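The following Python is an added example, not code from this thread, from the spf-discuss list or from any SPF library. It models the record discussed above: "v=spf1 mx:%{l} -all" is static for its publisher, but every evaluator expands %{l} from the sender's local part, so the MX lookup goes to whatever domain the sender put there. It also implements the check Mark asks about, that a domain-spec containing macros must end in %{d}. The record, the sender addresses and the domain names come from the thread; the client IP 192.0.2.1, the `_spf` label and the alternative record `mx:%{l}._spf.%{d}` are constructed for the demonstration. Only the macro letters s, l, o, d and i are expanded and no DNS is performed.

```python
"""SPF macro expansion and a rightmost-%{d} check for domain-specs.

Added example; this is not code from the thread, from the spf-discuss list or
from any SPF library.  It models the record discussed above: "v=spf1 mx:%{l} -all"
is static for its publisher, but every evaluator expands %{l} from the sender's
local part, so the MX lookup goes to whatever domain the sender put there.
Only the macro letters s, l, o, d and i are expanded (uppercase variants are
treated like lowercase), no DNS is performed, and all inputs are constructed.
"""
import re

# %{<letter><digits?><r?><delimiters?>} as in the SPF macro syntax; the second
# pattern also covers the %%, %_ and %- escapes.
BRACED = r"\{([slodi])(\d*)(r?)([.\-+,/_=]*)\}"
MACRO_RE = re.compile("%" + BRACED, re.IGNORECASE)
TOKEN_RE = re.compile("%(?:" + BRACED + "|(%)|(_)|(-))", re.IGNORECASE)
MODIFIER_RE = re.compile(r"[a-z][\w.-]*=", re.IGNORECASE)   # redirect=, exp=

# Mechanisms whose optional argument is a domain-spec, i.e. a DNS target.
DOMAIN_MECHS = {"a", "mx", "ptr", "include", "exists"}


def expand(spec, sender, domain, client_ip):
    """Expand the macros in a domain-spec for one (MAIL FROM, domain, client IP)."""
    local, _, sender_domain = sender.rpartition("@")
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain, "i": client_ip}

    def one(m):
        letter, digits, reverse, delims, pct, underscore, dash = m.groups()
        if pct:
            return "%"
        if underscore:
            return " "
        if dash:
            return "%20"
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if reverse:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]        # keep only the rightmost N labels
        return ".".join(parts)

    return TOKEN_RE.sub(one, spec)


def domain_specs(record):
    """Yield (term, domain-spec or None) for every term that causes a DNS lookup:
    a, mx, ptr, include, exists and the redirect= modifier.  ip4/ip6/all and exp=
    cause none.  None means the mechanism uses its default, the sender domain."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    for term in terms[1:]:
        if MODIFIER_RE.match(term):
            name, _, spec = term.partition("=")
            if name.lower() == "redirect":
                yield "redirect", spec
            continue
        if term[0] in "+-~?":                    # qualifier does not affect the lookup
            term = term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.split("/", 1)[0].lower()     # "a/24" -> "a"
        if mech in DOMAIN_MECHS:
            yield mech, (arg.split("/", 1)[0] or None)   # drop dual-cidr-length


def lookup_targets(record, sender, domain, client_ip):
    """Where the evaluator's DNS queries go for a concrete MAIL FROM."""
    return [(mech, expand(domain if spec is None else spec, sender, domain, client_ip))
            for mech, spec in domain_specs(record)]


def rightmost_is_d(spec):
    """The rule discussed in the thread: a domain-spec containing macros is accepted
    only if its rightmost component is a %{d} macro, so the expanded name always
    ends in the publisher's own domain.  Macro-free specs pass as-is."""
    macros = list(MACRO_RE.finditer(spec))
    if not macros:
        return True
    last = macros[-1]
    return last.group(1).lower() == "d" and spec[last.end():] in ("", ".")


def audit(record):
    """Domain-specs in the record that would be rejected by the rightmost-%{d} rule."""
    return [spec for _, spec in domain_specs(record)
            if spec is not None and not rightmost_is_d(spec)]


if __name__ == "__main__":
    record = "v=spf1 mx:%{l} -all"                # the record from the thread
    for sender in ("aol.com@example-spammer.com", "comcast.net@example-spammer.com"):
        print(sender, "->", lookup_targets(record, sender, "example-spammer.com", "192.0.2.1"))
    print("flagged:", audit(record))
    # Constructed alternative: the expansion stays under the publisher's zone.
    print("flagged:", audit("v=spf1 mx:%{l}._spf.%{d} -all"))
```

Running it shows the point of the thread directly: with the published record, a MAIL FROM of aol.com@example-spammer.com sends the evaluator's MX query to aol.com and comcast.net@example-spammer.com sends it to comcast.net, while example-spammer.com's own DNS is never touched. `audit` flags `mx:%{l}` and accepts the constructed `mx:%{l}._spf.%{d}`, whose expansion always ends in the publisher's domain, which is what restricting macros to end in %{d} buys you.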

