spf-discuss

Re: Hotmail preparing to check SID with spf2.0/pra only?

2005-06-19 17:58:17
Alex van den Bogaerdt wrote:
 
Maybe if you write down the relevant headers ...

The MSA is hardpass.example, it checks the MAIL FROM.
You get an account newuser@phisher.example
You can submit mail at this MSA resulting in

    HELO mail.hardpass.example
    MAIL FROM:<newuser@phisher.example>
    RCPT TO:<victim@hotmail.example>
    DATA
    From: whatever@you-like.example
    ...
    .

The latter (whatever@you-like.example) is the PRA.
Now find a v=spf1 sender policy permitting this MSA:

trust.example IN TXT "v=spf1 a:mail.hardpass.example -all"

And so you get your bogus PRA-PASS on this "op=auth" MSA:

    HELO mail.hardpass.example
    MAIL FROM:<newuser@phisher.example>
    RCPT TO:<victim@hotmail.example>
    DATA
    From: somebody@trust.example
    ...
    .

Just the ordinary cross-user forgery.  On a system that is
normally good enough for an op=auth HARDPASS.  Bye, Frank
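
An added example, not part of the original post: a Python sketch of why the second submission earns a PRA pass at the receiver, and of the submission-time check an MSA needs to refuse it. The PRA selection is simplified to the header order Resent-Sender, Resent-From, Sender, From; the account table, the hostname-based stand-in for the `a:` lookup, and all function names are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed data: addresses each authenticated MSA account may send as.
ACCOUNT_ADDRESSES = {"newuser@phisher.example": {"newuser@phisher.example"}}
# Constructed stand-in for DNS: domain -> hosts permitted by its v=spf1 "a:" term.
# (Real SPF compares the connecting IP with the A records of that host.)
SPF_PERMITTED_HOSTS = {"trust.example": {"mail.hardpass.example"}}

# Constructed messages mirroring the two submissions in the post.
OWN_MSG = "From: newuser@phisher.example\nSubject: test\n\nbody\n"
FORGED_MSG = "From: somebody@trust.example\nSubject: test\n\nbody\n"

def pra(raw_message):
    """Simplified PRA: first non-empty of the four headers, in order."""
    msg = message_from_string(raw_message)
    for header in ("Resent-Sender", "Resent-From", "Sender", "From"):
        address = parseaddr(msg.get(header, ""))[1].lower()
        if address:
            return address
    return None

def receiver_pra_result(raw_message, sending_host):
    """Result a receiver gets when it applies the v=spf1 record to the PRA domain."""
    address = pra(raw_message)
    if not address:
        return "none"
    hosts = SPF_PERMITTED_HOSTS.get(address.rpartition("@")[2])
    if hosts is None:
        return "none"
    return "pass" if sending_host in hosts else "fail"

def msa_accepts(account, mail_from, raw_message):
    """MSA-side check: MAIL FROM and the PRA must both belong to the account."""
    allowed = ACCOUNT_ADDRESSES.get(account, set())
    return mail_from.lower() in allowed and pra(raw_message) in allowed

if __name__ == "__main__":
    acct = "newuser@phisher.example"
    # The receiver sees a PRA pass for trust.example on the forged message ...
    print(receiver_pra_result(FORGED_MSG, "mail.hardpass.example"))
    # ... which an MSA that also checks the PRA would never have relayed.
    print(msa_accepts(acct, acct, FORGED_MSG), msa_accepts(acct, acct, OWN_MSG))
```

An MSA that validates only MAIL FROM corresponds to dropping the second condition in `msa_accepts`, which is the gap the post describes.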