Alex van den Bogaerdt wrote:

> Maybe if you write down the relevant headers ...
The MSA is hardpass.example; it checks the MAIL FROM.
You get an account newuser@phisher.example.
You can submit mail at this MSA, resulting in:

HELO mail.hardpass.example
MAIL FROM:<newuser@phisher.example>
RCPT TO:<victim@hotmail.example>
DATA
From: whatever@you-like.example
...
.

The latter (whatever@you-like.example) is the PRA.
Now find a v=spf1 sender policy permitting this MSA:
trust.example IN TXT "v=spf1 a:mail.hardpass.example -all"
And so you get your bogus PRA-PASS on this "op=auth" MSA:
HELO mail.hardpass.example
MAIL FROM:<newuser@phisher.example>
RCPT TO:<victim@hotmail.example>
DATA
From: somebody@trust.example
...
.
Just the ordinary cross-user forgery. On a system that is normally good enough for an op=auth HARDPASS.

Bye, Frank
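Added example (not part of Frank's post, and not code from any real MSA): the two submission checks side by side. The first ties only the envelope MAIL FROM to the authenticated account, which is exactly the gap the second transcript above exploits; the second also extracts the PRA from the headers (Resent-Sender, Resent-From, Sender, From, in that order) and refuses the submission unless the PRA is an identity the login owns. The sample message and the set of "allowed identities" are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Constructed sample, mirroring the second transcript in the post:
# newuser@phisher.example is the authenticated account, but the header
# From: claims a domain whose SPF record permits mail.hardpass.example.
SAMPLE_FORGED = (
    "From: somebody@trust.example\r\n"
    "To: victim@hotmail.example\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
)

def pra_of(msg):
    """Purported Responsible Address: first of Resent-Sender, Resent-From,
    Sender, From that is present (the header order Sender ID specifies)."""
    for hdr in ("Resent-Sender", "Resent-From", "Sender", "From"):
        val = msg.get(hdr)
        if val:
            return parseaddr(val)[1].lower()
    return None

def msa_accepts_mailfrom_only(auth_user, mail_from, raw_message):
    """The check described in the post: only the envelope sender is
    compared with the authenticated account, so any From: goes through
    and collects an SPF/PRA pass from the MSA's outgoing IP."""
    return mail_from.lower() == auth_user.lower()

def msa_accepts_hardened(auth_user, mail_from, raw_message, allowed=None):
    """Hardened submission check: both the envelope sender and the PRA
    must be identities the authenticated user owns.  Assumption: the
    owned identities are just the login address unless a set is given."""
    allowed = {a.lower() for a in (allowed or {auth_user})}
    if mail_from.lower() not in allowed:
        return False
    pra = pra_of(email.message_from_string(raw_message))
    return pra is not None and pra in allowed

if __name__ == "__main__":
    user = "newuser@phisher.example"
    print("MAIL FROM only:", msa_accepts_mailfrom_only(user, user, SAMPLE_FORGED))
    print("MAIL FROM + PRA:", msa_accepts_hardened(user, user, SAMPLE_FORGED))
```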