spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Re: Hotmail preparing to check SID with spf2.0/pra only?

2005-06-20 02:08:17
from [Alex van den Bogaerdt] [Permanent Link] 
On Mon, Jun 20, 2005 at 02:58:17AM +0200, Frank Ellermann wrote:


Now find a v=spf1 sender policy permitting this MSA:

trust.example IN TXT "v=spf1 a:mail.hardpass.example -all"

And so you get your bogus PRA-PASS on this "op=auth" MSA:

    HELO mail.hardpass.example
    MAIL FROM:<newuser(_at_)phisher(_dot_)example>
    RCPT TO:<victim(_at_)hotmail(_dot_)example>
    DATA 
    From: somebody(_at_)trust(_dot_)example
    ...
    .
Just the ordinary cross-user forgery.  On a system that is
normally good enough for an op=auth HARDPASS.  Bye, Frank


So it isn't perfect.  At least trust.example allowed a certain host
to use its name.  If the mail from isn't checked (by MS) then we
have no protection against bounces anyway, at least now you know
it came from a host related (however loosly) to trust.example

Alex
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: OpenSPF.org domain name still available for this project..., johnp
Next by Date:  Re: Council: Choosing a SPF domain name, johnp
Previous by Thread:  Re: Hotmail preparing to check SID with spf2.0/pra only?, Frank Ellermann
Next by Thread:  Re: Hotmail preparing to check SID with spf2.0/pra only?, Frank Ellermann
Indexes:  [Date] [Thread] [Top] [All Lists]