On Mon, Jun 20, 2005 at 02:58:17AM +0200, Frank Ellermann wrote:
> Now find a v=spf1 sender policy permitting this MSA:
>
> trust.example IN TXT "v=spf1 a:mail.hardpass.example -all"
>
> And so you get your bogus PRA-PASS on this "op=auth" MSA:
>
> HELO mail.hardpass.example
> MAIL FROM:<newuser@phisher.example>
> RCPT TO:<victim@hotmail.example>
> DATA
> From: somebody@trust.example
> ...
> .
>
> Just the ordinary cross-user forgery. On a system that is
> normally good enough for an op=auth HARDPASS. Bye, Frank
So it isn't perfect. At least trust.example allowed a certain host
to use its name. If the mail from isn't checked (by MS) then we
have no protection against bounces anyway; at least now you know
it came from a host related (however loosely) to trust.example.
Alex
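As an added illustration (not code from this thread or from any SPF/Sender ID implementation it refers to), the following toy model replays Frank's session: the receiver's PRA check on From: somebody@trust.example returns PASS because trust.example's record authorises the connecting host, and an alignment policy at the MSA (hypothetical, named msa_accepts here) would have refused the submission. The DNS data, the address 192.0.2.25 and the cut-down v=spf1 evaluator are constructed for the example.

```python
# Added example: toy model of the cross-user forgery, plus a submission-time
# check an "op=auth" MSA could add. DNS, IPs and the evaluator are constructed
# and simplified; real v=spf1 has many more mechanisms, macros and lookup limits.

# Constructed DNS: trust.example authorises mail.hardpass.example, as in the thread.
DNS_A = {"mail.hardpass.example": "192.0.2.25"}
DNS_TXT = {"trust.example": "v=spf1 a:mail.hardpass.example -all"}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain):
    """Minimal v=spf1 evaluation: only 'a:<host>' and 'all' are supported."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all" or (term.startswith("a:") and DNS_A.get(term[2:]) == ip):
            return RESULT[qualifier]
    return "neutral"

PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")

def purported_responsible_address(headers):
    """Simplified PRA selection: the first header present in this precedence."""
    for name in PRA_HEADERS:
        if name in headers:
            return headers[name]
    return None

def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower()

def pra_result(ip, headers):
    """What a Sender ID (PRA) check at the receiver sees for this message."""
    return check_host(ip, domain_of(purported_responsible_address(headers)))

def msa_accepts(auth_user, mail_from, headers):
    """Hypothetical submission policy for the MSA: an authenticated user may
    only use MAIL FROM and PRA addresses in the domain of their credential."""
    owned = domain_of(auth_user)
    pra = purported_responsible_address(headers)
    return domain_of(mail_from) == owned and domain_of(pra) == owned

# Constructed replay of the session in the thread, as seen from 192.0.2.25:
# pra_result(...) is "pass" although the submitter was newuser@phisher.example.
FORGED_HEADERS = {"From": "somebody@trust.example"}
```

The PASS only says the connecting host was authorised by trust.example; the msa_accepts policy is what ties the authenticated submitter to the identities the receiver will later check.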