spf-discuss
[Top] [All Lists]

Re: Draft IETF appeal

2005-08-23 18:39:50
wayne wrote:

can you give an example where using the PRA on SPF records
will give an "erroneous PASS"?

Let's assume that I have an account xyzzy(_at_)gmx   GMX is a mail
provider with a no nonsense SPF FAIL policy (checking... yes).

Let's assume that it's a well-behaved MSA, I can submit mails
with Return-Path xyzzy(_at_)gmx, but not e.g. wayne(_at_)gmx (2476 6.1).

So everybody knows that a PASS from GMX is a good PASS.  Now
let's assume that your're an attacker, you get a free account
wayne(_at_)gmx, use it as Return-Path, and you set From: xyzzy(_at_)gmx

The poor hotmail user who's used to take the PRA PASS for real
would get PRA = xyzzy and result PASS.  From a trustworthy MSA
that did nothing wrong, quite the contrary, it followed all
recommedantions in draft-hutzler and draft-schlitt.

By "erroneous", I mean case where a domain the domain owner
determined by the PRA algorigthm is given a PASS when it
would not have PASSes if it was found in the return-path.

No, it's not that bad.  But still a serious case of cross-user
forgery:  GMX could publish op=auth (Scott's "HARDPASS", 2476
enforced submission rights) for its MSA.  This works for SPF,
but not PRA.

Maybe I should add this to the op= memo, auth + pra at the same
time won't work as expected.
                               Bye, Frank



<Prev in Thread] Current Thread [Next in Thread>