
Re: [spf-discuss] Using CBV

2006-02-17 19:53:54
"David Mazieres (no direct replies)" 
<dm-list-spf(_at_)scs(_dot_)stanford(_dot_)edu> wrote in

> Okay, maybe this is the confusion...  Does this describe what's
> happening?
>
>   - Machine A is sending mail "from" address user(_at_)example(_dot_)com to
>     machine B.
>
>   - You check whether example.com is running an open relay.
>
>   - You *don't* explicitly check whether machine A is an open relay.


No. Hmmmm, I am failing to understand why this is difficult to grasp.

> If that's the case, the check would seem to be of limited utility
> unless A also happens to be the mail exchanger for example.com.

I just showed you a LOG showing where it does work, and that was an old log
that first cropped up from a simple grep.  And you still say it is of limited
utility?  :-)

Again, this is a fundamental principle in SMTP; it is worth repeating:

The standard "Rule of Thumb" in SMTP is:

    - Local Domain recipients do not need authentication to relay
    - Remote domain recipients need authentication to relay.

Restated:

   - A non-authenticated sender is only allowed to send local mail.
   - Sender Authentication is required to send remote mail.

If this fundamental and essential standard mode of SMTP operation is
violated then you have an "open-relay" issue which means anyone can send
mail to remote sites via this open-relay site.

> But at least the scheme, as I now understand it, doesn't risk loops.

Just consider: a CBV is just another SMTP session, just like if you replied.
There is nothing special about it because it works with 100% backward
compatibility functionality.  So if you follow the specs, the BCP, it
should always work.  That has nothing to do with whether the return path is
really a "bad person" or a zombie site, but that it is only valid at the
moment it is presented.  Not later, not today.  At the moment it is
presented.

> Well, it's not an issue now because CBV hasn't been that widely
> deployed.

It's widely deployed among thousands of our customer base and its network of
users.  If they haven't experienced a problem by now, I doubt they will
tomorrow.

There are many vendors using CBV, at least 5-6 vendors and software products.
It is more widely deployed than one wishes to acknowledge.

> If everyone did CBV, it would allow a new kind of "reflector" attack.

Possibly.

But then again, this happens right now without a CBV, because a CBV is just
another SMTP session, just like the millions of slamming connections a site
already gets.  You have no clue what the intent of that connecting sender
is.

And yes, there is disseminating first done before a CBV action is taken. It
is not the only tool one should use.  It needs to be augmented with other
things, like an SPF.

Anyway, thanks for the comments.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
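The two points of the reply above, the relay rule of thumb and "a CBV is just another SMTP session", as an added example (not code from the thread or from Santronics): a toy in-memory MTA that applies the rule, a callback-verification probe that is nothing but a normal session stopped after RCPT TO, and a self-check you can run against your own server's unauthenticated session. All domains and addresses are constructed placeholders.

```python
LOCAL_DOMAINS = {"example.com"}  # constructed: domains this MTA delivers locally

def relay_allowed(rcpt: str, authenticated: bool, local=LOCAL_DOMAINS) -> bool:
    """Rule of thumb from the thread: local recipients need no authentication,
    remote recipients are accepted only from an authenticated sender."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    return domain in local or authenticated

class ToyMTA:
    """In-memory SMTP responder; open_relay=True models a misconfigured server."""

    def __init__(self, authenticated=False, open_relay=False, local=LOCAL_DOMAINS):
        self.authenticated, self.open_relay, self.local = authenticated, open_relay, local

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO", "MAIL", "RSET"):
            return "250 OK"
        if verb == "RCPT":
            rcpt = arg.split("<", 1)[-1].split(">", 1)[0]  # strip "TO:<...>"
            if self.open_relay or relay_allowed(rcpt, self.authenticated, self.local):
                return "250 OK"
            return "550 Relaying denied"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unrecognized command"

def smtp_session(mta: ToyMTA, commands):
    """Run a plain SMTP dialogue; returns [(command, reply), ...] for the log."""
    return [(cmd, mta.handle(cmd)) for cmd in commands]

def cbv_probe(mta: ToyMTA, return_path: str) -> bool:
    """Callback verification: an ordinary SMTP session to the sender's MX that
    stops after RCPT TO (DATA is never sent) and resets. Valid only right now."""
    log = smtp_session(mta, ["HELO mx.receiver.invalid", "MAIL FROM:<>",
                             f"RCPT TO:<{return_path}>", "RSET", "QUIT"])
    return log[2][1].startswith("250")

def relays_for_remote(mta: ToyMTA) -> bool:
    """Self-check for your own MTA in an unauthenticated session: a 250 to a
    RCPT for a remote domain means the relay rule above is violated."""
    log = smtp_session(mta, ["HELO test.invalid", "MAIL FROM:<probe@test.invalid>",
                             "RCPT TO:<someone@remote.invalid>", "RSET", "QUIT"])
    return log[2][1].startswith("250")
```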


-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
