
Re: [spf-discuss] Re: MS Puts SID Patents Under Open Specification Promise

2006-11-01 04:57:17

Please all: verify my scenario. It would be sad if there
is an error in it, or even a typo.


On Tue, Oct 31, 2006 at 08:53:09PM -0700, Devin Ganger wrote:

> Does anybody have any pointers to constructing a test case that can clearly
> demonstrate this? If I have time, I'd love to be able to get a working demo.
> Conferences love a good show and tell.

------------------------------------------------------------------------
Two domains:

example.com
example.net

Use one of them for your RFC821 "MAIL FROM" address,
use the other for your RFC822 "From:" address.

example.com  TXT "v=spf1 ip4:192.0.2.1 -all"
example.net  TXT "v=spf1 -all"

A machine with address 192.0.2.1 connects and says:

1: HELO example.com
2: MAIL FROM:<user@example.com>
3: RCPT TO:<some receiver verifying SPF>
4: DATA
5: ...
6: From: "me" <user@example.net>
7: ...
8: .

Lines 5 and 7 contain irrelevant stuff.  They do not contain lines
that would make SID not look at line 6.

Result:

-1-  SPF: looks only at lines 1 and 2.  Both match, SPF gives a PASS
-2-  SID/PRA: looks at line 6.  Results in FAIL.

Why has "example.net" published the record as is?  Because example.net
is never used as sender address (RFC821).  That's why.  And this is
what SPF records are about, so this setup is quite clever and quite
legal as far as SPF is concerned.  Without SPF, it is legal as well.

But now we cannot send to hotmail, because MS looks at line 6, not 2.

OK, let's try and opt out of SenderID:

example.com  TXT "v=spf1 ip4:192.0.2.1 -all"
example.net  TXT "v=spf1 -all"
example.net  TXT "spf2.0/pra ?all"   [TODO: verify and/or correct]

Reasoning: Microsoft will use the 3rd TXT record for its protocol, SPF
uses the 1st and 2nd.  This is bad: instead of opting in, I have to
opt out.  But alas, let's do this anyway.  I publish PRA and opt out.

Not so!!!  Hotmail will not use the spf2.0 record, thus not only does
MS abuse SPF records in a totally wrong way, we can't even opt out.
------------------------------------------------------------------------

I believe we have seen something similar, years ago, on this list.
Frank if memory serves me well?


regards
Alex
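
The scenario above, as an added example that is not part of Alex's post or of any SPF/Sender ID implementation: a minimal Python model of the two checks, with constructed DNS data (the records from the post, before and after the attempted opt-out) and constructed message headers. It implements only the `ip4` and `all` mechanisms, selects the PRA in the RFC 4406 header order, and applies the RFC 4406 record-selection rule (use `spf2.0/pra`, fall back to `v=spf1` when none exists). The `honour_spf2=False` switch is an assumption of the demo that models the behaviour the post attributes to Hotmail; it is not a verified description of any receiver.

```python
"""Minimal model of the SPF (RFC 4408) vs. Sender ID PRA (RFC 4406) scope
mismatch.  Constructed example; not code from the post or from any project."""
import ipaddress
import re

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS data: the TXT records as published in the scenario,
# before and after the attempted spf2.0/pra opt-out.
ZONE_BEFORE = {
    "example.com": ["v=spf1 ip4:192.0.2.1 -all"],
    "example.net": ["v=spf1 -all"],
}
ZONE_AFTER = {
    "example.com": ["v=spf1 ip4:192.0.2.1 -all"],
    "example.net": ["v=spf1 -all", "spf2.0/pra ?all"],
}

# Constructed message headers from the DATA phase (line 6 of the session).
HEADERS = [
    ("From", '"me" <user@example.net>'),
    ("To", "<someone@example.org>"),
    ("Subject", "SPF vs. PRA demo"),
]


def evaluate(record, client_ip):
    """Evaluate a record using only the 'ip4' and 'all' mechanisms (enough for
    the scenario; real evaluators also implement a, mx, include, redirect...)."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the version tag
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER[qualifier]
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qualifier]
        else:
            raise ValueError(f"unsupported mechanism in demo: {term}")
    return "neutral"                          # nothing matched and no 'all'


def spf1_records(zone, domain):
    return [r for r in zone.get(domain, []) if r.split()[0].lower() == "v=spf1"]


def spf2_records(zone, domain, scope):
    """Records whose version tag is spf2.0/<scopes> with <scope> in the list."""
    found = []
    for r in zone.get(domain, []):
        tag = r.split()[0].lower()
        if tag.startswith("spf2.0/") and scope in tag[len("spf2.0/"):].split(","):
            found.append(r)
    return found


def domain_of(address):
    return address.rsplit("@", 1)[1].lower()


def spf_check(zone, client_ip, mail_from):
    """Classic SPF: the MAIL FROM domain's v=spf1 record against the client IP."""
    recs = spf1_records(zone, domain_of(mail_from))
    return evaluate(recs[0], client_ip) if recs else "none"


def extract_pra(headers):
    """Purported Responsible Address, in the RFC 4406 header precedence order."""
    for wanted in ("Resent-Sender", "Resent-From", "Sender", "From"):
        for name, value in headers:
            if name.lower() == wanted.lower():
                m = re.search(r"<([^>]+)>", value)
                return m.group(1) if m else value.strip()
    return None


def senderid_pra_check(zone, client_ip, headers, honour_spf2=True):
    """Sender ID PRA check.  honour_spf2=False is a demo assumption: a receiver
    that ignores spf2.0/pra records and reuses v=spf1 unconditionally."""
    domain = domain_of(extract_pra(headers))
    recs = spf2_records(zone, domain, "pra") if honour_spf2 else []
    if not recs:                              # RFC 4406 rule: fall back to v=spf1
        recs = spf1_records(zone, domain)
    return evaluate(recs[0], client_ip) if recs else "none"


if __name__ == "__main__":
    ip, mail_from = "192.0.2.1", "user@example.com"
    print("SPF (MAIL FROM example.com):", spf_check(ZONE_BEFORE, ip, mail_from))
    print("PRA (From: example.net):", senderid_pra_check(ZONE_BEFORE, ip, HEADERS))
    print("PRA after opt-out, spf2.0 honoured:", senderid_pra_check(ZONE_AFTER, ip, HEADERS))
    print("PRA after opt-out, spf2.0 ignored:", senderid_pra_check(ZONE_AFTER, ip, HEADERS, False))
```

Running it reproduces the post's table: SPF passes on the MAIL FROM domain, the PRA check fails on the From: domain, the `spf2.0/pra ?all` record turns that into neutral only for a receiver that consults `spf2.0` records, and a receiver that reuses `v=spf1` still fails. The model skips the HELO check (line 1 of the session), which the post counts as a second SPF match.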

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to
http://v2.listbox.com/member/?listname=spf-discuss@v2.listbox.com