spf-discuss

Re: [spf-discuss] Re: draft-otis-spf-dos-exploit

2006-11-02 17:39:45
On Thu, 2 Nov 2006, wayne wrote:

> One clear error is that he postulates that messages are checked at
> the MDA and in the MUA both.  That lets him double everything.

> But the SPF records *could* be checked both places, and at each
> forwarder hop.

Forwarders are configured by the receiver.  Even if the receiver 
does not keep track (e.g. mail provider with users that configure
their own forwarders), checking SPF for a given domain more than once is a
braindead checking implementation.

> Say the attacker can set up a chain of 100 forwarding hops where
> a@a.com forwards to b@b.com which forwards to c@c.com, etc.  If each
> of those forwarders checks the SPF record and yet none of them do SRS,
> then *poof*, you have an amplification factor of 100.

The attacker can't set up forwarding hops for the receiver.  Or if he
can, there is a much bigger problem than DoS via SPF.

The attacker could, of course, check SPF on his own domain from machines
under his own control all he wants - but that doesn't count as
"amplification".

Now, if there were a large number of incredibly stupid SPF checking MTAs,
and forwarders that *also* check SPF, but don't do SRS (even though the
recipient is going to check SPF for the same domain again), and the attacker
could get a list of all these bozos, then we could get some amplification
beyond the 100 A queries that MX provides.  If that is the scenario -
then the solution is to help/convince the owners of the stupid MTAs to
get their software fixed.

This does bring up a point.  Forwarders can help by doing SRS for
recipients that won't/can't whitelist them.  The recipients check the
forwarder's domain, rather than further amplifying any 3rd party DoS attacks by
rechecking the original sender domain.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flammis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
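As an added illustration (not part of this post or of any SPF implementation), a small Python model of the forwarding chain discussed above: every hop performs an SPF check on the envelope sender's domain, and with SRS each forwarder rewrites that sender to its own domain before forwarding, so the lookups land on the forwarder instead of piling up on the original sender. The SRS0 encoding, the shared secret and the timestamp are constructed stand-ins, and the model rewraps with SRS0 at every hop rather than switching to SRS1 as real implementations do.

```python
import base64
import hashlib
import hmac
from collections import Counter

# Hypothetical per-forwarder secret; real deployments use a private, rotated key.
SRS_SECRET = b"constructed-secret"


def srs0_rewrite(envelope_from: str, forwarder: str, timestamp: str = "AB") -> str:
    """Rewrite local@orig.example into SRS0=HHHH=TT=orig.example=local@forwarder.

    HHHH is a truncated HMAC so the forwarder can later verify bounces it
    receives for the rewritten address really originated from its own rewrite.
    The timestamp "AB" is a constructed placeholder for the SRS day counter.
    """
    local, domain = envelope_from.rsplit("@", 1)
    msg = f"{timestamp}{domain}{local}".lower().encode()
    mac = hmac.new(SRS_SECRET, msg, hashlib.sha1).digest()
    hh = base64.b64encode(mac)[:4].decode()
    return f"SRS0={hh}={timestamp}={domain}={local}@{forwarder}"


def spf_domain(envelope_from: str) -> str:
    """SPF is evaluated against the domain part of the envelope sender (MAIL FROM)."""
    return envelope_from.rsplit("@", 1)[1].lower()


def run_chain(original_from: str, forwarders: list, use_srs: bool) -> Counter:
    """Count SPF lookups per domain as a message crosses the forwarders and
    finally reaches the recipient; every hop checks SPF on arrival."""
    lookups = Counter()
    current = original_from
    for hop in forwarders:
        lookups[spf_domain(current)] += 1  # forwarder checks SPF on arrival
        if use_srs:
            current = srs0_rewrite(current, hop)  # forward under hop's own domain
    lookups[spf_domain(current)] += 1  # final recipient checks SPF too
    return lookups


if __name__ == "__main__":
    chain = [f"fwd{i}.example" for i in range(1, 4)]  # constructed 3-hop chain
    for srs in (False, True):
        print("SRS" if srs else "no SRS", dict(run_chain("victim@sender.example", chain, srs)))
```

Without SRS the sender's domain is queried once per hop plus once at the recipient, which is the amplification the thread describes; with SRS each domain, the original sender included, is queried exactly once.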

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/