[81764] in North American Network Operators' Group


Re: ISP phishing

daemon@ATHENA.MIT.EDU (Todd Vierling)
Wed Jun 29 09:59:19 2005

Date: Wed, 29 Jun 2005 09:58:07 -0400 (Eastern Daylight Time)
From: Todd Vierling <tv@duh.org>
To: Peter Corlett <abuse@cabal.org.uk>
Cc: nanog@nanog.org
In-Reply-To: <d9u3ho$k3p$1@dopiaza.cabal.org.uk>
Errors-To: owner-nanog@merit.edu


On Wed, 29 Jun 2005, Peter Corlett wrote:

> > Actually, what you have to guarantee is that you never send email to
> > anyone who forwards their email elsewhere. This is impossible.
>
> How do you figure that?
>
> The failure mode in this case is if somebody arranges "dumb" mail
> forwarding that doesn't do envelope rewriting, and also applies a SPF
> filter on their incoming mail.

Actually, that's not quite right.  The failure mode is if someone arranges
no-rewrite mail forwarding, and mail is sent through that forwarding host
from a domain with a published SPF record ending in "-all".

Or, to put it in steps:

1. foo@one.example.com sends a mail to bar@two.example.com.
   "one.example.com" has a SPF record ending in "-all", but the mail at this
   point is coming from a SPF-pass host.

2. bar@two.example.com is a dumb forward to baz@three.example.com.  The mail
   from foo@one.example.com is now coming from an SPF-fail host.

3. baz@three.example.com has SPF filtering turned on.  It receives the mail
   attempt from foo@one.example.com, but the SPF test fails authoritatively.
   The mail is blocked.

This is the single external dependency problem with SPF, such that
forwarding accounts that do not employ SRS or similar botch the whole
scheme.  As a result, many end hosts have started putting in local SPF
exceptions for some forwarding hosts that do not implement sender rewriting.

However, many popular forwarding account systems (particularly large ones
like pobox.com and mail.com) have awakened to the failure mode in step 2.
These hosts have either implemented SRS, or changed the envelope-from on
forwarded mail to be something like the forwarding account itself (with loop
detection) or postmaster@.

-- 
-- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
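The three-step path above, as an added example that is not part of the original thread: a small Python model of SPF evaluation through a forwarder, comparing a dumb (no-rewrite) forward with the two remedies Todd mentions, SRS rewriting and rewriting to the forwarding account itself. Hosts, IPs and SPF records are constructed placeholders.

```python
import ipaddress

# Constructed SPF records: domain -> (authorized networks, terminal qualifier)
SPF_RECORDS = {
    "one.example.com": (["192.0.2.10/32"], "-all"),
    "two.example.com": (["198.51.100.0/24"], "-all"),
}

def spf_check(domain, client_ip):
    """Minimal SPF evaluation: 'pass' if client_ip matches an authorized
    network, otherwise the result implied by the record's terminal qualifier."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none"
    nets, terminal = record
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n) for n in nets):
        return "pass"
    return {"-all": "fail", "~all": "softfail", "?all": "neutral"}.get(terminal, "neutral")

def forward(envelope_from, forwarding_account, mode):
    """Envelope-from the forwarder presents to the next hop.
    mode: 'dumb' keeps the original sender; 'srs' applies an SRS0-style
    rewrite (hash and timestamp fields are constructed placeholders);
    'account' uses the forwarding account itself as the bounce address."""
    local, domain = envelope_from.split("@")
    fwd_domain = forwarding_account.split("@")[1]
    if mode == "dumb":
        return envelope_from
    if mode == "srs":
        return f"SRS0=HHH=TT={domain}={local}@{fwd_domain}"
    if mode == "account":
        return forwarding_account
    raise ValueError(mode)

def deliver_via_forwarder(sender, sender_ip, forwarding_account, forwarder_ip, mode):
    """Return the SPF results seen at the forwarder (step 1) and at the
    final recipient (step 3) for the message path described in the thread."""
    step1 = spf_check(sender.split("@")[1], sender_ip)       # sender's own authorized host
    new_from = forward(sender, forwarding_account, mode)     # step 2: re-sent by the forwarder
    step3 = spf_check(new_from.split("@")[1], forwarder_ip)  # checked against the forwarder's IP
    return step1, step3

if __name__ == "__main__":
    for mode in ("dumb", "srs", "account"):
        print(mode, deliver_via_forwarder("foo@one.example.com", "192.0.2.10",
                                          "bar@two.example.com", "198.51.100.5", mode))
```

With the dumb forward the final hop evaluates one.example.com's "-all" record against the forwarder's IP and hard-fails; either rewrite makes the forwarder's own domain responsible for the envelope, so the check passes.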
