Spamhaus...

Wed Feb 24 13:21:59 UTC 2010

On Sun, Feb 21, 2010 at 10:59:08PM -0600, James Hess wrote:
> But if the origin domain has not provided SPF records,  there are some
> unusual cases left open,  where a bounce to a potentially fake address
> may still be required.

Third time: SPF plays no role in mitigating this.  Nothing stops an
attacker from using a throwaway domain to send traffic to known
backscatterers, who will then backscatter it to $throwawaydomain,
whose MX's are set to $victim's MX's.  This is not a hypothetical, BTW,
and there are a number of more interesting attack scenarios that I'll leave
as an exercise for the reader.  (Some of these have been discussed in
detail on spam-l, and may be found in the archives.)

However, even if SPF is in play, a surprising (and perhaps disturbing)
number of mail operations authenticate users but then do not require
that the sender match the authenticated user.  This permits the attacker
to use joe at example.com to target sue at example.com with backscatter, if
the user-part can be set independently.  (Even if sue at example.com does
not exist, it still permits targeting of example.com.)  And if the domain-part
can be set independently, then obviously third parties can be targeted.
(Again, see the archives of spam-l where all of this has been analyzed
and discussed in great depth.)

Yes, yes, yes, we can argue that some of this is bad mail system practice
on the part of example.com, and we can argue that this is bad security
practice on the part of joe, and both of these arguments have merit,
but it's one the first principles of abuse control that abuse should
always be squelched where possible, never passed on, reflected or even
worse, amplified.   A little transient schadenfreude might feel good,
but it's poor operational practice -- it's never appropriate to respond
to abuse with abuse.

---Rsk