Spammers Skirt IP Authentication Attempts

Daniel Reed n at ml.org
Wed Sep 8 20:59:14 UTC 2004


On 2004-09-08T15:15-0500, Robert Bonomi wrote:
) Same thing applies for 'simple' forwarding via sendmail's '~/.forward'
) mechanism.  The mail server 'accepts' the mail from the original source,
) and then 're-sends' to the new destination.  That re-send originates as
) the _forwarding_party_, WITH an 'envelope from' of that forwarding party,
) even though the internal content of the message may show a _different_,
) and unrelated, "From" address.

My experience with Sendmail has been that the envelope sender is retained
through /etc/aliases or ~/.forward. I can confirm that qmail's .qmail
definitely retains the envelope sender of the original message.

MAIL From:<user at example.com>
RCPT To:<aliasuser at example.net>

Received: from outgoing.example.com by mail.example.net
Received-SPF: pass: outgoing.example.com allowed for example.com

MAIL From:<user at example.com>
RCPT To:<realaddress at example.org>

Received: from mail.example.net by incoming.example.org
Received-SPF: fail: mail.example.net NOT allowed for example.com


Mailing lists get away with changing the envelope sender because the
original sender does not actually expect to receive DSNs for the message for
individual subscribers. Forwarding sites, on the other hand, can not simply
modify the envelope sender; DSNs *are* expected to track back to the
originating sender through a simple forward.

One proposal is to allow forwarding sites to modify the envelope sender in
such a way as to encode the original envelope sender in the LHS of an
@forwarding.site address. For example:

MAIL From:<bounce-user=example.com at example.net>
RCPT To:<realaddress at example.org>

Received: from mail.example.net by incoming.example.org
Received-SPF: fail: mail.example.net allowed for example.net


A naive scheme would allow for open relaying, however. A widely-deployed
naive scheme could be used by spammers to send mail to arbitrary addresses:

for i in $list; do
	mail bounce-$(echo $i | sed s/@/=/)@example.net < myspam
done

At least one anti-spam group has claimed they will list mail servers from
forwarding sites that use such an easily-exploited scheme.

:(

-- 
Daniel Reed <n at ml.org>	http://people.redhat.com/djr/	http://naim.n.ml.org/
1832 Savior214: that sucks that one day your just gonna die and all that
work you did learning stuff just gets a rm -rf
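
Added example, not part of the original post and not code from any mail server: one way a forwarding site could keep the bounce-user=example.com layout discussed above without becoming a relay is to put a keyed-hash tag and a day stamp in the rewritten address and to accept a bounce only when the tag verifies. The key, tag length, day-stamp format and validity window are assumptions made for this sketch.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: per-site secret, never published
FORWARDER = "example.net"         # the forwarding site used in the post
MAX_AGE_DAYS = 7                  # assumption: how long a DSN is honoured


def _tag(day, local, domain):
    """Keyed hash binding the original sender to the day the address was issued."""
    msg = f"{day}:{local}@{domain}".lower().encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]


def rewrite_sender(original, today):
    """Envelope sender to use when re-sending a forwarded message.

    `today` is a day counter (days since the epoch); only the last three
    digits are stored in the address.
    """
    local, domain = original.rsplit("@", 1)
    day = today % 1000
    return f"bounce-{_tag(day, local, domain)}-{day}-{local}={domain}@{FORWARDER}"


def bounce_target(rcpt, today):
    """Original sender for an incoming DSN, or None if we never issued rcpt."""
    lhs, _, site = rcpt.rpartition("@")
    if site.lower() != FORWARDER or not lhs.startswith("bounce-"):
        return None
    try:
        tag, day_s, rest = lhs[len("bounce-"):].split("-", 2)
        local, domain = rest.rsplit("=", 1)  # a domain never contains '='
        day = int(day_s)
    except ValueError:
        return None  # includes the untagged bounce-user=example.com form
    if (today - day) % 1000 > MAX_AGE_DAYS:
        return None  # stale address: stop honouring it
    if not hmac.compare_digest(tag.encode(), _tag(day, local, domain).encode()):
        return None  # tag was not produced with our key, or target was altered
    return f"{local}@{domain}"
```

An address that fails the check is rejected at RCPT time instead of being re-sent, so mail addressed to a hand-built bounce-...@example.net recipient goes nowhere.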


