ISP phishing
Todd Vierling
tv at duh.org
Wed Jun 29 13:58:07 UTC 2005
On Wed, 29 Jun 2005, Peter Corlett wrote:
> > Actually, what you have to guarantee is that you never send email to
> > anyone who forwards their email elsewhere. This is impossible.
>
> How do you figure that?
>
> The failure mode in this case is if somebody arranges "dumb" mail
> forwarding that doesn't do envelope rewriting, and also applies a SPF
> filter on their incoming mail.
Actually, that's not quite right. The failure mode is if someone arranges
no-rewrite mail forwarding, and mail is sent through that forwarding host
from a domain with a published SPF record ending in "-all".
Or, to put it in steps:
1. foo at one.example.com sends a mail to bar at two.example.com.
"one.example.com" has a SPF record ending in "-all", but the mail at this
point is coming from a SPF-pass host.
2. bar at two.example.com is a dumb forward to baz at three.example.com. The mail
from foo at one.example.com is now coming from an SPF-fail host.
3. baz at three.example.com has SPF filtering turned on. It receives the mail
attempt from foo at one.example.com, but the SPF test fails authoritatively.
The mail is blocked.
This is the single external dependency problem with SPF, such that
forwarding accounts that do not employ SRS or similar botch the whole
scheme. As a result, many end hosts have started putting in local SPF
exceptions for some forwarding hosts that do not implement sender rewriting.
However, many popular forwarding account systems (particularly large ones
like pobox.com and mail.com) have awakened to the failure mode in step 2.
These hosts have either implemented SRS, or changed the envelope-from on
forwarded mail to be something like the forwarding account itself (with loop
detection) or postmaster at .
--
-- Todd Vierling <tv at duh.org> <tv at pobox.com> <todd at vierling.name>
More information about the NANOG
mailing list