BCP38 thread 93,871,738,435 + SPF

Douglas Otis dotis at mail-abuse.org
Thu Oct 26 20:43:26 UTC 2006

On Thu, 2006-10-26 at 13:03 -0400, Steven M. Bellovin wrote:
> On Thu, 26 Oct 2006 17:07:32 +0200, Florian Weimer <fw at deneb.enyo.de>
> wrote:
> > * Steven M. Bellovin:
> > 
> > > As you note, the 20-25% figure (of addresses) has been pretty
> > > constant for quite a while.  Assuming that subverted machines are
> > > uniformly distributed (a big assumption)
> > 
> > I doubt this assumption about distribution is valid.  At least over
> > here, consumer-grade ISPs (think DSL with dynamic IP addresses) apply
> > ingress filters, while real ISPs don't.  If you're lucky, you get
> > egress filters at some border routers, but it's not standard at all.
> > Customer-facing interfaces are generally unfiltered.
> Those are good points.  It would be interesting to look at the raw AS
> data and see what classes of organizations were represented.
> Unfortunately, that data is not publicly available, according to the FAQ
> for that project. 

Microsoft no longer demands licensing for Sender-ID.  Executing SPF
scripts may become increasingly popular for validating SMTP clients
against MAILFROM, PRA, or perhaps DKIM domains.  SPF scripts can be far
more malicious than even spoofed source reflective DNS attacks.  Dozens
of TXT or hundreds of A record transactions might be invoked by the
recipients of each message.

In addition to MTAs processing SPF script, popular applications like
SpamAssassin executes a different script after an elapsed timeout of 5
seconds.  Such short timeouts eliminate congestion avoidance.  SPF is
analogous to a complex lock where there is no obvious place for a key.
One must trust a stranger to operate their own unique DNS based

The macro capability of this script also allows any element of an
email-address to randomize DNS queries against any unseen victim domain.
SMTP logs may not indicate who initiated an attack, nor indicate when an
attack was in progress.  BCP38 filtering or ACLs on recursive DNS will
not offer protection from this exploit, which can achieve gains much
higher than spoofed source reflective DNS attacks.

Spam being sent through Bot farms has already set the stage for
untraceable DNS attacks based upon SPF.  In addition to taking out major
interconnects, these attacks can:

 a) inundate authoritative DNS;

 b) requests A records from anywhere;

 c) probe IP address, port, and the transaction IDs of resolvers;

While not as bad as eavesdropping, it still places the network and the
integrity of DNS at risk.  All of this while the spam is still being
delivered.  What a productivity tool!

How is this attack detected?

How is this attack avoided?



More information about the NANOG mailing list