BCP38 thread 93,871,738,435 + SPF

Douglas Otis dotis at mail-abuse.org
Fri Oct 27 15:48:00 UTC 2006

On Fri, 2006-10-27 at 14:11 +0200, Florian Weimer wrote:
> * Douglas Otis:
> > Spam being sent through Bot farms has already set the stage for
> > untraceable DNS attacks based upon SPF.  In addition to taking out major
> > interconnects, these attacks can:
> >
> >  a) inundate authoritative DNS;
> >
> >  b) request A records from anywhere;
> >
> >  c) probe IP address, port, and the transaction IDs of resolvers;
>
> (b) and (c) are not new developments because lots of MTAs already
> perform A lookups on HELO arguments, and MX lookups on sender domains.

Each message's SPF script can prompt for web-site addresses while also
inundating the web-site's DNS with other randomized requests.  Network
gains achieved by each script can reach 70:1, and when instances of
execution (MTA/MUA, MAILFROM/PRA/DKIM, and recipient) are considered,
gains per message may exceed 1000:1 while still permitting delivery and
while not exposing who their victim was.

> > While not as bad as eavesdropping, it still places the network and the
> > integrity of DNS at risk.  All of this while the spam is still being
> > delivered.  What a productivity tool!
>
> The purpose of SPF, as it is deployed, is to facilitate routing
> solicited bulk email around spam filters.  Look at email.bn.com/IN/TXT
> to get the idea.  This application requires some of the indirection
> features offered by SPF.

The risk is from an amplification achieved by SPF scripts while still
hiding which messages are attacking.

Bulk senders can use APL RRs (type 42) (see RFC 3123) to list the CIDRs of
their SMTP clients without imposing these risks.  Standardized prefixes
such as _smtp-c0 and _smtp-c1 permit chaining signaled with a
"continuation" address-family, for example.  Executing powerful SPF
scripts from strangers is a heavily promoted bad idea that truly needs
to be discouraged.
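The fan-out the post describes can be measured rather than argued about.  The following is an added example, not code from the post or from any SPF implementation: it walks an SPF record the way a receiver must for a client IP that matches nothing (a bot, in other words), following every include/redirect and charging the a/mx/exists/ptr terms, and logs each DNS query to an in-memory zone table instead of the network.  Every domain name and record below is constructed; "example.test" is the sender, "victim.test" the third party whose servers the record drags in, and "loop.test" a record that includes itself.  The 10-term limit is the one RFC 4408 (current when this thread was written) and RFC 7208 impose.

```python
import re
from typing import Dict, List, Tuple

Zone = Dict[str, Dict[str, List[str]]]

# Constructed zone data (all names invented): the sender, the sender's
# include target, the third party it references, and a self-including record.
ZONE: Zone = {
    "example.test": {
        "TXT": ["v=spf1 include:_spf.example.test mx a -all"],
        "MX": ["mx1.example.test", "mx2.example.test"],
        "A": ["192.0.2.10"],
    },
    "_spf.example.test": {
        "TXT": ["v=spf1 include:victim.test a:www.victim.test ip4:198.51.100.0/24 -all"],
    },
    "victim.test": {
        "TXT": ["v=spf1 mx a -all"],
        "MX": [f"mx{i}.victim.test" for i in range(1, 6)],
        "A": ["203.0.113.1"],
    },
    "www.victim.test": {"A": ["203.0.113.80"]},
    "mx1.example.test": {"A": ["192.0.2.25"]},
    "mx2.example.test": {"A": ["192.0.2.26"]},
    "loop.test": {"TXT": ["v=spf1 include:loop.test -all"]},
}
for _i in range(1, 6):
    ZONE[f"mx{_i}.victim.test"] = {"A": [f"203.0.113.{_i + 20}"]}

# Terms that each count as one DNS-querying term against the 10-term limit
# (RFC 4408 section 10.1, RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


class OfflineResolver:
    """Answers from the zone table and logs every (name, type) query issued."""

    def __init__(self, zone: Zone) -> None:
        self.zone = zone
        self.log: List[Tuple[str, str]] = []

    def query(self, name: str, rrtype: str) -> List[str]:
        self.log.append((name, rrtype))
        return list(self.zone.get(name, {}).get(rrtype, []))


def spf_record(resolver: OfflineResolver, domain: str):
    """Return the domain's v=spf1 TXT string or None; costs one TXT query."""
    for txt in resolver.query(domain, "TXT"):
        if txt.split()[:1] == ["v=spf1"]:
            return txt
    return None


def split_term(term: str) -> Tuple[str, str]:
    """'+a:host/24' -> ('a', 'host'); 'redirect=d' -> ('redirect', 'd'); '-all' -> ('all', '')."""
    term = re.sub(r"/\d+(?:/\d+)?$", "", term.lstrip("+-~?"))  # drop any dual-CIDR suffix
    m = re.match(r"([A-Za-z0-9]+)(?:[:=](.*))?$", term)
    if m is None:
        return term.lower(), ""
    return m.group(1).lower(), m.group(2) or ""


def count_lookup_terms(resolver: OfflineResolver, domain: str, _depth: int = 0) -> int:
    """Count DNS-querying terms for `domain`, issuing the queries a receiver issues
    when no term matches, so the whole record and every include gets evaluated."""
    if _depth > MAX_LOOKUPS:
        raise RecursionError(f"include/redirect chain through {domain} never ends")
    record = spf_record(resolver, domain)
    if record is None:
        return 0
    terms = 0
    for raw in record.split()[1:]:
        mech, arg = split_term(raw)
        if mech not in LOOKUP_TERMS:
            continue  # ip4, ip6, all and exp cost no query
        terms += 1
        target = arg or domain
        if mech in ("include", "redirect"):
            terms += count_lookup_terms(resolver, target, _depth + 1)
        elif mech in ("a", "exists"):
            resolver.query(target, "A")
        elif mech == "mx":
            for host in resolver.query(target, "MX")[:10]:  # at most 10 MX names are followed
                resolver.query(host, "A")
        # "ptr" would query the client IP's reverse zone; only the term is charged here.
    return terms


def fanout_report(zone: Zone, sender: str, third_party: str) -> Dict[str, object]:
    """Queries one message triggers at the receiver, and how many land on a third party."""
    resolver = OfflineResolver(zone)
    terms = count_lookup_terms(resolver, sender)
    hits = [n for n, _ in resolver.log if n == third_party or n.endswith("." + third_party)]
    return {
        "lookup_terms": terms,
        "within_limit": terms <= MAX_LOOKUPS,
        "dns_queries": len(resolver.log),
        "queries_to_third_party": len(hits),
    }


def has_include_loop(zone: Zone, sender: str) -> bool:
    """True when the include/redirect chain never terminates (the depth guard fires)."""
    try:
        count_lookup_terms(OfflineResolver(zone), sender)
    except RecursionError:
        return True
    return False


if __name__ == "__main__":
    print(fanout_report(ZONE, "example.test", "victim.test"))
    print("loop.test loops:", has_include_loop(ZONE, "loop.test"))
```

For the constructed sender the record stays within the limit (7 of 10 terms) yet one message costs the receiver 15 DNS queries, 9 of them against victim.test, which never appears in the message itself.  The depth guard is the check a real evaluator needs against self-including records, which otherwise turn one message into an unbounded query stream.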

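The APL alternative the post proposes can be shown concretely.  The following is an added example, not the post's code and not the chaining scheme (_smtp-c0, _smtp-c1, "continuation" address family) it sketches, which is unspecified: it encodes and decodes the RFC 3123 type 42 wire format (ADDRESSFAMILY, PREFIX, N|AFDLENGTH, AFDPART with trailing zero octets omitted) and checks a client IP against the decoded list with no further DNS queries.  The sender's prefixes are constructed, and the matching rule (longest matching prefix wins, a "!" item denies) is an assumption, since RFC 3123 leaves the semantics of the list to the application.

```python
import ipaddress
import struct
from typing import List, Tuple

# IANA address family numbers carried in APL items (RFC 3123 section 4.1).
AFI_IPV4, AFI_IPV6 = 1, 2
AFI_OCTETS = {AFI_IPV4: 4, AFI_IPV6: 16}
AFI_VERSION = {AFI_IPV4: 4, AFI_IPV6: 6}


def parse_item(text: str) -> Tuple[bool, int, object]:
    """Parse RFC 3123 presentation syntax '[!]afi:address/prefix'."""
    negate = text.startswith("!")
    afi_text, _, cidr = text.lstrip("!").partition(":")
    afi = int(afi_text)
    net = ipaddress.ip_network(cidr, strict=True)  # reject host bits set beyond the prefix
    if AFI_VERSION.get(afi) != net.version:
        raise ValueError(f"address family {afi} does not match {cidr}")
    return negate, afi, net


def encode_apl(items: List[str]) -> bytes:
    """Build APL RDATA: per item ADDRESSFAMILY(16) PREFIX(8) N(1)|AFDLENGTH(7) AFDPART."""
    out = bytearray()
    for negate, afi, net in map(parse_item, items):
        afdpart = net.network_address.packed.rstrip(b"\x00")  # trailing zero octets are omitted
        out += struct.pack("!HBB", afi, net.prefixlen, (0x80 if negate else 0) | len(afdpart))
        out += afdpart
    return bytes(out)


def decode_apl(rdata: bytes) -> List[str]:
    """Parse APL RDATA back into presentation items, rejecting malformed input."""
    items, pos = [], 0
    while pos < len(rdata):
        if pos + 4 > len(rdata):
            raise ValueError("truncated APL item header")
        afi, prefix, n_len = struct.unpack_from("!HBB", rdata, pos)
        pos += 4
        negate, afdlen = bool(n_len & 0x80), n_len & 0x7F
        if afi not in AFI_OCTETS or afdlen > AFI_OCTETS[afi] or pos + afdlen > len(rdata):
            raise ValueError("malformed APL item")
        addr = ipaddress.ip_address(rdata[pos:pos + afdlen].ljust(AFI_OCTETS[afi], b"\x00"))
        pos += afdlen
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=True)  # bad prefix length raises too
        items.append(f"{'!' if negate else ''}{afi}:{net}")
    return items


def is_malformed(rdata: bytes) -> bool:
    """True when the RDATA does not decode cleanly (truncated or oversized items)."""
    try:
        decode_apl(rdata)
    except ValueError:
        return True
    return False


def apl_permits(rdata: bytes, client_ip: str) -> bool:
    """Is client_ip an SMTP client of the sender?  Assumed rule: longest matching
    prefix wins and a negated item denies.  No DNS query beyond fetching the RR."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for negate, afi, net in map(parse_item, decode_apl(rdata)):
        if AFI_VERSION[afi] == ip.version and ip in net:
            if best is None or net.prefixlen > best[1].prefixlen:
                best = (negate, net)
    return best is not None and not best[0]


# Constructed record for a bulk sender: a /24 of SMTP clients with a /25 carved
# out, plus one IPv6 block.  This is what _smtp-c0.<sender> might publish.
SMTP_CLIENTS = encode_apl(["1:192.0.2.0/24", "!1:192.0.2.128/25", "2:2001:db8::/32"])

if __name__ == "__main__":
    print(SMTP_CLIENTS.hex())
    print(decode_apl(SMTP_CLIENTS))
    for ip in ("192.0.2.10", "192.0.2.200", "198.51.100.1", "2001:db8::25"):
        print(ip, apl_permits(SMTP_CLIENTS, ip))
```

A receiver fetches one record and answers from it; the sender's list can be long without anyone else's DNS being consulted, which is the property the post contrasts with SPF scripts.  The bounds checks in decode_apl matter because the AFDLENGTH octet is attacker-controlled data arriving over DNS.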
