North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: ISP phishing
- From: Todd Vierling
- Date: Wed Jun 29 09:59:56 2005
On Wed, 29 Jun 2005, Peter Corlett wrote:
> > Actually, what you have to guarantee is that you never send email to
> > anyone who forwards their email elsewhere. This is impossible.
> How do you figure that?
> The failure mode in this case is if somebody arranges "dumb" mail
> forwarding that doesn't do envelope rewriting, and also applies a SPF
> filter on their incoming mail.
Actually, that's not quite right. The failure mode is if someone arranges
no-rewrite mail forwarding, and mail is sent through that forwarding host
from a domain with a published SPF record ending in "-all".
Or, to put it in steps:
1. firstname.lastname@example.org sends a mail to email@example.com.
"one.example.com" has a SPF record ending in "-all", but the mail at this
point is coming from a SPF-pass host.
2. firstname.lastname@example.org is a dumb forward to email@example.com. The mail
from firstname.lastname@example.org is now coming from an SPF-fail host.
3. email@example.com has SPF filtering turned on. It receives the mail
attempt from firstname.lastname@example.org, but the SPF test fails authoritatively.
The mail is blocked.
This is the single external dependency problem with SPF, such that
forwarding accounts that do not employ SRS or similar botch the whole
scheme. As a result, many end hosts have started putting in local SPF
exceptions for some forwarding hosts that do not implement sender rewriting.
However, many popular forwarding account systems (particularly large ones
like pobox.com and mail.com) have awakened to the failure mode in step 2.
These hosts have either implemented SRS, or changed the envelope-from on
forwarded mail to be something like the forwarding account itself (with loop
detection) or postmaster@.
-- Todd Vierling <email@example.com> <firstname.lastname@example.org> <email@example.com>