North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: ISP phishing
On Wed, 29 Jun 2005, Peter Corlett wrote: > > Actually, what you have to guarantee is that you never send email to > > anyone who forwards their email elsewhere. This is impossible. > > How do you figure that? > > The failure mode in this case is if somebody arranges "dumb" mail > forwarding that doesn't do envelope rewriting, and also applies a SPF > filter on their incoming mail. Actually, that's not quite right. The failure mode is if someone arranges no-rewrite mail forwarding, and mail is sent through that forwarding host from a domain with a published SPF record ending in "-all". Or, to put it in steps: 1. [email protected] sends a mail to [email protected] "one.example.com" has a SPF record ending in "-all", but the mail at this point is coming from a SPF-pass host. 2. [email protected] is a dumb forward to [email protected] The mail from [email protected] is now coming from an SPF-fail host. 3. [email protected] has SPF filtering turned on. It receives the mail attempt from [email protected], but the SPF test fails authoritatively. The mail is blocked. This is the single external dependency problem with SPF, such that forwarding accounts that do not employ SRS or similar botch the whole scheme. As a result, many end hosts have started putting in local SPF exceptions for some forwarding hosts that do not implement sender rewriting. However, many popular forwarding account systems (particularly large ones like pobox.com and mail.com) have awakened to the failure mode in step 2. These hosts have either implemented SRS, or changed the envelope-from on forwarded mail to be something like the forwarding account itself (with loop detection) or [email protected] -- -- Todd Vierling <[email protected]> <[email protected]> <[email protected]>
|