North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: ISP phishing

  • From: Todd Vierling
  • Date: Wed Jun 29 09:59:56 2005

On Wed, 29 Jun 2005, Peter Corlett wrote:

> > Actually, what you have to guarantee is that you never send email to
> > anyone who forwards their email elsewhere. This is impossible.
> How do you figure that?
> The failure mode in this case is if somebody arranges "dumb" mail
> forwarding that doesn't do envelope rewriting, and also applies a SPF
> filter on their incoming mail.

Actually, that's not quite right.  The failure mode is if someone arranges
no-rewrite mail forwarding, and mail is sent through that forwarding host
from a domain with a published SPF record ending in "-all".

Or, to put it in steps:

1. [email protected] sends a mail to [email protected]
   "" has a SPF record ending in "-all", but the mail at this
   point is coming from a SPF-pass host.

2. [email protected] is a dumb forward to [email protected]  The mail
   from [email protected] is now coming from an SPF-fail host.

3. [email protected] has SPF filtering turned on.  It receives the mail
   attempt from [email protected], but the SPF test fails authoritatively.
   The mail is blocked.

This is the single external dependency problem with SPF, such that
forwarding accounts that do not employ SRS or similar botch the whole
scheme.  As a result, many end hosts have started putting in local SPF
exceptions for some forwarding hosts that do not implement sender rewriting.

However, many popular forwarding account systems (particularly large ones
like and have awakened to the failure mode in step 2.
These hosts have either implemented SRS, or changed the envelope-from on
forwarded mail to be something like the forwarding account itself (with loop
detection) or [email protected]

-- Todd Vierling <[email protected]> <[email protected]> <[email protected]>