|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: BCP38 thread 93,871,738,435 + SPF
On Sat, 2006-10-28 at 00:52 -0500, Gadi Evron wrote: > If you believe SPF prevents you from doing it, can you elaborate how? Spam referencing malicious SPF scripts can result in PASS or NEUTRAL, where the message and message rates may be normal. Recipients will not notice the role they are playing in an ongoing attack. There would be few clues, and BCP38 or ACLs will not prevent an SPF attack. >From a victim's perspective, there could be tens or hundreds of thousands of attack sources. No source represents an address of a Botnet. An attack could be composed of A-record transactions for hosts not seen in any message, or related to the domains of any SPF script. These SPF scripts might also later morph to frustrate forensic analysis or real-time blocking. SPF scripts add indirection from what is within a message. An attacking transaction would pass through DNS from one of the hundred thousand recipients. Finding a recipient will not link a DNS transaction to a message. The source of the message may also be a reputable provider. The recipient would need to trace the targets of all associated SPF scripts. A particular SPF script might be one of a hundred other scripts targeting the same victim, however. Analysis designed not to add to an attack can also be seen by the attacker. Nothing in the experimental SPF or Sender-ID RFCs explain how such catastrophic attacks are avoided. Their recommended premature termination of SPF scripts ensures there is no congestion avoidance as well. How would you identify and quell an SPF attack in progress? -Doug
|