Re: [Asrg] misconception in SPF

Martijn Grooten <martijn.grooten@virusbtn.com> Thu, 06 December 2012 20:47 UTC

Return-Path: <martijn.grooten@virusbtn.com>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9096B21F8697 for <asrg@ietfa.amsl.com>; Thu, 6 Dec 2012 12:47:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OHHyljRKoZZ6 for <asrg@ietfa.amsl.com>; Thu, 6 Dec 2012 12:47:52 -0800 (PST)
Received: from mx4.sophos.com (mx4.sophos.com [216.47.234.213]) by ietfa.amsl.com (Postfix) with ESMTP id E9FDC21F8507 for <asrg@irtf.org>; Thu, 6 Dec 2012 12:47:50 -0800 (PST)
Received: from mx4.sophos.com (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id CC7F34E037E for <asrg@irtf.org>; Thu, 6 Dec 2012 20:47:47 +0000 (GMT)
Received: from abn-exch1b.green.sophos (abn-exch1b.green.sophos [10.100.70.62]) by mx4.sophos.com (Postfix) with ESMTPS id 724544E02E7 for <asrg@irtf.org>; Thu, 6 Dec 2012 20:47:47 +0000 (GMT)
Received: from ABN-EXCH1A.green.sophos ([fe80::67:3150:dacd:910d]) by abn-exch1b.green.sophos ([fe80::dc96:facf:3d2c:c352%17]) with mapi id 14.02.0247.003; Thu, 6 Dec 2012 20:47:46 +0000
From: Martijn Grooten <martijn.grooten@virusbtn.com>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Thread-Topic: [Asrg] misconception in SPF
Thread-Index: AQHN0+ufsqH0dJXpZk22wCV06nTFZ5gMN5L3
Date: Thu, 06 Dec 2012 20:47:45 +0000
Message-ID: <0D79787962F6AE4B84B2CC41FC957D0B20AC6B8F@ABN-EXCH1A.green.sophos>
References: <CAFduga=bjVh+cLLC5xnLR8b=zv7o-QoJtYBCMevEimiPdep0ZA@mail.gmail.com>
In-Reply-To: <CAFduga=bjVh+cLLC5xnLR8b=zv7o-QoJtYBCMevEimiPdep0ZA@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.100.64.11]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [Asrg] misconception in SPF
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Dec 2012 20:47:52 -0000

So, to use a real-world example, what you're saying is that if you want to spoof Twitter, to avoid your email being caught by the -all in Twitter's SPF record, you could use foo.twitter.com as the sending domain and your email wouldn't be blocked because of an SPF fail.

I think that's correct.

You could also use aimport dot no (as some spammer sending a fake Twitter email did an hour ago). That domain doesn't have an SPF record either.

As we're talking about the MAIL FROM in the SMTP envelope, which usually isn't shown to the user, I don't think this is a big problem.

Perhaps your MTA or spam-filter does use the MAIL FROM in its decision whether to deliver the email or not. If it decides to deliver the message because it claims to come from Twitter, uses a subdomain of twitter.com and didn't fail SPF then that's very wrong. But I don't think it's SPF's fault.

Martijn.

________________________________

Virus Bulletin Ltd, The Pentagon, Abingdon, OX14 3YP, England.
Company Reg No: 2388295. VAT Reg No: GB 532 5598 33.
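The SPF behaviour discussed above, as an added example that is not part of the thread: a minimal RFC 7208 evaluator over a constructed records table (the `twitter.com` record contents are made up, only the apex publishes SPF) showing that an unlisted subdomain yields "none" rather than "fail", plus the check a filter can apply so that "none" on a subdomain of a strictly protected domain is never read as a clean signal.

```python
import ipaddress

# Constructed records table, not real DNS data: only the apex domain publishes
# an SPF policy; subdomains such as foo.twitter.com have no TXT record at all.
SPF_RECORDS = {
    "twitter.com": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip, records=SPF_RECORDS):
    """Minimal RFC 7208 check_host(): ip4 mechanisms and 'all' only.

    Returns 'none' when the MAIL FROM domain has no SPF record, which is the
    case for an unlisted subdomain even when the parent domain ends in -all.
    """
    record = records.get(domain.lower().rstrip("."))
    if record is None:
        return "none"  # no policy: neither pass nor fail
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
        if term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted with no match (RFC 7208 default)


def strict_parent(domain, records=SPF_RECORDS):
    """Nearest parent domain publishing -all while `domain` itself has no
    record, or None. A filter can use this so that an SPF result of 'none'
    on such a subdomain is flagged for closer inspection, not trusted."""
    labels = domain.lower().rstrip(".").split(".")
    if ".".join(labels) in records:
        return None
    for i in range(1, len(labels) - 1):
        parent = ".".join(labels[i:])
        if records.get(parent, "").split()[-1:] == ["-all"]:
            return parent
    return None


def mail_from_authenticated(domain, client_ip, records=SPF_RECORDS):
    """Only an explicit 'pass' says anything positive about the MAIL FROM domain."""
    return spf_check(domain, client_ip, records) == "pass"
```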