IETF Logo Mail Archive

Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: aCritical Review

Amir Herzberg <amir.herzberg@gmail.com> Wed, 27 May 2009 05:57 UTC

Return-Path: <amir.herzberg@gmail.com>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3E5153A6DC3 for <asrg@core3.amsl.com>; Tue, 26 May 2009 22:57:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.054
X-Spam-Level:
X-Spam-Status: No, score=-2.054 tagged_above=-999 required=5 tests=[AWL=0.294, BAYES_00=-2.599, HTML_MESSAGE=0.001, URIBL_GREY=0.25]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DHYY+EEHXUZU for <asrg@core3.amsl.com>; Tue, 26 May 2009 22:57:45 -0700 (PDT)
Received: from mail-fx0-f170.google.com (mail-fx0-f170.google.com [209.85.220.170]) by core3.amsl.com (Postfix) with ESMTP id 413E13A6D57 for <asrg@irtf.org>; Tue, 26 May 2009 22:57:44 -0700 (PDT)
Received: by fxm18 with SMTP id 18so4406568fxm.7 for <asrg@irtf.org>; Tue, 26 May 2009 22:59:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :from:date:message-id:subject:to:content-type; bh=ilhoxDx8OxnlZJIKPkRm4EYFnidelzuiDTOdYC+H1b0=; b=lGDHWTDehH+u3NL5lZSH8+u5okNNRs6agXCOUUMIiDTmsMKKfIl1YEop8mnVT5bnyh 2JB3G2vOVGjFhx00p55Yr/XmV4VyqK00Mxj+NY8E7/J/AKbME5fumeZ6OCkC+VG4EkA0 iwlfv1JHXlR99/zL2fi1PW3gcn4kzZuYhtjYA=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; b=Eemfh7SeAZmeG0ZFIBA2LTlpHsee1jLwxtQ1mqD3TTeRIn2YtA89VlAB+dlQF0aKKO Vwu/Roja6KdP+Wa4zyYkTewYcBtLlxbmkwk6HqINJGMXI522kvJVkbscEww9wusy26Z4 bEM9UeJrGdVcIx54oMvKuSJCVXeKEiSmMl/kg=
MIME-Version: 1.0
Received: by 10.103.117.8 with SMTP id u8mr4794239mum.123.1243403965504; Tue, 26 May 2009 22:59:25 -0700 (PDT)
In-Reply-To: <DEC522CE-67F9-41CF-9855-0E3B6BDD0427@mail-abuse.org>
References: <003d01c9dd01$bf3531d0$800c6f0a@china.huawei.com> <4A1A45BA.5030704@swin.edu.au> <3be421270905250718y5d62f6d5odb6f2bebecf418d0@mail.gmail.com> <6684E747-55CB-4BB3-B838-9F4FE906AFE7@mail-abuse.org> <3be421270905251345l1bbe8ce9je5554b727e7440a7@mail.gmail.com> <DEC522CE-67F9-41CF-9855-0E3B6BDD0427@mail-abuse.org>
From: Amir Herzberg <amir.herzberg@gmail.com>
Date: Wed, 27 May 2009 08:59:05 +0300
Message-ID: <3be421270905262259v777cb54jadf4fd9df1c50c6a@mail.gmail.com>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Content-Type: multipart/alternative; boundary="0016e6570b86ad221b046ade8bcc"
Subject: Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: aCritical Review
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2009 05:57:47 -0000

Doug, thanks! I completely agree that applying SPF at the client - or in
fact, anywhere after the border MTA - is probably a very poor idea, due to
the potential exposure to DoS and DNS poisoning exploits. I just didn't
think this people would do it - I'll try to add warning against it. This is
far beyond the question of whether there is also some real goal in doing SPF
validation at this point (client) [referring to Chris's note].

And I agree that it may be worthwhile also mentioning the 10*10
amplification factor for implementations that allow 10 mechanisms where each
could do 10 MX (or PTR) RR lookups, for a total of 100 DNS queries (or I
think actually 111). Notice that again, the use of SPF by multiple mail
agents, e.g. at the client, would provide even further amplification.

Amir

On Tue, May 26, 2009 at 4:23 AM, Douglas Otis <dotis@mail-abuse.org> wrote:

>
> On May 25, 2009, at 1:45 PM, Amir Herzberg wrote:
>
>  On Mon, May 25, 2009 at 6:54 PM, Douglas Otis <dotis@mail-abuse.org>
>>> wrote:
>>> http://amir.herzberg.googlepages.com/somerecentpapers
>>>
>>> This paper refers to DNS poisoning without fully exploring how SPF might
>>> be used to enable DNS poisoning.  SPF might be checked by MUAs in some
>>> cases.   More than just resolvers associated with MTAs are affected, so
>>> separate resolvers for MTAs, which themselves might become poisoned, does
>>> not represent a good solution.
>>>
>>
>> Sorry - I simply was not aware of SPF checks being invoked by MUAs. I
>> actually find it a bit strange that MUAs would do SPF validations,
>> considering they don't get MAIL FROM, but human ingenuity is endless and I
>> apologize for this ignorance. Doug, can you give me specific examples -
>> preferably of common MUA clients and if possible, of appropriate
>> documentation so I can read about it and/or test it? Tks!
>>
>
> SPF can be found in ClamAV, SpamAssassin, etc. extend filtering of incoming
> email at the desktop for any type of MUA.  There are even Thunderbird
> plugins that specifically provide SPF resolution.
>
>  SPF provides bad actors access to DNS resolvers that might otherwise be
>>> protected by ACLs.  At today's Internet speeds, DNS transactional IDs do not
>>> represent adequate protection.  SPF's use of macros ignores this security
>>> venerability.  Suggesting the use of DNSSEC is not reasonable justification
>>> for ignoring this problem.
>>>
>>
>> I believe my text  already makes this argument except for considering the
>> issue limited to MTAs, MDAs.
>>
>
> A common mistake.
>
>  SPF supports the use of macros to access A, AAAA, PTR and TXT DNS resource
>>> records.  These macros might expand local-parts within the email-message,
>>> which means SPF records may NOT be fully cacheable.  Subsequent record
>>> resolutions can be triggered by the SPF macros, where as may as one hundred
>>> such record resolutions can occur when resolving a single SMTP source
>>> authorization.
>>>
>>
>> But spec says (and even if it didn't, common sense would) that a
>> reasonable limit of resolutions, say 10, should be used. I think I even
>> discussed this, I definitely considered discussing this.
>>
>
> When the goal is to poison DNS, the SPF specifications limit resolution to
> 10 mechanisms, and then the resolution of MX records (one such mechanism) to
> 10. 10 x 10 = 100.  The draft that I wrote long ago demonstrated 100
> transactions using unmodified off-the-shelf SPF libraries.
>
>  These subsequent resolution events can be directed toward both a DNS
>>> resolver under the control of the bad actor to obtain timing and target
>>> information for the remaining tens or hundreds of record resolutions made
>>> against their victim's caching resolvers.  This attack can be renewed by
>>> simply changing local-parts within either the bounce address or the PRA.
>>>  Perhaps both the bounce address and the PRA authorization verifications are
>>> attempted, which would have the effect of doubling the amount of traffic.
>>>
>>
>> This is indeed the attack I've sketched in the paper; do u think more
>> details were needed? Maybe I can simply add citation of some detailed
>> publication on this since I think adding much more details is not reasonable
>> for such a review.
>>
>
> You might want to go through the numbers.  When SPF records are being
> cached, but then expanded upon using macros, the cost to the attacker
> becomes nil, however the impact on their victim can profound.
>
>
> -Doug
>
> _______________________________________________
> Asrg mailing list
> Asrg@irtf.org
> http://www.irtf.org/mailman/listinfo/asrg
>



-- 
Amir Herzberg
Associate Professor, Dept. of Computer Science
Bar Ilan University
http://AmirHerzberg.com

v2.23.0 | Report a Bug | By Email