IETF Logo Mail Archive

Re: [Asrg] misconception in SPF

Christian Grunfeld <christian.grunfeld@gmail.com> Thu, 06 December 2012 20:15 UTC

Return-Path: <christian.grunfeld@gmail.com>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9886F21F8A76 for <asrg@ietfa.amsl.com>; Thu, 6 Dec 2012 12:15:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.999
X-Spam-Level:
X-Spam-Status: No, score=-2.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_38=0.6, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1WR9lLrRgkmQ for <asrg@ietfa.amsl.com>; Thu, 6 Dec 2012 12:15:02 -0800 (PST)
Received: from mail-vc0-f182.google.com (mail-vc0-f182.google.com [209.85.220.182]) by ietfa.amsl.com (Postfix) with ESMTP id B47F021F8A74 for <asrg@irtf.org>; Thu, 6 Dec 2012 12:15:02 -0800 (PST)
Received: by mail-vc0-f182.google.com with SMTP id fo14so8181273vcb.13 for <asrg@irtf.org>; Thu, 06 Dec 2012 12:15:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=sq8w7YCiApxhTG0CduWvvpmrJCPQe279J5zanLp8O3c=; b=W6eUppd4tK6JIF1lm20914T1Ig00eGpiwfljIETA0XQGVhGIDyA84AdtQF2RDsY617 19gVEVjAfslJkYNYdUFmKZatGdJz1WMX26TlIF9jdtFY9EbA14aL4jlt5FfgEIM8ndD/ VMDz/InXqn1twlT1YQsbizoDHE8CTuQefRp0zhCPAvxXQp+WEzeWJXE0qUeo2b0o/5OD wNv7CsyiS0Ayxf1s4Rz4iOWNrndZ+d6j+OtZU0Xqxd4wQ9a14uq+3yoKFT/JjJC3d+/t vOhl9V8DajKp+vjagDT34OgOos4gJkbzrHAodQ6DGMvLiOcfiP6Hx+M2/g1Rur2HpOsb gJYQ==
MIME-Version: 1.0
Received: by 10.52.66.18 with SMTP id b18mr1919704vdt.43.1354824901852; Thu, 06 Dec 2012 12:15:01 -0800 (PST)
Received: by 10.58.235.131 with HTTP; Thu, 6 Dec 2012 12:15:01 -0800 (PST)
In-Reply-To: <CAFduga=bjVh+cLLC5xnLR8b=zv7o-QoJtYBCMevEimiPdep0ZA@mail.gmail.com>
References: <CAFduga=bjVh+cLLC5xnLR8b=zv7o-QoJtYBCMevEimiPdep0ZA@mail.gmail.com>
Date: Thu, 6 Dec 2012 17:15:01 -0300
Message-ID: <CAFduganiaDkf0jFsV7FYcAvi9JjA9G-iTj8XLVzcDNY=jo_m=w@mail.gmail.com>
From: Christian Grunfeld <christian.grunfeld@gmail.com>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [Asrg] misconception in SPF
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Dec 2012 20:15:03 -0000

here is the proof of concept ! an email sent to John Levine claiming
to be from ygii-john@www.johnlevine.com !!!

Could you please John paste the Received-SPF checks of your mailserver ?


Connected to mail1.iecc.com.
Escape character is '^]'.
220 mail1.iecc.com mailfront ESMTP
EHLO www.johnlevine.com
250-mail1.iecc.com
250-SIZE 0
250-8BITMIME
250-ENHANCEDSTATUSCODES
250 PIPELINING
MAIL FROM: ygii-john@www.johnlevine.com
250 2.1.0 Sender accepted.
RCPT TO: johnl@taugh.com
250 2.1.5 Recipient accepted.
DATA
354 End your message with a period on a line by itself.
From: ygii-john@www.johnlevine.com
To: johnl@taugh.com
Subject: p o c

Hi John, just a proof of concept
.
250 2.6.0 Accepted message qp 34000 bytes 540
quit
221 2.0.0 Good bye.
Connection closed by foreign host.



2012/12/6 Christian Grunfeld <christian.grunfeld@gmail.com>om>:
> Hi,
>
> Something I found about SPF. I don't know if it is new to you but it
> is worth of explanation !
>
> As in all the tutorials of SPF, one stays relaxed when lists hosts/ips
> that are authorized to send for the domain and then finally closes
> with -all. This is true only for that domain but if there are hosts or
> subdomains with A records, they must enforce SPF policies ! (this is
> not explicit in RFC or at least confusing).
>
> A single host or subdomain that don't do it can lead to a sender spoofing attack
> and pose as someone from our domain without the SPF to detect it.
>
> This is because when we receive mail from foo@bar.mydomain the SPF
> protocol seeks TXT records corresponding to bar.mydomain instead of
> TXT record for mydomain. If there is an A record for bar.mydomain but
> no TXT "v=spf1 -all" for it, SPF returns "none" although SPF exists
> for mydomain !
>
> Thus an attacker can inject an email from everywhere claiming that is
> from someone@bar.mydomain !
>
> As the default policy of SPF should not be "fail if not present" the
> solution is to enforce with the records TXT "v = spf1-all" for each A
> record that should not send emails!
> This also can be made by means of wildcards but it is discourage in the RFC.
>
> Cheers

v2.8.7 | Report a Bug | By Email