Re: [Asrg] misconception in SPF

Christian Grunfeld <christian.grunfeld@gmail.com> Sun, 09 December 2012 23:39 UTC

Return-Path: <christian.grunfeld@gmail.com>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A998C21F846B for <asrg@ietfa.amsl.com>; Sun, 9 Dec 2012 15:39:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.307
X-Spam-Level:
X-Spam-Status: No, score=-3.307 tagged_above=-999 required=5 tests=[AWL=0.292, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rCWy7Ui2sDiE for <asrg@ietfa.amsl.com>; Sun, 9 Dec 2012 15:39:08 -0800 (PST)
Received: from mail-ia0-f182.google.com (mail-ia0-f182.google.com [209.85.210.182]) by ietfa.amsl.com (Postfix) with ESMTP id 2DC8321F8681 for <asrg@irtf.org>; Sun, 9 Dec 2012 15:39:08 -0800 (PST)
Received: by mail-ia0-f182.google.com with SMTP id x2so3994933iad.13 for <asrg@irtf.org>; Sun, 09 Dec 2012 15:39:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type:content-transfer-encoding; bh=8Mm9beYAhjcIc0npF248jAxKdznCBOoZttKomhjVvKs=; b=w7TKCvlKgSmez4asEkG8swhVQVVm946f1sAP38+/gMww1z00yLkBJEGhTxY3UX4IPb tN1fwaMTk1+yau+EAypVP6X3flMap5LlaBz8EG23rRYodV+2lykCgO92rwuNCSDy8li7 ewkyWHZtnWd/meX8U1CpbLPWx731jKBjn4Pv7S1pVpisuRIE6qThYMQHK4S+ZsY4ZcA+ Jjgs7SFb43WopqVSkC7DmmX+4ygX/3pUSL4FRj0+tLwLgRelbfiOp2884aUWINrWcAOU OmfhaHZNDMK8pZeh7Oppge687S7sgG0542HI8JbM/xIugjxL8IYFNi7HJGOwzW0TQU6D H3zg==
MIME-Version: 1.0
Received: by 10.50.40.225 with SMTP id a1mr5083327igl.7.1355096347614; Sun, 09 Dec 2012 15:39:07 -0800 (PST)
Received: by 10.231.65.79 with HTTP; Sun, 9 Dec 2012 15:39:07 -0800 (PST)
In-Reply-To: <20121209213307.D90C12429B@panix5.panix.com>
References: <20121206212116.10328.qmail@joyce.lan> <50C1A95A.5000001@pscs.co.uk> <50C4A7F8.3010201@dcrocker.net> <CAFdugamTbTirVV2zXKOmc9oTaCS+QiTemhT=jvYJnHYscHQK7g@mail.gmail.com> <0D79787962F6AE4B84B2CC41FC957D0B20ACE6D0@ABN-EXCH1A.green.sophos> <20121209213307.D90C12429B@panix5.panix.com>
Date: Sun, 09 Dec 2012 20:39:07 -0300
Message-ID: <CAFduganBR_E-ui-3Xbic6F7qSmg1-Q+ideXLvb+1isLz8OF0Nw@mail.gmail.com>
From: Christian Grunfeld <christian.grunfeld@gmail.com>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: Re: [Asrg] misconception in SPF
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Dec 2012 23:39:08 -0000

> There is no way for the owner of the overlying domain (who also owns
> the subdomain) to force such email to FAIL.  There should be a way to
> specify "all valid email from this domain and subdomains comes only
> from this set of IPs and no others" and SPF fails to provide one.
> That's a weakness in the structure of SPF which ought to be fixed.

there is ! you have to publish your sending IPs and also your not
sending IPs/hosts/subdomains.


> I'm with Martijn.  Other than the test message you sent the other day,
> I don't think I have ever seen a phish that used a subdomain of the
> target.  Ever.

...so the "vulneravility" exists ! may be spammers don't know it yet !
don't you believe that a phish with these characteristics could be
worse than other?

At my institution I have told my users to check mail headers whenever
possible. They are physicists ... the ones who invented the www time
ago, so they have some skill level to do it. I always told them: do
not believe in what you see in the From: also check the envelope and
any hop in between ! ....but what will I say them when they´ll see
mails "comming" from a subdomain of the real domain that the mail
claims to be from and no checks failed?
I personally think this kind of phishing worse than common ones!

For the ones that said we are treating SPF as the FUSSP or the best
solution...the answer is no ! I use SMTP level client checks, helo
checks, sender checks, recipient checks, rate limits, SPF, DKIM,
greylists, spamassassin, etc. SPF is only one of which we are
discussing now a misconception, misunderstanding or what you prefer.
We can also disscuss about any of the other methods.