Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: a Critical Review

John Leslie <john@jlc.net> Mon, 25 May 2009 17:10 UTC

Return-Path: <john@jlc.net>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 719D83A6FA5 for <asrg@core3.amsl.com>; Mon, 25 May 2009 10:10:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.838
X-Spam-Level:
X-Spam-Status: No, score=-5.838 tagged_above=-999 required=5 tests=[AWL=0.511, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, URIBL_GREY=0.25]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ox6T6-QOxxVh for <asrg@core3.amsl.com>; Mon, 25 May 2009 10:10:37 -0700 (PDT)
Received: from mailhost.jlc.net (mailhost.jlc.net [199.201.159.9]) by core3.amsl.com (Postfix) with ESMTP id A2A423A6DA8 for <asrg@irtf.org>; Mon, 25 May 2009 10:10:37 -0700 (PDT)
Received: by mailhost.jlc.net (Postfix, from userid 104) id A511733C36; Mon, 25 May 2009 13:12:13 -0400 (EDT)
Date: Mon, 25 May 2009 13:12:13 -0400
From: John Leslie <john@jlc.net>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Message-ID: <20090525171213.GC20941@verdi>
References: <003d01c9dd01$bf3531d0$800c6f0a@china.huawei.com> <4A1A45BA.5030704@swin.edu.au> <3be421270905250718y5d62f6d5odb6f2bebecf418d0@mail.gmail.com> <6684E747-55CB-4BB3-B838-9F4FE906AFE7@mail-abuse.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <6684E747-55CB-4BB3-B838-9F4FE906AFE7@mail-abuse.org>
User-Agent: Mutt/1.4.1i
Subject: Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: a Critical Review
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 May 2009 17:10:38 -0000

Douglas Otis <dotis@mail-abuse.org> wrote:
> 
> http://amir.herzberg.googlepages.com/somerecentpapers
> 
> This paper refers to DNS poisoning without fully exploring how SPF  
> might be used to enable DNS poisoning.

   Doug perhaps asks too much... But the paper does explain a particular
exploit, where SPF records are used to cause particular DNS queries at
"known" times, to which forged responses can be spoofed, potentially
greatly increasing the risk of DNS poisoning.

   Discussion of that particular exploit does seem in scope.

   The paper is somewhat disappointing in only mentioning "rate limiting"
and "dedicated DNS proxy" as countermeasures, without any particulars.

   Is there any interest in fleshing out these countermeasures?

> SPF supports the use of macros to access A, AAAA, PTR and TXT DNS  
> resource records.  These macros might expand local-parts within the  
> email-message, which means SPF records may NOT be fully cacheable.   
> Subsequent record resolutions can be triggered by the SPF macros,  
> where as many as one hundred such record resolutions can occur when  
> resolving a single SMTP source authorization.

   This sounds like the sort of issue where a "dedicated DNS proxy"
for SPF queries could apply rate-limiting to good advantage. Of
course, it would end up delivering "less" than SPF proponents have
been claiming as SPF's "advantages;" but I suspect Doug is not alone
in considering such a "feature" as beneficial.

   ;^)

--
John Leslie <john@jlc.net>
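The two points argued in this message (that SPF macros such as %{l} put the sender's local part into the query name, so a sender can force a fresh, uncacheable DNS query at a moment of its choosing, and that capping and rate-limiting the lookups an evaluation may trigger is the natural countermeasure) can be made concrete with a small evaluator. What follows is an added example, not code from the thread, from the reviewed paper or from any SPF implementation. It covers only the subset of RFC 4408 needed for the demonstration: macro letters s, l, o, d, i and v (the PTR-driven %{p} and %{h} are deliberately rejected), the per-evaluation lookup limit of RFC 4408 section 10.1, and a sliding-window per-domain rate limiter standing in for whatever a "dedicated DNS proxy" might do. All function and class names, and the sample senders, domains and addresses, are assumptions of the example.

```python
"""Added example: SPF macro expansion and DNS-lookup budgeting (not from the
thread or any SPF library; names and sample inputs are illustrative)."""
import re
import time
from collections import defaultdict, deque

# %{l}, %{d2}, %{ir} ...; also the %%, %_ and %- literals of RFC 4408 section 8.
# Group layout: letter, digit count, reverse flag, delimiters, then the three literals.
MACRO_RE = re.compile(r"%(?:\{([slodiv])(\d*)(r?)([.\-+,/_=]*)\}|(%)|(_)|(-))", re.I)


def expand_macro(spec, sender, domain, client_ip):
    """Expand a macro-string for one message.  Each distinct sender local part
    (%{l}) or client address (%{i}) yields a distinct query name, which is why
    such records cannot be served from cache."""
    if re.search(r"%\{[ph]", spec, re.I):
        raise ValueError("%{p}/%{h} macros are not supported in this example")
    local, _, sender_domain = sender.partition("@")
    values = {"s": sender, "l": local, "o": sender_domain, "d": domain,
              "i": client_ip, "v": "ip6" if ":" in client_ip else "in-addr"}

    def repl(m):
        letter, digits, rev, delims, pct, under, dash = m.groups()
        if pct:
            return "%"
        if under:
            return " "
        if dash:
            return "%20"
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if rev:
            parts.reverse()
        if digits:
            parts = parts[-int(digits):]
        return ".".join(parts)

    return MACRO_RE.sub(repl, spec)


# Terms that cost a DNS query during evaluation (RFC 4408 section 10.1) and the
# record type each one fetches.  ip4, ip6, all and exp are not counted.
LOOKUP_QTYPE = {"include": "TXT", "redirect": "TXT", "exists": "A",
                "a": "A", "mx": "MX", "ptr": "PTR"}
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/]*))?(?:/\d+(?:/\d+)?)?$", re.I)


class LookupBudgetExceeded(Exception):
    pass


def reverse_name(ipv4):
    """192.0.2.1 -> 1.2.0.192.in-addr.arpa (IPv4 only in this example)."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def plan_dns_queries(record, sender, domain, client_ip, max_lookups=10):
    """Return the (qtype, qname) queries that evaluating `record` for this
    message would issue, in order, without contacting DNS.  Raises once more
    than max_lookups DNS-querying terms are seen, as RFC 4408 section 10.1
    requires; nested include/redirect records are not followed here."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    queries = []
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            raise ValueError("malformed term: " + term)
        name, arg = m.group(1).lower(), m.group(2)
        if name not in LOOKUP_QTYPE:
            continue
        if name == "ptr":
            qname = reverse_name(client_ip)
        else:
            qname = expand_macro(arg, sender, domain, client_ip) if arg else domain
        queries.append((LOOKUP_QTYPE[name], qname))
        if len(queries) > max_lookups:
            raise LookupBudgetExceeded("%s needs more than %d DNS lookups" % (domain, max_lookups))
    return queries


class QueryRateLimiter:
    """Sliding-window cap on SPF-driven queries per sending domain, the sort of
    control a dedicated SPF DNS proxy could apply (an illustration, not a
    description of any existing proxy)."""

    def __init__(self, max_queries, window_seconds):
        self.max_queries = max_queries
        self.window = window_seconds
        self.seen = defaultdict(deque)

    def allow(self, domain, now=None):
        now = time.time() if now is None else now
        q = self.seen[domain]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.max_queries:
            return False
        q.append(now)
        return True
```

Running plan_dns_queries over "v=spf1 exists:%{l}._spf.%{d} -all" for two senders at the same domain yields two different query names, which is the cacheability problem in one line; a record with eleven include: terms raises LookupBudgetExceeded before any query would be sent, and the rate limiter refuses a third query for a domain inside its window and admits one again once the window has slid past.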