IETF Logo Mail Archive

Re: Last Call: <draft-jdfalk-maawg-cfblbcp-02.txt> (Complaint Feedback Loop Operational Recommendations) to Informational RFC

Douglas Otis <dotis@mail-abuse.org> Wed, 05 October 2011 23:06 UTC

Return-Path: <dotis@mail-abuse.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBBBA21F8511 for <ietf@ietfa.amsl.com>; Wed, 5 Oct 2011 16:06:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.362
X-Spam-Level:
X-Spam-Status: No, score=-103.362 tagged_above=-999 required=5 tests=[AWL=-0.763, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k6Zmz1uVoHNv for <ietf@ietfa.amsl.com>; Wed, 5 Oct 2011 16:06:54 -0700 (PDT)
Received: from SJDC-SDIRelay1.sdi.trendmicro.com (sjdc-sdirelay1.sdi.trendmicro.com [150.70.64.59]) by ietfa.amsl.com (Postfix) with ESMTP id 7455021F84ED for <ietf@ietf.org>; Wed, 5 Oct 2011 16:06:54 -0700 (PDT)
Received: from harry.mail-abuse.org (harry.mail-abuse.org [168.61.5.27]) by SJDC-SDIRelay1.sdi.trendmicro.com (Postfix) with ESMTP id 6329F3B0071; Wed, 5 Oct 2011 23:10:01 +0000 (UTC)
Received: from US-DOUGO-MAC.local (gateway1.sjc.mail-abuse.org [168.61.5.81]) by harry.mail-abuse.org (Postfix) with ESMTP id 545C6A9443B; Wed, 5 Oct 2011 23:10:03 +0000 (UTC)
Message-ID: <4E8CE3C9.8080007@mail-abuse.org>
Date: Wed, 05 Oct 2011 16:10:01 -0700
From: Douglas Otis <dotis@mail-abuse.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Eliot Lear <lear@cisco.com>
Subject: Re: Last Call: <draft-jdfalk-maawg-cfblbcp-02.txt> (Complaint Feedback Loop Operational Recommendations) to Informational RFC
References: <20110922134311.28658.88510.idtracker@ietfa.amsl.com> <6.2.5.6.2.20111003005127.09464a50@resistor.net> <F5833273385BB34F99288B3648C4F06F19C45D9E13@EXCH-C2.corp.cloudmark.com> <CAC4RtVAyyPKjxPqKQKnc5qeFh-88KOT7NL0846gRTMOb9zL0rg@mail.gmail.com> <3266F4FF-761B-4A12-8F68-7F7F8EBC3090@cybernothing.org> <4E8BA37F.9010303@mail-abuse.org> <4E8BFC76.8040706@cisco.com>
In-Reply-To: <4E8BFC76.8040706@cisco.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Oct 2011 23:06:55 -0000

On 10/4/11 11:43 PM, Eliot Lear wrote:
> For the record, I tend to dislike pollution of the RFC series with PR
> blurbs as well.  This having been said, I would be far more interested
> in a discussion about the actual substantive content of the document.
>
> Eliot
Eliot,

Thank you for asking.

In addition to PR and copyright issues that forbid modification of the 
draft, there are a few technical issues that also affect the MARF draft 
as well.  The assertion of being DDoS experts does not explain why 
potential DDoS attacks perpetrated by leveraging recipient resources 
necessary for processing SPF scripts had been overlooked.  SPF can be 
exploited to initiate a highly distributed demand against any targeted 
domain unrelated to any domain found within an attacking email campaign.

The assertion that it is difficult to forge a DKIM message overlooks the 
purpose of feedback and what these reports imply.  DKIM does NOT assure 
a domain can be held accountable for any unsolicited message which 
creates some risks to feedback resources.  The domain of the DKIM 
signature may serve as a basis for permitting feedback to the specific 
domain, but should not be used to confirm any unrelated domains.

A more serious problem exists with the use of SPF in permitting 
feedback.  This problem is made more problematic by 
Authentication-Results headers not capturing the IP address used to 
"verify" SPF records, although the MARF report includes a purported 
Source IP address.  There is still no way to determine how this 
purported IP address information had been derived, or how it might 
relate with SPF verification assertions.  An SPF record can be crafted 
to return a pass result unrelated to the originating IP address.  As 
such, SPF can be subverted to gain feedback access with lax validation 
results returned in Authentication-Results headers.  This oversight had 
been officially challenged, but never corrected. :^(

Any domain can resolve any IP address.  The draft's assertion that 
forging the IP address is difficult must be considered in respect to the 
use of SPF in qualifying for feedback.  The source IP address does not 
receive feedback.  The feedback relationship is further undermined with 
consensus on which message element, whether the EHLO, the MailFrom, or 
the PRA selects the SPF resource record.  In addition, feedback is 
likely to occur when SPF assertions fail, so it becomes imperative to 
understand what was used to initially qualify SPF feedback relationships.

In addition, this draft describes use of third-parties located at 
different domains without advising how these entities being given access 
to feedback streams are to be vetted, or whether they should be allowed 
at all.

-Doug

v2.23.0 | Report a Bug | By Email