Re: [spfbis] Local macros strike again, was Suggestion...
Douglas Otis <dotis@mail-abuse.org> Sat, 14 January 2012 14:27 UTC
Return-Path: <dotis@mail-abuse.org>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69BEC21F85F6 for <spfbis@ietfa.amsl.com>; Sat, 14 Jan 2012 06:27:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.168
X-Spam-Level:
X-Spam-Status: No, score=-102.168 tagged_above=-999 required=5 tests=[AWL=0.431, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C9pZdcHe4tqa for <spfbis@ietfa.amsl.com>; Sat, 14 Jan 2012 06:27:09 -0800 (PST)
Received: from mailserv.mail-abuse.org (mailserv.mail-abuse.org [150.70.98.118]) by ietfa.amsl.com (Postfix) with ESMTP id B53F421F85E6 for <spfbis@ietf.org>; Sat, 14 Jan 2012 06:27:09 -0800 (PST)
Received: from US-DOUGO-MAC.local (sjdcluxgateway1.sdi.trendnet.org [10.31.37.8]) by mailserv.mail-abuse.org (Postfix) with ESMTPSA id 32D0F17400FC for <spfbis@ietf.org>; Sat, 14 Jan 2012 14:27:08 +0000 (UTC)
Message-ID: <4F1190BB.9080202@mail-abuse.org>
Date: Sat, 14 Jan 2012 06:27:07 -0800
From: Douglas Otis <dotis@mail-abuse.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: spfbis@ietf.org
References: <F5833273385BB34F99288B3648C4F06F19C6C15673@EXCH-C2.corp.cloudmark.com> <4EF8F336.8080508@gathman.org> <F5833273385BB34F99288B3648C4F06F19C6C1569C@EXCH-C2.corp.cloudmark.com> <1590867.1quv5UxKKV@scott-latitude-e6320> <4EFCB88A.1080104@mail-abuse.org> <4EFE6F39.90000@isdg.net> <4F0358CC.6030505@mail-abuse.org> <4F03775B.4050905@isdg.net> <4F04E292.9030502@mail-abuse.org> <4F04FB1C.7070302@isdg.net> <4F060E74.2070103@cisco.com> <4F063F09.3030900@isdg.net> <4F06884D.2070509@mail-abuse.org> <4F082861.5080803@tana.it> <4F09269C.6090402@isdg.net> <4F0B0035.3050106@cisco.com> <4F0C9777.1090904@mail-abuse.org> <4F0C9E61.1010306@cisco.com> <4F0DD063.5090103@tana.it> <4F0E0A7E.1040905@isdg.net> <Pine.GSO.4.62.1201111726390.13909@spaz.oit.wmich.edu> <4F10BEED.7050207@mail-abuse.org> <4F10DD94.8040905@isdg.net>
In-Reply-To: <4F10DD94.8040905@isdg.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [spfbis] Local macros strike again, was Suggestion...
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Jan 2012 14:27:10 -0000
On 1/13/12 5:42 PM, Hector Santos wrote: > Douglas Otis wrote: > > Dear Hector, > > > > This was simply explaining the impact caused by a change Wayne > > Schlitt made to host name limits in his SPF library. He restricted > > the number of host names resolved to 5. This caused a problem for > > t-online.de who never published SPF records but were subjected to > > "default" SPF records such as "a mx/24" and that had 8 hosts in > > their MX RRset, for example. :^( > > Doug, > > Since I'm not familiar with the idea of a "default" SPF record, I > don't quite understand why a receiver would applied a "SPF default" > to a domain that did make any SPF explicit declaration. Why would you > not expect to see problems with this? If this part of the > specification? Dear Hector, AFAIK, t-online.de never published SPF records. Some implementers leveraged SPF built-in functions to make "best guesses" about domains lacking SPF records. This tactic is found in many SPF implementations as it will be for years. When a guess by thousands of recipient libraries fail to provide consistent results, as it was for t-online.de, users believed the fault was with t-online.de, not realizing the actions of SPF foo. As a result, this created a "defacto" rule for those not publishing SPF records, "Do not publish more than 5 hosts in your MX RRset." > That said, what we have (in our package) is a macro-based filtering > language that includes a macro called DIP for DOMAIN::IP association. > Its a lightweight LMAP rule that sysops can add to their filters. > We recommend to add them for KNOWN transactions that do not have SPF > records and only do so if its clear to them that a DIP would > accurately apply. These are the DIP rules I have added over the > years for our SMTP server: The concern is not with sysops using macros, although authenticated sources will provide better consistency and security. The concern is that SPF allows _any_ domain to run SPF macros leveraging the powerful resources of recipient's email service providers. Use of local-part macros means SPF results are NOT cache-able and always require repeated macro execution. This is true even for cached SPF records! Whether it is 10 or 100 transactions per message that might be generated, these transactions represent a FREE attack for any malefactor. These additional transactions are unlikely noticed or logged by email service providers. Their trigger is any email message that forwarded the malefactor's Mail From parameter as required by SMTP. When a malefactor's SPF record targets some victim domain, messages sent to thousands of different domains will trigger their Distributed Denial of Service attack with a high level of amplification. An attack where victims never see the messages, and where those reflecting the attack will likely remain unaware of their role. None of the messages or SPF records need to contain the victim's domain since even this can be synthesized by SPF macros. Virtually all other services authenticate with a brief exchange cryptographically verified within a few transactions that: 1) factors are cache-able (spf + local-part macros NOT cache-able) 2) results are cache-able (spf + local-part macros NOT cache-able) 3) minimal demand on recipients (NOT cache-able and 100+ transactions/msg) After the high resource expenditure, the email provider reflecting their resources remains an enigma, and only their IP address have been authorized. The domain involved could be one of the 100K new seen daily. > Again these "default", SPF-like rules SHOULD only applied where there > is precise knowledge. I can't envision a general "SPF Default" rule > applicable to all non-SPF domains. Is there such a thing? Unfortunately, many consider making a guess is okay. All of this risk, guesswork, and wasteful use of resources disappears with the use of normal server authentication. Email service providers need to AUTHENTICATE to protect users, their reputations, and to function properly with IPv6. Regards, Doug Otis
- [spfbis] Suggestion for an additional deliverable Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Dave CROCKER
- Re: [spfbis] Suggestion for an additional deliver… SM
- Re: [spfbis] Suggestion for an additional deliver… Scott Kitterman
- Re: [spfbis] Suggestion for an additional deliver… Commerco WebMaster
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Dotzero
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Alessandro Vesely
- Re: [spfbis] Suggestion for an additional deliver… Scott Kitterman
- Re: [spfbis] Suggestion for an additional deliver… Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Scott Kitterman
- Re: [spfbis] Suggestion for an additional deliver… Dave CROCKER
- [spfbis] Augmenting SPF with additional Email tec… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Alessandro Vesely
- Re: [spfbis] Suggestion for an additional deliver… Stuart Gathman
- Re: [spfbis] Suggestion for an additional deliver… Alessandro Vesely
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Murray S. Kucherawy
- Re: [spfbis] Suggestion for an additional deliver… Scott Kitterman
- [spfbis] A-R vs SPF-R, was Suggestion for an addi… Alessandro Vesely
- Re: [spfbis] Suggestion for an additional deliver… Douglas Otis
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Douglas Otis
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Douglas Otis
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Scott Kitterman
- Re: [spfbis] Suggestion for an additional deliver… Philip Gladstone
- Re: [spfbis] Suggestion for an additional deliver… Stuart D Gathman
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Douglas Otis
- Re: [spfbis] Suggestion for an additional deliver… Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Douglas Otis
- [spfbis] HardFail Marking vs HardFail Rejects Hector Santos
- Re: [spfbis] Suggestion for an additional deliver… Alessandro Vesely
- [spfbis] Local macros strike again, was Suggestio… Alessandro Vesely
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Philip Gladstone
- Re: [spfbis] Local macros strike again, was Sugge… Douglas Otis
- Re: [spfbis] Local macros strike again, was Sugge… Scott Kitterman
- Re: [spfbis] Local macros strike again, was Sugge… Philip Gladstone
- Re: [spfbis] Local macros strike again, was Sugge… Alessandro Vesely
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Derek Diget
- Re: [spfbis] Local macros strike again, was Sugge… Murray S. Kucherawy
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- [spfbis] Section 10.1 Processing Limits Hector Santos
- Re: [spfbis] Section 10.1 Processing Limits Scott Kitterman
- Re: [spfbis] Section 10.1 Processing Limits Derek Diget
- Re: [spfbis] Section 10.1 Processing Limits Hector Santos
- Re: [spfbis] Section 10.1 Processing Limits Scott Kitterman
- Re: [spfbis] Section 10.1 Processing Limits Hector Santos
- Re: [spfbis] Section 10.1 Processing Limits Scott Kitterman
- Re: [spfbis] Section 10.1 Processing Limits Murray S. Kucherawy
- Re: [spfbis] Section 10.1 Processing Limits Hector Santos
- Re: [spfbis] Section 10.1 Processing Limits Scott Kitterman
- [spfbis] SPF metrics, was Limits Alessandro Vesely
- Re: [spfbis] Section 10.1 Processing Limits Hector Santos
- Re: [spfbis] Section 10.1 Processing Limits Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Douglas Otis
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Douglas Otis
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Philip Gladstone
- Re: [spfbis] Local macros strike again, was Sugge… Scott Kitterman
- Re: [spfbis] Local macros strike again, was Sugge… Murray S. Kucherawy
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Hector Santos
- Re: [spfbis] Local macros strike again, was Sugge… Philip Gladstone
- Re: [spfbis] Local macros strike again, was Sugge… Commerco WebMaster