IETF Logo Mail Archive

Re: [spfbis] Local macros strike again, was Suggestion...

Douglas Otis <dotis@mail-abuse.org> Sat, 14 January 2012 14:27 UTC

Return-Path: <dotis@mail-abuse.org>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69BEC21F85F6 for <spfbis@ietfa.amsl.com>; Sat, 14 Jan 2012 06:27:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.168
X-Spam-Level:
X-Spam-Status: No, score=-102.168 tagged_above=-999 required=5 tests=[AWL=0.431, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C9pZdcHe4tqa for <spfbis@ietfa.amsl.com>; Sat, 14 Jan 2012 06:27:09 -0800 (PST)
Received: from mailserv.mail-abuse.org (mailserv.mail-abuse.org [150.70.98.118]) by ietfa.amsl.com (Postfix) with ESMTP id B53F421F85E6 for <spfbis@ietf.org>; Sat, 14 Jan 2012 06:27:09 -0800 (PST)
Received: from US-DOUGO-MAC.local (sjdcluxgateway1.sdi.trendnet.org [10.31.37.8]) by mailserv.mail-abuse.org (Postfix) with ESMTPSA id 32D0F17400FC for <spfbis@ietf.org>; Sat, 14 Jan 2012 14:27:08 +0000 (UTC)
Message-ID: <4F1190BB.9080202@mail-abuse.org>
Date: Sat, 14 Jan 2012 06:27:07 -0800
From: Douglas Otis <dotis@mail-abuse.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: spfbis@ietf.org
References: <F5833273385BB34F99288B3648C4F06F19C6C15673@EXCH-C2.corp.cloudmark.com> <4EF8F336.8080508@gathman.org> <F5833273385BB34F99288B3648C4F06F19C6C1569C@EXCH-C2.corp.cloudmark.com> <1590867.1quv5UxKKV@scott-latitude-e6320> <4EFCB88A.1080104@mail-abuse.org> <4EFE6F39.90000@isdg.net> <4F0358CC.6030505@mail-abuse.org> <4F03775B.4050905@isdg.net> <4F04E292.9030502@mail-abuse.org> <4F04FB1C.7070302@isdg.net> <4F060E74.2070103@cisco.com> <4F063F09.3030900@isdg.net> <4F06884D.2070509@mail-abuse.org> <4F082861.5080803@tana.it> <4F09269C.6090402@isdg.net> <4F0B0035.3050106@cisco.com> <4F0C9777.1090904@mail-abuse.org> <4F0C9E61.1010306@cisco.com> <4F0DD063.5090103@tana.it> <4F0E0A7E.1040905@isdg.net> <Pine.GSO.4.62.1201111726390.13909@spaz.oit.wmich.edu> <4F10BEED.7050207@mail-abuse.org> <4F10DD94.8040905@isdg.net>
In-Reply-To: <4F10DD94.8040905@isdg.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [spfbis] Local macros strike again, was Suggestion...
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Jan 2012 14:27:10 -0000

On 1/13/12 5:42 PM, Hector Santos wrote:
>  Douglas Otis wrote:
> > Dear Hector,
> >
> > This was simply explaining the impact caused by a change Wayne
> > Schlitt made to host name limits in his SPF library. He restricted
> > the number of host names resolved to 5. This caused a problem for
> > t-online.de who never published SPF records but were subjected to
> > "default" SPF records such as "a mx/24" and that had 8 hosts in
> > their MX RRset, for example. :^(
>
>  Doug,
>
>  Since I'm not familiar with the idea of a "default" SPF record, I
>  don't quite understand why a receiver would applied a "SPF default"
>  to a domain that did make any SPF explicit declaration. Why would you
>  not expect to see problems with this? If this part of the
>  specification?

Dear Hector,

AFAIK, t-online.de never published SPF records.  Some implementers 
leveraged SPF built-in functions to make "best guesses" about domains 
lacking SPF records.  This tactic is found in many SPF implementations 
as it will be for years.  When a guess by thousands of recipient 
libraries fail to provide consistent results, as it was for t-online.de, 
users believed the fault was with t-online.de, not realizing the actions 
of SPF foo.  As a result, this created a "defacto" rule for those not 
publishing SPF records, "Do not publish more than 5 hosts in your MX RRset."

>  That said, what we have (in our package) is a macro-based filtering
>  language that includes a macro called DIP for DOMAIN::IP association.
>  Its a lightweight LMAP rule that sysops can add to their filters.
>  We recommend to add them for KNOWN transactions that do not have SPF
>  records and only do so if its clear to them that a DIP would
>  accurately apply. These are the DIP rules I have added over the
>  years for our SMTP server:

The concern is not with sysops using macros, although authenticated 
sources will provide better consistency and security.

The concern is that SPF allows _any_ domain to run SPF macros leveraging 
the powerful resources of recipient's email service providers.  Use of 
local-part macros means SPF results are NOT cache-able and always 
require repeated macro execution.  This is true even for cached SPF 
records!  Whether it is 10 or 100 transactions per message that might be 
generated, these transactions represent a FREE attack for any malefactor.

These additional transactions are unlikely noticed or logged by email 
service providers.  Their trigger is any email message that forwarded 
the malefactor's Mail From parameter as required by SMTP.  When a 
malefactor's SPF record targets some victim domain, messages sent to 
thousands of different domains will trigger their Distributed Denial of 
Service attack with a high level of amplification.  An attack where 
victims never see the messages, and where those reflecting the attack 
will likely remain unaware of their role.  None of the messages or SPF 
records need to contain the victim's domain since even this can be 
synthesized by SPF macros.

Virtually all other services authenticate with a brief exchange 
cryptographically verified within a few transactions that:
  1) factors are cache-able  (spf + local-part macros NOT cache-able)
  2) results are cache-able  (spf + local-part macros NOT cache-able)
  3) minimal demand on recipients (NOT cache-able and 100+ transactions/msg)

After the high resource expenditure, the email provider reflecting their 
resources remains an enigma, and only their IP address have been 
authorized.  The domain involved could be one of the 100K new seen daily.

>  Again these "default", SPF-like rules SHOULD only applied where there
>  is precise knowledge. I can't envision a general "SPF Default" rule
>  applicable to all non-SPF domains. Is there such a thing?

Unfortunately, many consider making a guess is okay.  All of this risk, 
guesswork, and wasteful use of resources disappears with the use of 
normal server authentication.  Email service providers need to 
AUTHENTICATE to protect users, their reputations, and to function 
properly with IPv6.

Regards,
Doug Otis

v2.23.0 | Report a Bug | By Email