IETF Logo Mail Archive

Re: [spfbis] Review of draft-ietf-spfbis-experiment-05

Douglas Otis <dotis@mail-abuse.org> Mon, 23 April 2012 21:01 UTC

Return-Path: <dotis@mail-abuse.org>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88F8521F8555 for <spfbis@ietfa.amsl.com>; Mon, 23 Apr 2012 14:01:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.491
X-Spam-Level:
X-Spam-Status: No, score=-102.491 tagged_above=-999 required=5 tests=[AWL=0.108, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sdaCayhUU3jF for <spfbis@ietfa.amsl.com>; Mon, 23 Apr 2012 14:01:02 -0700 (PDT)
Received: from mailserv.mail-abuse.org (mailserv.mail-abuse.org [150.70.98.118]) by ietfa.amsl.com (Postfix) with ESMTP id DC75B21F853F for <spfbis@ietf.org>; Mon, 23 Apr 2012 14:01:02 -0700 (PDT)
Received: from US-DOUGO-MAC.local (unknown [10.31.37.8]) by mailserv.mail-abuse.org (Postfix) with ESMTPSA id F38AD17403F3 for <spfbis@ietf.org>; Mon, 23 Apr 2012 21:01:01 +0000 (UTC)
Message-ID: <4F95C30D.5070903@mail-abuse.org>
Date: Mon, 23 Apr 2012 14:01:01 -0700
From: Douglas Otis <dotis@mail-abuse.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: spfbis@ietf.org
References: <CAC4RtVAV5PH+VMzppVxAQgGq0f28ARN846e17G_8sbLCThm-KA@mail.gmail.com> <9452079D1A51524AA5749AD23E0039280FED0D@exch-mbx901.corp.cloudmark.com> <CAJ4XoYf2KNLsqzrrM39bWo1Z1Fun1qEiNMYstLf2ZCaaUDSzmA@mail.gmail.com> <9452079D1A51524AA5749AD23E0039280FF5C4@exch-mbx901.corp.cloudmark.com> <CAJ4XoYe1Vkge=2iWrFgzRyZL-XVt-7bhUCf=xJHhvZcR6mGFiA@mail.gmail.com>
In-Reply-To: <CAJ4XoYe1Vkge=2iWrFgzRyZL-XVt-7bhUCf=xJHhvZcR6mGFiA@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [spfbis] Review of draft-ietf-spfbis-experiment-05
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Apr 2012 21:01:03 -0000

On 4/23/12 8:13 AM, Dotzero wrote:
> On Mon, Apr 23, 2012 at 10:34 AM, Murray S. Kucherawy<msk@cloudmark.com>  wrote:
>>> -----Original Message-----
>>> From: Dotzero [mailto:dotzero@gmail.com]
>>> Sent: Monday, April 23, 2012 5:58 AM
>>> To: Murray S. Kucherawy
>>> Cc: spfbis@ietf.org
>>> Subject: Re: [spfbis] Review of draft-ietf-spfbis-experiment-05
>>>
>>> It is absolutely incorrect to say that their accuracies are about the
>>> same. I can consistently game PRA to get a neutral outcome regardless
>>> of what the originating domain publishes in it's record. If there is a
>>> Sender field then that is the PRA per the spec. I cannot do the the
>>> same for SPF.
>> Based on the data collected about actual live mail streams, SPF and Sender ID reach the same pass/fail conclusion about messages at least 80%, and as much as 95%, of the time.  Do you have different data?
>>
>> We're specifically not doing a comparison of the weaknesses of the two.  We're only citing empirical data.
>>
> You stated that their accuracies are comparable. Given the known
> weakness of PRA (based on emperical data/testing), that is an
> incorrect statement. The whole point of SPF (and presumably SIDF) is
> to mitigate abuse. You have not provided complete details about the
> dataset you are referring to so it is hard to draw detailed conlusions
> regarding key points:
>
> 1) What percentage of the dataset does not have a Sender field?
> 2) For data points where there is a Sender field, what percentage of
> those data points have a Sender field that is aligned with the Mail
> > From (and conceivably From)?
> 3) What percentage of the messages were "abusive"? Would the mail
> stream selected be a likely target for the particular type of abuse I
> am pointing out? If not, why would you expect to see this particular
> type of abuse?
> 4) To what extent is the dataset representative of the mail streams
> that various types and sizes of receivers might receive? That is, is
> the dataset truly representative or are there potential issues with
> self selection, etc?
Dear Mike,

Agreed.  Serious security concerns remain.  Publishing domain alignments 
of various message elements might better illustrate these concerns.

Both PRA and Mail parameters suffer similar weaknesses as neither are 
assured to be visible.  Unlike the PRA, the Mail parameter establishes 
the return-path, however SPF records lack any assurance which identity 
is intended to correspond with outbound server addresses.  Instances 
where PRA accommodates normal SMTP function (without misuse of Resent-* 
header fields) allows this scheme to be more compliant.  This compliance 
carries added risk as it requires application of similar out-of-band 
information necessary for making exceptions as those with the Mail 
parameters, although the Mail parameter offers less selection 
uncertainty and much less associated overhead.

The SPF HELO/EHLO option does not require use of out-of-band 
information, does not require exceptions, nor is there more than one 
possible identity within a message exchange.

While HELO/EHLO identity is recognized by SPF, SPF lacks a scope list 
making it clear whether use was intended exclusively for the HELO/EHLO 
to authenticate outbound servers, or to authorize third-party servers 
that might carry a domain's messages.   Source authentication using 
HELO/EHLO offers content assurances lacking with either the PRA or Mail 
parameters.  Additionally, only the HELO/EHLO identity is able to ensure 
messages not directly originating from their servers can be safely 
rejected, which to prevent spoofing,  requires a separately specified 
 From header field alignment requirement.  IMHO, the situation faced 
today would have been better resolved by agreeing to a scope-id list 
that included MFROM, PRA, and HELO.

The PRA and Mail parameter identities are used to guess whether a 
particular server may have been authorized to issue the message or 
whether the server is normally not compatible with either scheme.  
Clearly, this lacks a solid basis for ensuring message interchange.  By 
not holding the outbound server accountable for issuing spoofed 
messages, users that have had their accounts compromised are less likely 
to be made aware of this dangerous situation and there is less incentive 
for ensuring account security.

Regards,
Douglas Otis

v2.23.0 | Report a Bug | By Email