Re: [spfbis] Review of draft-ietf-spfbis-experiment-05
Douglas Otis <dotis@mail-abuse.org> Mon, 23 April 2012 21:01 UTC
Return-Path: <dotis@mail-abuse.org>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88F8521F8555 for <spfbis@ietfa.amsl.com>; Mon, 23 Apr 2012 14:01:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.491
X-Spam-Level:
X-Spam-Status: No, score=-102.491 tagged_above=-999 required=5 tests=[AWL=0.108, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sdaCayhUU3jF for <spfbis@ietfa.amsl.com>; Mon, 23 Apr 2012 14:01:02 -0700 (PDT)
Received: from mailserv.mail-abuse.org (mailserv.mail-abuse.org [150.70.98.118]) by ietfa.amsl.com (Postfix) with ESMTP id DC75B21F853F for <spfbis@ietf.org>; Mon, 23 Apr 2012 14:01:02 -0700 (PDT)
Received: from US-DOUGO-MAC.local (unknown [10.31.37.8]) by mailserv.mail-abuse.org (Postfix) with ESMTPSA id F38AD17403F3 for <spfbis@ietf.org>; Mon, 23 Apr 2012 21:01:01 +0000 (UTC)
Message-ID: <4F95C30D.5070903@mail-abuse.org>
Date: Mon, 23 Apr 2012 14:01:01 -0700
From: Douglas Otis <dotis@mail-abuse.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20120327 Thunderbird/11.0.1
MIME-Version: 1.0
To: spfbis@ietf.org
References: <CAC4RtVAV5PH+VMzppVxAQgGq0f28ARN846e17G_8sbLCThm-KA@mail.gmail.com> <9452079D1A51524AA5749AD23E0039280FED0D@exch-mbx901.corp.cloudmark.com> <CAJ4XoYf2KNLsqzrrM39bWo1Z1Fun1qEiNMYstLf2ZCaaUDSzmA@mail.gmail.com> <9452079D1A51524AA5749AD23E0039280FF5C4@exch-mbx901.corp.cloudmark.com> <CAJ4XoYe1Vkge=2iWrFgzRyZL-XVt-7bhUCf=xJHhvZcR6mGFiA@mail.gmail.com>
In-Reply-To: <CAJ4XoYe1Vkge=2iWrFgzRyZL-XVt-7bhUCf=xJHhvZcR6mGFiA@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [spfbis] Review of draft-ietf-spfbis-experiment-05
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/spfbis>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Apr 2012 21:01:03 -0000
On 4/23/12 8:13 AM, Dotzero wrote: > On Mon, Apr 23, 2012 at 10:34 AM, Murray S. Kucherawy<msk@cloudmark.com> wrote: >>> -----Original Message----- >>> From: Dotzero [mailto:dotzero@gmail.com] >>> Sent: Monday, April 23, 2012 5:58 AM >>> To: Murray S. Kucherawy >>> Cc: spfbis@ietf.org >>> Subject: Re: [spfbis] Review of draft-ietf-spfbis-experiment-05 >>> >>> It is absolutely incorrect to say that their accuracies are about the >>> same. I can consistently game PRA to get a neutral outcome regardless >>> of what the originating domain publishes in it's record. If there is a >>> Sender field then that is the PRA per the spec. I cannot do the the >>> same for SPF. >> Based on the data collected about actual live mail streams, SPF and Sender ID reach the same pass/fail conclusion about messages at least 80%, and as much as 95%, of the time. Do you have different data? >> >> We're specifically not doing a comparison of the weaknesses of the two. We're only citing empirical data. >> > You stated that their accuracies are comparable. Given the known > weakness of PRA (based on emperical data/testing), that is an > incorrect statement. The whole point of SPF (and presumably SIDF) is > to mitigate abuse. You have not provided complete details about the > dataset you are referring to so it is hard to draw detailed conlusions > regarding key points: > > 1) What percentage of the dataset does not have a Sender field? > 2) For data points where there is a Sender field, what percentage of > those data points have a Sender field that is aligned with the Mail > > From (and conceivably From)? > 3) What percentage of the messages were "abusive"? Would the mail > stream selected be a likely target for the particular type of abuse I > am pointing out? If not, why would you expect to see this particular > type of abuse? > 4) To what extent is the dataset representative of the mail streams > that various types and sizes of receivers might receive? That is, is > the dataset truly representative or are there potential issues with > self selection, etc? Dear Mike, Agreed. Serious security concerns remain. Publishing domain alignments of various message elements might better illustrate these concerns. Both PRA and Mail parameters suffer similar weaknesses as neither are assured to be visible. Unlike the PRA, the Mail parameter establishes the return-path, however SPF records lack any assurance which identity is intended to correspond with outbound server addresses. Instances where PRA accommodates normal SMTP function (without misuse of Resent-* header fields) allows this scheme to be more compliant. This compliance carries added risk as it requires application of similar out-of-band information necessary for making exceptions as those with the Mail parameters, although the Mail parameter offers less selection uncertainty and much less associated overhead. The SPF HELO/EHLO option does not require use of out-of-band information, does not require exceptions, nor is there more than one possible identity within a message exchange. While HELO/EHLO identity is recognized by SPF, SPF lacks a scope list making it clear whether use was intended exclusively for the HELO/EHLO to authenticate outbound servers, or to authorize third-party servers that might carry a domain's messages. Source authentication using HELO/EHLO offers content assurances lacking with either the PRA or Mail parameters. Additionally, only the HELO/EHLO identity is able to ensure messages not directly originating from their servers can be safely rejected, which to prevent spoofing, requires a separately specified From header field alignment requirement. IMHO, the situation faced today would have been better resolved by agreeing to a scope-id list that included MFROM, PRA, and HELO. The PRA and Mail parameter identities are used to guess whether a particular server may have been authorized to issue the message or whether the server is normally not compatible with either scheme. Clearly, this lacks a solid basis for ensuring message interchange. By not holding the outbound server accountable for issuing spoofed messages, users that have had their accounts compromised are less likely to be made aware of this dangerous situation and there is less incentive for ensuring account security. Regards, Douglas Otis
- [spfbis] Review of draft-ietf-spfbis-experiment-05 Barry Leiba
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Scott Kitterman
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Murray S. Kucherawy
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Scott Kitterman
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Murray S. Kucherawy
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Scott Kitterman
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Murray S. Kucherawy
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Murray S. Kucherawy
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Scott Kitterman
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Scott Kitterman
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Murray S. Kucherawy
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Scott Kitterman
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Barry Leiba
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Murray S. Kucherawy
- Re: [spfbis] Review of draft-ietf-spfbis-experime… John Leslie
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Scott Kitterman
- Re: [spfbis] Review of draft-ietf-spfbis-experime… John Leslie
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Scott Kitterman
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Hector Santos
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Dotzero
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Andrew Sullivan
- [spfbis] Moderator note (was: Review of draft-iet… Andrew Sullivan
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Murray S. Kucherawy
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Scott Kitterman
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Andrew Sullivan
- Re: [spfbis] Moderator note (was: Review of draft… Scott Kitterman
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Scott Kitterman
- Re: [spfbis] Moderator note (was: Review of draft… Andrew Sullivan
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Dotzero
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Barry Leiba
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Barry Leiba
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Commerco WebMaster
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Scott Kitterman
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Scott Kitterman
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Hector Santos
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Douglas Otis
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Hector Santos
- Re: [spfbis] Review of draft-ietf-spfbis-experime… S Moonesamy
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Douglas Otis
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Dave Crocker
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Alessandro Vesely
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Scott Kitterman
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Dave Crocker
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Dave Crocker
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Murray S. Kucherawy
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Murray S. Kucherawy
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Murray S. Kucherawy
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Murray S. Kucherawy
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Murray S. Kucherawy
- Re: [spfbis] Review of draft-ietf-spfbis-experime… Murray S. Kucherawy