[BBLISA] Someone is out to get me - spam pretending to be from me

Dean Anderson dean at av8.com
Mon Jan 17 20:43:15 EST 2005


On Fri, 14 Jan 2005, Theo Van Dinter wrote:

> On Fri, Jan 14, 2005 at 10:46:08PM -0500, Dean Anderson wrote:
> > Unless everyone uses SPF, you cannot reject based on SPF. SPF rejection 
> > creates blockback abuse problems.
> 
> Sure you can.  If the domain has records published, and a fail occurs, you can
> reject.  You can't reject if there is no record published though.

Right.  And of course NXDOMAIN can be forged fairly easily.

However, if you do reject, then one can simply create blowback by sending 
email to an SPF rejecting domain and setting the target address to be the 
from address. The (closed) relay will now generate a bounce to the real 
target. This will be from the relay itself, and will not be blocked.  This 
is rather analogous to SYN flood attacks with the "src" address of the 
upstream router. You can't reject TCP from the upstream, since BGP uses 
TCP.

> > If you lower your spam checks because of SPF, you will attract spam (and
> > spammers) to your internet service. This is why spammers are so excited 
> > about SPF.
> 
> That's why it's an anti-spoofing technique, not an anti-spam technique.  If
> people are using it for anti-spam, then they've obviously not read anything
> about how it works.

You are the first person to say it's not an anti-spam technique. 
Congratulations. I spent many months on the MARID list, and the DNSOP and 
DNSEXT lists debunking its "anti-spam" claims.  It's rather refreshing to 
hear someone say that, after hearing people claim SPF is going to end 
spam.

However, it fails as an "anti-spoofing" technique as well.

> > BTW, DNS spoofing requires about 32000 packets, and is quite a bit easier
> > than say, WEP decryption. 
> 
> It's possible, but since the attack would be per recipient DNS server,
> spammers are very unlikely to do anything with this.
> 
> Even if they did though, it just means the mail gets through one level of
> protection.

No, it's per domain server. Once you spoof the SPF record in say, hotmail's
DNS servers for a given domain, then you are "good to go" for the life of
the TTL or until they restart that server (by "good to go" I mean you can
either send spam, or DOS the targeted domain).

Note that DNS spoofing is even more trivial if you have a suite of several
hundred or more virus infected machines that can send out DNS packets to
target servers.  Best estimates consider spam abusers to have such
resources.  "Foot, stand still whilst I get a good aim"

SPF really is written for benefit of abusers. It _only_ helps abusers.  
Spammers were the first to adopt SPF.

> > SPF is patented by M$.  
> 
> BS.  PRA is patented by M$, SPF != PRA.

Some say the Sender-ID proposal makes them the same.  However, I haven't
seen the patent applications, so I can't say how much of SPF is covered.  
Nor does it appear that PRA is the only subject of a patent.  The M$
disclosure used the plural, as I recall. But I don't have the disclosure
at hand.  

		--Dean


-- 
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000   
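
The record evaluation and reject-only-on-fail behaviour discussed in this thread, as an added example that is not part of the original post or of any SPF library: a minimal Python evaluator over a constructed in-memory DNS table (the domains, addresses and records are made up), handling only the ip4, include and all mechanisms. It shows the two points made above: the result is "none" when no record is published, so no rejection is possible, and rejection happens only on a hard "fail", inside the SMTP session, so the receiver never emits a bounce to a possibly forged envelope sender. A "pass" result is deliberately not used to relax any other spam check.

```python
"""Minimal SPF evaluator (small subset of RFC 7208) over a fake DNS table.

Added example; FAKE_DNS_TXT, check_host and smtp_policy are hypothetical
names, and the records below are constructed, not any real domain's.
"""
import ipaddress

# Constructed sample TXT records keyed by domain (offline stand-in for DNS).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the SPF record for a domain, or None if none is published."""
    rec = dns.get(domain)
    if rec is None or not rec.startswith("v=spf1"):
        return None
    return rec


def check_host(ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate <ip> against <domain>'s record.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # include loop / too many lookups
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"                   # no record published: cannot reject
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qual]
        if term.startswith("ip4:"):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == 4 and addr in net:
                return QUALIFIERS[qual]
        elif term.startswith("include:"):
            sub = check_host(ip, term[8:], dns, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qual]
            if sub in ("none", "permerror"):
                return "permerror"      # a broken include is a hard error
            # fail/softfail/neutral inside an include simply do not match
        else:
            return "permerror"          # mechanism outside this subset
    return "neutral"                    # no mechanism matched, no "all"


def smtp_policy(spf_result):
    """Map an SPF result to an SMTP-time decision.

    Only a hard 'fail' is rejected, and it is rejected with a 5xx inside
    the session, so this host never creates a bounce to the (possibly
    forged) return path. 'pass' earns no reduction in other spam checks.
    """
    if spf_result == "fail":
        return ("reject", "550 5.7.1 SPF hard fail")
    return ("accept", None)


if __name__ == "__main__":
    for ip, dom in [("192.0.2.7", "example.com"),
                    ("198.51.100.10", "example.com"),
                    ("10.0.0.1", "example.com"),
                    ("10.0.0.1", "softfail.example"),
                    ("10.0.0.1", "nospf.example")]:
        res = check_host(ip, dom)
        print(ip, dom, res, smtp_policy(res))
```

Note that a domain publishing "~all" (softfail) or no record at all is accepted by this policy; that is the practical limit Theo describes, and it is also why a "pass" must not be treated as a reputation signal on its own.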