Security Basics mailing list archives

Re: Sender Spoofing via SMTP


From: Tomasz Nidecki <tonid () hakin9 org>
Date: Mon, 7 Nov 2005 09:34:41 +0100


Friday, November 4, 2005, 5:28:49 PM, Barrie wrote:

On Thu, 2005-11-03 at 15:56 +0000, brandon.steili () gmail com wrote:
I know this is a common issue that does not seem to be well addressed,

The issue is well addressed: we all know it's there, we all know how it
can be fixed, and we all know it sucks. You can't rip out SMTP in one go,
so you have to work around it, which is where things like SPF, digital
signing etc. come in.

Duh... Don't tell me about SPF. What's worse, Microsoft's Sender ID
project is being supported more and more often, and more and more
mailservers are setting up SPF protection.

I wonder when people will realize SPF IS BAD AND SHOULD NOT BE USED!

1. The only thing it really protects against is that spammers will not
use your domain for sending mail to protected mailservers. So this is
not protection against RECEIVING SPAM, but a protection against JOE
JOBS AND SUCH. It is also very limited in protecting sender spoofing,
because it just disallows spoofing of selected domains on selected
servers and I don't believe it will ever be accepted and used globally.

2. If a spammer wants to send spam to an SPF protected server, it's as
easy as selecting a domain that:
2.1. either does not have an SPF record at all [most mailservers do
not use the strict policy of denying mail from servers that have no
SPF records, because if they did, they'd filter out 90% of the
Internet...],
2.2. or has an SPF record allowing everyone to send mail from this
given domain [which forwarding domains must do, because SPF breaks
forwarding]
2.3. or is especially set up by the spammers with such a record [duh,
nowadays it's so easy to buy a domain somewhere for five bucks and set
it up with an SPF record...]
Therefore, SPF does NOT protect against receiving spam. It's too easy
to subvert by the spammers.

3. SPF breaks the idea of mail forwarding completely. Every provider
who offers mail forwarding is helpless when the receiving end is
SPF-protected, or mail has to be forwarded with a modified envelope
sender address [or even the From: header, if the SPF protection checks
that too].

So PLEASE DO NOT USE SPF. Feel free to publish your own records, just
for the sake of all those servers that still use it, but don't protect
your mailserver using it.

-- 
Tomasz Nidecki, Sekr. Redakcji / Managing Editor
hakin9 magazine            http://www.hakin9.org
mailto:tonid () hakin9 org      jid:tonid () tonid net

Do you know what "hacker" means?
http://www.catb.org/~esr/faqs/hacker-howto.html

Do you know what the word "hacker" means? (Polish version)
http://www.jtz.org.pl/Inne/hacker-howto-pl.html

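An added example, not part of the post or the list thread: a toy SPF v1 evaluator (ip4 mechanisms with optional CIDR plus the all term, per the usual qualifier semantics) run over a constructed DNS TXT table. It reproduces the three outcomes the post argues about: a sender domain with no record gets "none" rather than a rejection, a domain published with "+all" passes from any address, and a forwarder relaying mail for a strict domain fails unless it rewrites the envelope sender to its own domain. All domain names and IP addresses are constructed.

```python
import ipaddress

# Constructed DNS TXT table standing in for real lookups (example data only).
SPF_RECORDS = {
    "strict.example":    "v=spf1 ip4:192.0.2.10 -all",     # only its own MTA may send
    "open.example":      "v=spf1 +all",                     # anyone may send (forwarding-friendly, useless)
    "forwarder.example": "v=spf1 ip4:198.51.100.5 -all",   # the forwarding provider's MTA
    # "nospf.example" deliberately has no TXT record at all.
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS):
    """Evaluate a minimal SPF record for the envelope-sender domain against the
    connecting client IP. Returns one of: none, pass, fail, softfail, neutral."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published: most receivers accept such mail
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" when it matches
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            # A bare address is treated as a /32; strict=False tolerates host bits.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # mechanisms beyond ip4/all are out of scope for this toy evaluator
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no "all" term


def forwarded_result(original_domain, forwarder_ip, rewrite_envelope_to=None):
    """Result the final receiver computes when a forwarder relays mail whose envelope
    sender is in original_domain. With rewrite_envelope_to set, the forwarder
    substitutes its own domain, i.e. the modified envelope sender the post mentions."""
    return check_spf(rewrite_envelope_to or original_domain, forwarder_ip)
```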
