nanog mailing list archives
Re: Spammers Skirt IP Authentication Attempts
From: Daniel Reed <n () ml org>
Date: Wed, 8 Sep 2004 16:59:14 -0400 (EDT)
On 2004-09-08T15:15-0500, Robert Bonomi wrote:
) Same thing applies for 'simple' forwarding via sendmail's '~/.forward'
) mechanism. the mail server 'accepts' the mail from the original source,
) and then 're-sends' to the new destination. That re-send originates as
) the _forwarding_party_, WITH an 'envelope from' of that forwarding party,
) even though the internal content of the message may show a _different_,
) and unrelated, "From" address.

My experience with Sendmail has been that the envelope sender is retained
through /etc/aliases or ~/.forward. I can confirm that qmail's .qmail
definitely retains the envelope sender of the original message.

    MAIL From:<user@example.com>
    RCPT To:<aliasuser@example.net>
    Received: from outgoing.example.com by mail.example.net
    Received-SPF: pass: outgoing.example.com allowed for example.com

    MAIL From:<user@example.com>
    RCPT To:<realaddress@example.org>
    Received: from mail.example.net by incoming.example.org
    Received-SPF: fail: mail.example.net NOT allowed for example.com

Mailing lists get away with changing the envelope sender because the
original sender does not actually expect to receive DSNs for the message for
individual subscribers. Forwarding sites, on the other hand, can not simply
modify the envelope sender; DSNs *are* expected to track back to the
originating sender through a simple forward.

One proposal is to allow forwarding sites to modify the envelope sender in
such a way as to encode the original envelope sender in the LHS of an
@forwarding.site address. For example:

    MAIL From:<bounce-user=example.com@example.net>
    RCPT To:<realaddress@example.org>
    Received: from mail.example.net by incoming.example.org
    Received-SPF: fail: mail.example.net allowed for example.net

A naive scheme would allow for open relaying, however.

A widely-deployed naive scheme could be used by spammers to send mail to
arbitrary addresses:

    for i in $list; do
        mail bounce-$(echo $i | sed s/@/=/)@example.net < myspam
    done

At least one anti-spam group has claimed they will list mail servers from
forwarding sites that use such an easily-exploited scheme. :(

-- 
Daniel Reed <n () ml org> http://people.redhat.com/djr/ http://naim.n.ml.org/
1832 Savior214: that sucks that one day your just gonna die and all that work you did learning stuff just gets a rm -rf
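
Added example, not part of the original post or of any project it mentions: one way a forwarding site can keep the bounce-user=domain idea without becoming a relay is to bind each rewritten address to a keyed tag and a day stamp, the same idea the Sender Rewriting Scheme (SRS) uses, though this is not the SRS wire format. The address layout, key, 7-day window and function names are assumptions made for the illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: secret known only to the forwarder
FORWARDER = "example.net"         # the forwarding site used in the post
MAX_AGE_DAYS = 7                  # assumption: how long bounces are honoured


def _tag(day: int, local: str, domain: str) -> str:
    """Keyed tag over the day stamp and the original sender (case-folded)."""
    msg = f"{day}:{local.lower()}@{domain.lower()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:12]


def rewrite_sender(original: str, today: int) -> str:
    """Envelope sender the forwarder puts on a message it re-sends.

    `today` is a day number, e.g. int(time.time() // 86400).
    """
    local, domain = original.rsplit("@", 1)
    tag = _tag(today, local, domain)
    return f"bounce-{tag}-{today}-{local}={domain}@{FORWARDER}"


def bounce_target(rcpt: str, today: int):
    """Return the original sender for a bounce address we issued, else None."""
    if not rcpt.isascii():
        return None
    lhs, _, host = rcpt.rpartition("@")
    if host.lower() != FORWARDER or not lhs.startswith("bounce-"):
        return None
    parts = lhs[len("bounce-"):].split("-", 2)
    if len(parts) != 3 or not parts[1].isdigit() or "=" not in parts[2]:
        return None  # covers the naive bounce-user=domain form
    tag, day, encoded = parts[0], int(parts[1]), parts[2]
    local, domain = encoded.rsplit("=", 1)
    if not 0 <= today - day <= MAX_AGE_DAYS:
        return None  # expired, or stamped in the future
    if not hmac.compare_digest(tag, _tag(day, local, domain)):
        return None  # tag was not produced with our key for this sender
    return f"{local}@{domain}"
```

A forwarder using this would accept RCPT To for a bounce- address only when bounce_target() returns a sender, so DSNs still reach the originating sender while addresses built by the loop above are refused.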