[DShield] SPF is fundamentally flawed

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Tue Feb 17 02:17:53 GMT 2004


List,

http://isc.incidents.org/diary.html?date=2004-02-16
> SPF is an attention getting and growing effort to fight "email address
> forgery and makes it easier to identify spams, worms, and viruses".

Major SPF problems:

(1) Breaks email forwarding
(2) In NO WAY prevents spoofing of the -usually visible- From: header
(3) Does NOT prevent spoofing of the USER in -invisible- Return-Path
(4) Fails completely when Return-Path: <>

Reference: http://spf.pobox.com/gauntlet.png

Explanation:

(1) [Hypothetical example] User Gates at microsoft.com goes on sabbatical at
Sun, gets an email address Gates at sun.com and puts up a forward from
Microsoft to Sun. Note: assume that Microsoft doesn't use SPF in any
way, so Mr. Gates is unaware of any potential problems.
Now a Mr. Ellison at oracle.com sends an email to Gates at microsoft.com
(he wants to buy a database or something). Suppose Oracle has set up
SPF records, and Sun checks them upon receipt of email, then
Gates at sun.com will *not* receive Ellison's email.

(Reason: microsoft.com says MAIL FROM: <Ellison at oracle.com> to sun.com;
Sun rejects because the domain "oracle.com" in the claimed sender address
is *not* Permitted From microsoft.com's IP address.)


(2) All MUA's I know only show the message header From: address; or
worse, just the "real" user name. Most MUA's (but not all) do offer the
possibility to view the "full headers" or the "original message",
including the envelope MAIL FROM address, a.k.a. Return-Path. However,
ordinary users think of these headers as overly complicated or simply
don't know what "Return-Path" means. Note that there are valid reasons
for having differences between the Return-Path and header From:
addresses (just check out *this* email).


(3) The only thing SPF verifies is the *domain* part of the Return-Path:
the user/account name is completely ignored, and can still be spoofed.

This means that, even with SPF enabled, spam and viruses can still be
sent as follows:
---------------------------------------------------------------
Return-Path: <AnyThingWillDo at aol.com>
Received: from cicero0.cybercity.dk (cicero0.cybercity.dk [212.242.40.52])
  by user1.cybercity.dk (Postfix) with ESMTP id ECC2874FEFC
  for <dsl51479 at vip.cybercity.dk>; Tue, 17 Feb 2004 00:11:29 +0100 (CET)
Received: from gleneagles.com.sg (ACB1C835.ipt.aol.com [172.177.200.53])
  by cicero0.cybercity.dk (Postfix) with SMTP id 9EAC729093
  for <dsl51479 at vip.cybercity.dk>; Tue, 17 Feb 2004 00:11:21 +0100 (CET)
Message-ID: <478d01c3f54e$06232ab5$f811fdbf at gleneagles.com.sg>
From: "Billie E. Story" <bestoryyg at dutndo7.tn.tudelft.nl>
To: dsl51479 at vip.cybercity.dk
Subject: better than víagra
Date: Tue, 17 Feb 2004 08:06:25 -0400
---------------------------------------------------------------

Note: my MTA has received a bounce that included the above headers as an
attachment, with "Content-Type: message/rfc822". However, a Return-Path
was actually NOT present (Postfix removes it from bounces, I'm not
sure why). I simply added the "Return-Path" above; the rest of these
headers are unchanged. Anyway, the actual MAIL FROM must have been
<bestoryyg at dutndo7.tn.tudelft.nl>, because cicero1.cybercity.dk bounced
it to that address (dutndo7.tn.tudelft.nl exists, but "bestoryyg" does
not; it was spoofed by the spammers, so they could have used
<AnyThingWillDo at aol.com> just as well). Also note: the originator IP
172.177.200.53 is currently listed by spamcop.net (this is not fake).


(4) With "envelope MAIL FROM: <>" SPF will revert to checking the
hostname given in the HELO command. This is a string that has been, and
still is, spoofed by countless sites (also see the spam above, and btw,
some MTA's even say "EHLO localhost.localdomain" regardless of IP).

SPF is NOT going to block malware emails like the following example:
---------------------------------------------------------------
Return-Path: <>
Received: from rly-xj02.mx.aol.com (ACB1C835.ipt.aol.com [172.177.200.53])
  by smtp.yoursite.tld (YourMTA) with SMTP id 1234567890
  for <you at yoursite.tld>; Tue, 17 Feb 2004 01:23:45 +0100 (CET)
From: "Mail Delivery Subsystem" <MAILER-DAEMON at yoursite.tld>
To: "Your Full Name" <you at yoursite.tld>
Subject: Undeliverable Mail

Unfortunately, it was not possible to deliver one or more of your messages.
For more information, please, take a look in the attachment.
---------------------------------------------------------------
Note: I submitted something *very* similar to Sophos in Nov. 2002:
http://www.sophos.com/virusinfo/analyses/trojpeidoa.html


SPF will work, until spammers and virus writers have adapted (which is
what they do all the time). IMO we're wasting our time and destroying
email forwarding. Correct me if I'm wrong!

Regards,
Erik van Straten
Delft University of Technology
The Netherlands
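The three mechanics the post relies on (SPF looks only at the domain of MAIL FROM, a forwarder's IP is checked against the original sender's record, and an empty MAIL FROM makes the check fall back to the HELO name) can be seen in a small evaluator. The following is an added example, not code from the post or from any SPF implementation: it implements only the ip4/ip6/include/all mechanisms, replaces DNS with an in-memory table, and all records, hostnames and IP addresses (RFC 5737/3849 documentation ranges) are constructed for the illustration.

```python
"""Minimal SPF evaluator (added example, not from the original post).

Only ip4/ip6/include/all are implemented and DNS is replaced by an
in-memory table; every record, domain and IP below is constructed for
the example, not real SPF data.
"""
import ipaddress

# Constructed "DNS": domain -> SPF TXT record (hypothetical records).
SPF_RECORDS = {
    "oracle.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip6:2001:db8::/32 -all",
    "aol.com": "v=spf1 ip4:203.0.113.0/24 -all",
    # microsoft.com publishes no record, as the post's scenario assumes.
}

RESULT_OF_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        terms.append((qualifier, mech.lower(), arg))
    return terms


def check_host(ip, domain, dns=SPF_RECORDS, depth=0):
    """Does <domain> permit <ip> to send mail on its behalf?

    Returns pass/fail/softfail/neutral, or "none" when the domain
    publishes no record (or include: nesting gets too deep).
    """
    record = dns.get(domain.lower())
    if record is None or depth > 10:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            matched = check_host(ip, arg, dns, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            raise ValueError("unsupported mechanism: " + mech)
        if matched:
            return RESULT_OF_QUALIFIER[qualifier]
    return "neutral"


def spf_result(client_ip, mail_from, helo, dns=SPF_RECORDS):
    """Evaluate one SMTP session the way a receiving MTA would.

    Only the domain part of MAIL FROM is consulted; the local part is
    never looked at. With an empty MAIL FROM (bounces) the HELO name is
    checked instead, so a forged HELO is all that the check sees.
    """
    if mail_from in ("", "<>"):
        return check_host(client_ip, helo, dns)
    _local, _, domain = mail_from.strip("<>").rpartition("@")
    return check_host(client_ip, domain, dns)


if __name__ == "__main__":
    # Direct delivery from oracle.com's own range: passes.
    print(spf_result("192.0.2.10", "<Ellison@oracle.com>", "mail.oracle.com"))
    # Same envelope relayed by a forwarder at microsoft.com: fails (point 1).
    print(spf_result("198.51.100.5", "<Ellison@oracle.com>", "mail.microsoft.com"))
    # Forged local part at a permitted IP: still passes (point 3).
    print(spf_result("203.0.113.7", "<AnyThingWillDo@aol.com>", "x.aol.com"))
    # Null sender: only the HELO name is checked (point 4).
    print(spf_result("198.51.100.99", "<>", "oracle.com"))
    print(spf_result("198.51.100.99", "<>", "localhost.localdomain"))
```

Run stand-alone it prints pass, fail, pass, fail, none: the forwarder case fails because the forwarder's IP is evaluated against oracle.com's record, the forged local part is never examined, and a bounce with a forged HELO is judged on that HELO alone (and gets "none", i.e. no verdict at all, when the HELO name publishes nothing).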