[DShield] SPF is fundamentally flawed

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Wed Feb 18 14:53:24 GMT 2004


Brian,

Thanks for your response!

On Tue, 17 Feb 2004 12:08:57 -0800 Brian Dessent wrote:
> Erik van Straten wrote:
> 
> > (3) The only thing SPF verifies is the *domain* part of the Return-Path:
> > the user/account name is completely ignored, and can still be spoofed.
> > 
> > This means that, even with SPF enabled, spam and viruses can still be
> > sent as follows:
> > ---------------------------------------------------------------
> > Return-Path: <AnyThingWillDo at aol.com>
> 
> Why do you say that?  Unless the spammer is injecting the mail from a
> machine in AOL's datacenter, then your system will look up the TXT
> record for aol.com in the above scenario and see that this machine is
> not allowed to send for AOL and deny with a 5xx.

As shown below, some AOL addresses are apparently permitted to BYPASS
AOL's SMTP proxies. Regardless, like any major ISP, AOL has *customers*
whose PCs are compromised. They *do* send spam (and probably viruses)
to anyone in the world. AOL's proxy may block some of them, but
definitely not all (my MTA is receiving their junk-bounces because my
site is being Joe-jobbed by spammers). My guess is that AOL is hardly
doing any egress spam filtering, if at all (for obvious reasons).

What I was trying to say: if a spammer (or virus) hijacks *any* AOL
customer PC, they can transmit their junk as follows:

  HELO whatever
  MAIL FROM: <NobodyCares at aol.com>
  From: "Captain James T. Kirk" <J.T.Kirk at enterprise.2345.nasa.gov>
  To: "Brian Dessent" <brian at dessent.net>

SPF will *not* prevent this because Sender <NobodyCares at aol.com> is
Permitted From any AOL customer IP address.

> Now, the spammer could pick a domain that -doesn't- publish SPF records
> for the envelope-from, and the mail would get through, yes.

Also correct. However, AOL's proxy could block those. Regardless, even
if every imaginable site sets up SPF DNS records, spam and virus-emails
can still originate from those domains. All spammers and viruses have
to do is make sure that the domain in the envelope MAIL FROM is the
same as from the PC's hostname.

Please find two examples of probably compromised AOL PCs below (two
different cases, eventually bounces were sent to my site). Note that SPF
*could* have blocked these emails if I had set up SPF records for
my domain (provided that seanet.com and address.com would query them).
However, the second example shows that AOL -erroneously- "bounces" a
spam to my site because it was not accepted by address.com (which could
have very well been because of SPF records) ==> AOL's setup is flawed.

Note that it is VERY unfortunate for *me* that SPF has so many major
drawbacks. In particular those sites that are being Joe-jobbed (like my
site) would benefit from setting up SPF DNS records: I would be getting
fewer bounces (December 2003: 160000 - provided that spam-recipient-MTAs
would query SPF records and reject if Sender is not Permitted From).

I wish it would work.

Regards,
Erik van Straten


========================= example message #1 ==========================

Details:
- 172.181.149.106 is either compromised or the owner is a spammer
- for some reason it is permitted to bypass AOL's proxies
- listed: http://www.spamcop.net/w3m?action=checkblock&ip=172.181.149.106
- spam *claims* to originate from: <alycestokesss at cpo.tn.tudelft.nl>
- directly sends spam to: ledok.seanet.com (nslookup: 199.181.164.67)
- intended spam-recipient: <kcbacon at seanet.com> does not exist
- cmail.seanet.com "returns" spam to <alycestokesss at cpo.tn.tudelft.nl>
- cpo.tn.tudelft.nl: user "alycestokesss" is unknown
- cpo.tn.tudelft.nl appends this shit as evidence to a file
- I just extracted it

-----------------------------
Return-Path: <>
Received: from mailhost3.tudelft.nl (mailhost3.tudelft.nl [130.161.180.14])
        by cpo.tn.tudelft.nl (Postfix) with ESMTP id B75EA97B48
        for <alycestokesss at cpo.tn.tudelft.nl>; Wed, 18 Feb 2004 14:01:57 +0100 (CET)
Received: from 127.0.0.1 (localhost [127.0.0.1])
        by rav.antivirus (Postfix) with SMTP id B8E52113A
        for <alycestokesss at cpo.tn.tudelft.nl>; Wed, 18 Feb 2004 14:01:57 +0100 (MET)
Received: from cmail.seanet.com (cmail.seanet.com [199.181.164.17])
        by mailhost3.tudelft.nl (Postfix) with ESMTP id 21716FF3
        for <alycestokesss at cpo.tn.tudelft.nl>; Wed, 18 Feb 2004 14:01:57 +0100 (MET)
Received: from localhost (localhost)
        by ledok.seanet.com (8.12.10/8.12.10) id i1ID1kmg004129;
        Wed, 18 Feb 2004 05:01:46 -0800 (PST)
Date: Wed, 18 Feb 2004 05:01:46 -0800 (PST)
From: Mail Delivery Subsystem <MAILER-DAEMON at ledok.seanet.com>
Message-Id: <200402181301.i1ID1kmg004129 at ledok.seanet.com>
To: <alycestokesss at cpo.tn.tudelft.nl>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="i1ID1kmg004129.1077109306/ledok.seanet.com"
Subject: Returned mail: see transcript for details
Auto-Submitted: auto-generated (failure)
Content-Transfer-Encoding: 7bit

This is a MIME-encapsulated message

--i1ID1kmg004129.1077109306/ledok.seanet.com

The original message was received at Wed, 18 Feb 2004 05:01:41 -0800 (PST)
from ACB5956A.ipt.aol.com [172.181.149.106]

   ----- The following addresses had permanent fatal errors -----
<kcbacon at seanet.com>
    (reason: 550 5.1.1 <kcbacon at seanet.com> is not a valid mailbox. 550 5.1.1 <kcbacon at seanet.com>... User unknown)

   ----- Transcript of session follows -----
... while talking to ingoio.seanet.com.:
>>> RCPT To:<kcbacon at seanet.com>
<<< 550 5.1.1 <kcbacon at seanet.com> is not a valid mailbox. 550 5.1.1 <kcbacon at seanet.com>... User unknown
550 5.1.1 <kcbacon at seanet.com>... User unknown

--i1ID1kmg004129.1077109306/ledok.seanet.com
Content-Type: message/delivery-status

Reporting-MTA: dns; ledok.seanet.com
Received-From-MTA: DNS; ACB5956A.ipt.aol.com
Arrival-Date: Wed, 18 Feb 2004 05:01:41 -0800 (PST)

Final-Recipient: RFC822; kcbacon at seanet.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; ingoio.seanet.com
Diagnostic-Code: SMTP; 550 5.1.1 <kcbacon at seanet.com> is not a valid mailbox. 550 5.1.1 <kcbacon at seanet.com>... User unknown
Last-Attempt-Date: Wed, 18 Feb 2004 05:01:46 -0800 (PST)

--i1ID1kmg004129.1077109306/ledok.seanet.com
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit

Return-Path: <alycestokesss at cpo.tn.tudelft.nl>
Received: from e.okayama-u.ac.jp (ACB5956A.ipt.aol.com [172.181.149.106])
        by ledok.seanet.com (8.12.10/8.12.10) with SMTP id i1ID1Zmg003999
        for <kcbacon at seanet.com>; Wed, 18 Feb 2004 05:01:41 -0800 (PST)
Message-ID: <1bdc01c3f5df$e9aa2205$7bc2e9d8 at e.okayama-u.ac.jp>
From: "Alyce Stokes" <alycestokesss at cpo.tn.tudelft.nl>
To: kcbacon at seanet.com
Subject: cheap víagra
Date: Wed, 18 Feb 2004 09:21:59 +0400
MIME-Version: 1.0
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

[Spam-body removed by Erik van Straten]

--i1ID1kmg004129.1077109306/ledok.seanet.com--


========================= example message #2 ==========================

Details:
- 172.182.230.86 is either compromised or the owner is a spammer
- for some reason it is permitted to bypass AOL's proxies
- nearly listed: http://www.spamcop.net/w3m?action=checkblock&ip=172.182.230.86
- spam *claims* to originate from: <jeadt at cpo.tn.tudelft.nl>
- intended spam-recipient: <captainlyle at address.com>
- is apparently redirected via AOL's proxy
- rly-ip05.mx.aol.com has been trying FOUR DAYS to deliver to spam01.address.com
- after FOUR DAYS rly-ip05.mx.aol.com concludes that it cannot deliver
- rly-ip05.mx.aol.com generates DSN and sends it to <jeadt at cpo.tn.tudelft.nl>
- cpo.tn.tudelft.nl: user "jeadt" is unknown
- cpo.tn.tudelft.nl appends this shit as evidence to a file
- I just extracted it
-----------------------------

Return-Path: <>
Received: from mailhost3.tudelft.nl (mailhost3.tudelft.nl [130.161.180.14])
        by cpo.tn.tudelft.nl (Postfix) with ESMTP id 188E497B48
        for <jeadt at cpo.tn.tudelft.nl>; Wed, 18 Feb 2004 13:44:00 +0100 (CET)
Received: from 127.0.0.1 (localhost [127.0.0.1])
        by rav.antivirus (Postfix) with SMTP id 11E0A1198
        for <jeadt at cpo.tn.tudelft.nl>; Wed, 18 Feb 2004 13:44:00 +0100 (MET)
Received: from rly-ip05.mx.aol.com (rly-ip05.mx.aol.com [64.12.138.9])
        by mailhost3.tudelft.nl (Postfix) with ESMTP id 95D281191
        for <jeadt at cpo.tn.tudelft.nl>; Wed, 18 Feb 2004 13:43:59 +0100 (MET)
Received: from localhost (localhost)
          by rly-ip05.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0)
          with internal id HAO06208;
          Wed, 18 Feb 2004 07:40:14 -0500 (EST)
Date: Wed, 18 Feb 2004 07:40:14 -0500 (EST)
From: Mail Delivery Subsystem <MAILER-DAEMON at aol.com>
Message-Id: <200402181240.HAO06208 at rly-ip05.mx.aol.com>
To: <jeadt at dutndo7.tn.tudelft.nl>
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="HAO06208.1077108014/rly-ip05.mx.aol.com"
Subject: Returned mail: Cannot send message within 2 hours
Auto-Submitted: auto-generated (failure)

This is a MIME-encapsulated message

--HAO06208.1077108014/rly-ip05.mx.aol.com

The original message was received at Wed, 18 Feb 2004 05:01:59 -0500 (EST)
from smtp-frr06.proxy.aol.com [195.93.93.86]


*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its
delivery.  The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".

The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".

The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered.  The next line contains a second error message which is a
general translation for other e-mail servers.

Please direct further questions regarding this message to your e-mail
administrator.

--AOL Postmaster



   ----- The following addresses had permanent fatal errors -----
<captainlyle at address.com>

   ----- Transcript of session follows -----
<captainlyle at address.com>... Deferred: Connection timed out with spam01.address.com.
Message could not be delivered for 2 hours
Message will be deleted from queue

--HAO06208.1077108014/rly-ip05.mx.aol.com
Content-Type: message/delivery-status

Reporting-MTA: dns; rly-ip05.mx.aol.com
Arrival-Date: Wed, 18 Feb 2004 05:01:59 -0500 (EST)

Final-Recipient: RFC822; captainlyle at address.com
Action: failed
Status: 4.4.7
Remote-MTA: DNS; spam01.address.com
Last-Attempt-Date: Wed, 18 Feb 2004 07:40:14 -0500 (EST)

--HAO06208.1077108014/rly-ip05.mx.aol.com
Content-Type: message/rfc822

Received: from  smtp-frr06.proxy.aol.com (smtp-frr06.proxy.aol.com [195.93.93.86]) by rly-ip05.mx.aol.com (v95.1) with ESMTP id RELAYIN2-340333816165; Wed, 18 Feb 2004 05:01:58 -0500
Received: from dutndo7.tn.tudelft.nl (ACB6E656.ipt.aol.com [172.182.230.86])
        by smtp-frr06.proxy.aol.com (8.12.10/8.12.10) with SMTP id i1EGVJ8E023116
        for <captainlyle at address.com>; Sat, 14 Feb 2004 16:31:20 GMT
From: Jae <jeadt at cpo.tn.tudelft.nl>
To: <captainlyle at address.com>
Reply-To: <jeadt at cpo.tn.tudelft.nl>
Subject: patch now available!4UV LsIbDd WVizD
Date: Sat, 14 Feb 2004 11:54:05 -0500
Message-ID: <d4a601c3f31b$5f5c4bfd$4ffe1e4e at szvDlOgB>
In-Reply-To: <3167cdcb29fd$8c17bf89$361d633b at N2Y78c>
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4024
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Importance: Normal
X-Accept-Language: en-us, en
X-Authentication-Warning: address.com: majordom set sender to passat-Owner using -f
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Apparently-From: Blitz007513 at aol.com
X-AOL-IP: 195.93.93.86

[Spam-body removed by Erik van Straten]

--HAO06208.1077108014/rly-ip05.mx.aol.com--

======================= end of examples ========================
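The check discussed in the message above, as an added illustration that is not part of the original post and not a real SPF implementation: a stripped-down SPF evaluator over constructed policy data (ip4 ranges only; the real aol.com and tudelft.nl records are not consulted). It shows why a hijacked customer PC passes with any local part, and why a record for the Joe-jobbed domain would let a receiver reject the forged Return-Path instead of bouncing it. The CIDR ranges and the SPF_RECORDS table are assumptions constructed for the example.

```python
import ipaddress

# Constructed SPF-style policies (NOT the published records of these
# domains): domain -> ip4 ranges permitted to send mail for that domain.
SPF_RECORDS = {
    "aol.com": ["172.128.0.0/10", "64.12.0.0/16"],  # assumed customer + relay space
    "cpo.tn.tudelft.nl": ["130.161.180.0/24"],      # assumed, the Joe-jobbed site
}


def spf_check(client_ip, mail_from):
    """Simplified SPF evaluation: returns 'pass', 'fail' or 'none'.

    Only the domain after '@' in the envelope MAIL FROM is consulted; the
    local part is discarded, which is the point made in the thread.
    """
    local_part, _, domain = mail_from.rpartition("@")
    # local_part is never looked at: "NobodyCares" and a real user are equal
    ranges = SPF_RECORDS.get(domain.lower())
    if ranges is None:
        return "none"          # domain publishes nothing, so no verdict
    ip = ipaddress.ip_address(client_ip)
    for cidr in ranges:
        if ip in ipaddress.ip_network(cidr):
            return "pass"      # connecting host is permitted for that domain
    return "fail"


def thread_scenarios():
    """Evaluate the three situations described in the message."""
    aol_customer = "172.181.149.106"   # ACB5956A.ipt.aol.com from example #1
    return {
        # hijacked AOL PC, forged local part: SPF passes
        "hijacked_aol_pc": spf_check(aol_customer, "NobodyCares@aol.com"),
        # same PC forging the Joe-jobbed domain: a receiver that queried the
        # (assumed) record would reject at RCPT time instead of bouncing later
        "joe_job": spf_check(aol_customer, "alycestokesss@cpo.tn.tudelft.nl"),
        # domain without any record: nothing to evaluate
        "no_record": spf_check(aol_customer, "anyone@example.net"),
    }


if __name__ == "__main__":
    for name, verdict in thread_scenarios().items():
        print(f"{name}: {verdict}")
```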