[DShield] SPF is fundamentally flawed

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Thu Feb 19 00:04:21 GMT 2004


John,

On Wed, 18 Feb 2004 09:02:00 -0800 John Hardin wrote:
> aol.com.                300     IN      TXT     "v=spf1
> ip4:152.163.225.0/24 ip4:205.188.139.0/24 ip4:205.188.144.0/24
> ip4:205.188.156.0/24 ip4:205.188.157.0/24 ip4:205.188.159.0/24
> ip4:64.12.136.0/24 ip4:64.12.137.0/24 ip4:64.12.138.0/24 ptr:mx.aol.com
> ?all"
> 
> Yikes. Do they *really* have nine class-C blocks devoted to outbound
> email? I did a few reverse lookups in those blocks and didn't see any
> names suggestive of client IPs...

You're correct, my mistake! I erroneously assumed that SPF would include
all of their customer IPs, and I see no 172.x IPs in AOL's SPF records.

However, the second example in my former post in this thread points out
that all SMTP traffic sent by "forcibly proxied" AOL customer IPs does
include spam. *SPF* will not block those spams if the AOL PC says:
	MAIL FROM: <irrelevant at aol.com>
or perhaps:
	MAIL FROM: <AnyExistingAOLCustomer at aol.com>
to proxy.aol.com, and proxy says the same to the final recipient MTA.

To illustrate that the event in my former post was not an incident I'll
append recent header lines generated by AOL's proxy at the end of this
message.

Furthermore, if AOL permits some of their customer IPs to bypass the
AOL egress SMTP proxy, then why don't they set up SPF records for those
IPs? Or does AOL assume (and permit) that those customers do *not* use
AOL email addresses (at least in the return-path)?

Info from the last "proxy.aol.com bypass" spam-bounce I have on file:

| Received: from argovision.de (ACB1E0CC.ipt.aol.com [172.177.224.204])
| 	by mx02.cei.net (8.12.9/8.12.9) with ESMTP id i1INGEVK009960
| 	for <dbridges at cei.net>; Wed, 18 Feb 2004 17:16:27 -0600
| From: "Quinton K. Dudley" <quinton_dudley_hk at cpo.tn.tudelft.nl>
| Message-ID: <241c01c3f666$0b736072$d1975228 at shockqcpm>
| Date: Wed, 18 Feb 2004 21:30:28 +0000
| Subject: You and I know you're short...

Sorry for my mistake (regarding AOL 172.x not being listed in SPF).
Note that I don't see how this would affect my claim that SPF is flawed.

Regards,
Erik van Straten
Delft University of Technology


Last week's spamming AOL customer PCs via *.proxy.aol.com that were
spoofing non-existent email addresses on my MTA (which is why I have
them on file), and that could not be delivered for whatever reason (so
this is likely a *fraction* of spam sent via AOL's proxy). SPF might
have blocked these if I had set up SPF records for my site.
However, these WOULD have been sent if the spammers had used
  MAIL FROM: <regardless at aol.com>
(in that case I wouldn't have received the bounces, but *SPF* would
not have prevented any -existing- spam recipient from receiving spam).

In chronological order of receipt by my MTA (full messages on request):
---------------------------------------------------------------------------
Received: from dutndo7.tn.tudelft.nl (ACB7C21F.ipt.aol.com [172.183.194.31])
	by smtp-frr06.proxy.aol.com (8.12.10/8.12.10) with SMTP id i1FIeLZE021933
	for <invbxonlysia at raisingadaughter.com>; Sun, 15 Feb 2004 18:40:22 GMT

Received: from the-amazing-labs.de (ACB19099.ipt.aol.com [172.177.144.153])
	by smtp-frr01.proxy.aol.com (8.12.10/8.12.10) with ESMTP id i1FJwa33005846
	for <hectortavares at starmedia.com>; Sun, 15 Feb 2004 19:58:39 GMT

Received: from germanartists.de (ACC79895.ipt.aol.com [172.199.152.149])
	by logs-ntc-tg.proxy.aol.com (8.12.10/8.12.10) with ESMTP id i1FKtufv023390
	for <j.vdboss at yucom.be>; Sun, 15 Feb 2004 20:56:01 GMT

Received: from as.airnet.ne.jp (ACB19099.ipt.aol.com [172.177.144.153])
	by smtp-frr02.proxy.aol.com (8.12.10/8.12.10) with ESMTP id i1FN7laC006325
	for <rugasira at engineer.com>; Sun, 15 Feb 2004 23:07:49 GMT

Received: from microbase.de (ACB19099.ipt.aol.com [172.177.144.153])
	by smtp-frr02.proxy.aol.com (8.12.10/8.12.10) with ESMTP id i1FJ96aF025284
	for <duguqiubai430 at sohu.com>; Sun, 15 Feb 2004 19:09:15 GMT

Received: from osakk.fi (ACB19099.ipt.aol.com [172.177.144.153])
	by smtp-frr02.proxy.aol.com (8.12.10/8.12.10) with ESMTP id i1G1AgaB014913
	for <deboisbn at notes.udayton.edu>; Mon, 16 Feb 2004 01:10:43 GMT

Received: from orion-online.com.au (ACD3724A.ipt.aol.com [172.211.114.74])
	by smtp-dtc02.proxy.aol.com (8.12.10/8.12.10) with SMTP id i1F9deZT010745
	for <afonsocsf at bol.com.br>; Sun, 15 Feb 2004 09:40:06 GMT

Received: from p3.f2.n5025.z2.gate.phantom.msk.su (ACB1A36A.ipt.aol.com [172.177.163.106])
	by smtp-frr02.proxy.aol.com (8.12.10/8.12.10) with ESMTP id i1I25raD013769
	for <afickessen at pdq.net>; Wed, 18 Feb 2004 02:06:00 GMT

Received: from micl.co.uk (ACB845F8.ipt.aol.com [172.184.69.248])
	by smtp-frr07.proxy.aol.com (8.12.10/8.12.10) with ESMTP id i1I2WQMZ017556
	for <bigal at gis.net>; Wed, 18 Feb 2004 02:32:33 GMT

Received: from dutndo7.tn.tudelft.nl (ACB6E656.ipt.aol.com [172.182.230.86])
	by smtp-frr06.proxy.aol.com (8.12.10/8.12.10) with SMTP id i1EGVJ8E023116
	for <captainlyle at address.com>; Sat, 14 Feb 2004 16:31:20 GMT

Received: from skandia.com.mx (ACB8D6B5.ipt.aol.com [172.184.214.181])
	by smtp-frr06.proxy.aol.com (8.12.10/8.12.10) with ESMTP id i1IJSZhB026014
	for <charley at quixnet.net>; Wed, 18 Feb 2004 19:28:38 GMT
---------------------------------------------------------------------------
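Added example (not part of the original post): an offline evaluator for the ip4/all terms of the aol.com record quoted above, applied to the first appended Received: header. It assumes a constructed placeholder egress address for the proxy (205.188.139.10, inside one of the listed blocks) and skips the ptr mechanism, which would need live DNS; the point it shows is that SPF judges only the last hop's IP, so mail relayed by an authorized proxy passes whatever the originating client was.

```python
import ipaddress
import re

# The aol.com SPF record as quoted in the thread, joined onto one line.
AOL_SPF = ("v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 "
           "ip4:205.188.144.0/24 ip4:205.188.156.0/24 ip4:205.188.157.0/24 "
           "ip4:205.188.159.0/24 ip4:64.12.136.0/24 ip4:64.12.137.0/24 "
           "ip4:64.12.138.0/24 ptr:mx.aol.com ?all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, client_ip):
    """Evaluate the ip4 and all terms of an SPF record against the IP that
    connected to the recipient MTA. SPF only ever sees this last hop."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
        # ptr:, a:, mx: etc. need live DNS; this offline check skips them.
    return "neutral"


# from <helo> (<rdns> [<ip>]) by <relay> ... as Sendmail writes it
RECEIVED_RE = re.compile(r"from\s+\S+\s+\(\S+\s+\[([\d.]+)\]\)\s+by\s+(\S+)")


def received_hop(header):
    """Return (originating_ip, relaying_host) from one Received: header."""
    m = RECEIVED_RE.search(header)
    return (m.group(1), m.group(2)) if m else None


# First appended header from the post: an AOL client handed to AOL's egress proxy.
HOP = ("Received: from dutndo7.tn.tudelft.nl (ACB7C21F.ipt.aol.com [172.183.194.31]) "
       "by smtp-frr06.proxy.aol.com (8.12.10/8.12.10) with SMTP id i1FIeLZE021933")
# Constructed placeholder: assume the proxy's outbound address sits in a listed block.
PROXY_EGRESS_IP = "205.188.139.10"

if __name__ == "__main__":
    client_ip, relay = received_hop(HOP)
    print(client_ip, spf_check(AOL_SPF, client_ip))    # neutral: the client is not listed
    print(relay, spf_check(AOL_SPF, PROXY_EGRESS_IP))  # pass: recipient MTA sees only the proxy
```

The recipient MTA never sees the 172.x client at all; only AOL's proxy could have refused the spoofed MAIL FROM, which is the gap the post describes.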