[DShield] SPF is fundamentally flawed

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Thu Feb 19 23:25:16 GMT 2004


On Thu, 19 Feb 2004 08:55:58 -0500 Bruce Lilly wrote:
> SPF may indeed be flawed, but your complaint seems to boil down to the
> fact that you are receiving non-delivery notices for messages sent to
> non-existent addresses, giving a forged sender address. That is due to
> poor design of some MTAs, and/or use of intermediate SMTP relays, which
> has nothing to do with SPF. 

I was bringing this up because SPF is best at stopping Joe-jobbed
sites from receiving those bounces. I do agree that "Best Current
Practice" of MTAs should be to reject mail (right after RCPT TO) that
they cannot deliver.

However, bouncing (I mean sending delivery status notifications) is
in conformance with all RFCs, and MOST huge sites do it this way: AOL,
Yahoo, Postini, Messagelabs etc. - currently they see more advantages
in accepting mail for <anyuser at theirdomain.tld> and bouncing later.

> Nor is it a problem that SPF purports to address.

http://spf.pobox.com : "SPF was originally designed to prevent joe-jobs."

[Skipping your explanation of the email transactions, I mostly agree]

> The latter then wrongly sent the non-delivery notice to the (forged)
> address in the message "From" header field.  This once more has nothing
> to do with SPF; it is simply misconfiguration of AOL's MTAs.

AOL's MTAs are RFC-compliant. However AOL has introduced SPF records
(which is why I used them as an example) probably because spammers often
use MAIL FROM: <someone at aol.com> from *any* backdoored PC in the world.
This causes AOL to get many bounces for spams that cannot be delivered,
while it did not originate from AOL PCs.

> AOL has recorded the originator id and IP address, so you can forward
> a complaint about the original to abuse at aol.com.

My last messages to this list had CCs to that address; I've not received
any replies. And I really don't expect them. These are issues with paying
customers who do not understand if AOL abuse tells them their PCs have
been hacked. If AOL disconnects them, they may move on to another ISP.

> It's also quite a bit of a stretch to consider either this issue or SPF
> to be a security issue, so it's not at all clear why this was posted to
> the Dshield list in the first place (vs. e.g. the ASRG list).

From the first post in this thread (note, incidents.org = dshield.org):
> http://isc.incidents.org/diary.html?date=2004-02-16
> > SPF is an attention getting and growing effort to fight "email address
> > forgery and makes it easier to identify spams, worms, and viruses".

The examples I've provided were there to show that we're dealing with a
big problem. IMO we should pay attention to spam and virus originators,
e.g. huge networks of compromised DSL and dialup PCs, and not waste time
on "solutions" (that will not work) like SPF.

Erik van Straten
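As an added illustration of the MAIL FROM check the thread argues about (example code written for this page, not from the original post or any real SPF implementation), the following Python evaluates an SPF record the way a receiving MTA would during the SMTP envelope and shows why a reject at MAIL FROM means no bounce ever reaches the forged domain; the domain "example.net", its record and all IP addresses are constructed, not the real records of AOL or anyone else.

```python
import ipaddress

# Constructed SPF record for a hypothetical domain (assumption: not any real domain's record).
CONSTRUCTED_RECORDS = {
    "example.net": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate an SPF v1 record against the connecting client's IP.

    Only the ip4/ip6 and 'all' mechanisms are handled (no include/a/mx/redirect,
    which need DNS); that is enough to show the envelope-time decision."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    for term in terms[1:]:
        qual = "+"                         # mechanisms default to '+' (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]        # 'all' matches everything left over
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed address or prefix
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        else:
            return "permerror"             # mechanism this toy evaluator does not support
    return "neutral"                       # fell off the end without an 'all'


def mail_from_decision(mail_from, client_ip, records=CONSTRUCTED_RECORDS):
    """What a receiving MTA does at MAIL FROM when it checks SPF.

    A 'reject-550' goes back to the connecting client (e.g. a compromised PC),
    so the domain in the forged MAIL FROM never receives a bounce for it."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None:
        return "accept"                    # no SPF record published: nothing to check
    if evaluate_spf(record, client_ip) == "fail":
        return "reject-550"
    return "accept"
```

A receiver that instead accepts at RCPT TO and bounces later is the case the post describes: the rejection is turned into a DSN addressed to the forged domain.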