Security Basics mailing list archives
Re: Sender Spoofing via SMTP
From: Tomasz Nidecki <tonid () hakin9 org>
Date: Mon, 7 Nov 2005 09:34:41 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: MD5 Friday, November 4, 2005, 5:28:49 PM, Barrie wrote:
On Thu, 2005-11-03 at 15:56 +0000, brandon.steili () gmail com wrote:I know this is a common issue that does not seem to be well addressed,
The issue is well addressed, we all know it's there we all know how it can be fixed and we all know it sucks. You can't rip out SMTP in one go so you have to work around it, which is where things like SPF, digital signing etc.. come in.
Duh... Don't tell me about SPF. What's worst, Microsoft's Sender ID project is being supported more and more often, more and more mailservers are setting up SPF protection. I wonder when people will realize SPF IS BAD AND SHOULD NOT BE USED! 1. The only thing it really protects against is that spammers will not use your domain for sending mail to protected mailservers. So this is not protection against RECEIVING SPAM, but a protection against JOE JOBS AND SUCH. It is also very limited in protecting sender spoofing, because it just disallows spoofing of selected domains on selected servers and I don't believe it will ever be accepted and used globally. 2. If a spammer wants to send spam to an SPF protected server, it's as easy as selecting a domain that: 2.1. either does not have an SPF record at all [most mailservers do not use the strict policy of denying mail from servers that have no SPF records, because if they did, they'd filter out 90% of the Internet...], 2.2. or has an SPF record allowing everyone to send mail from this given domain [which forwarding domains must do, because SPF breaks forwarding] 2.3. or is especially set up by the spammers with such a record [duh, nowadays it's so easy to buy a domain somewhere for five bucks and set it up with an SPF record...] Therefore, SPF does NOT protect agains receiving spam. It's too easy to subvert by the spammers. 3. SPF breaks the idea of mail forwarding completely. Every provider who offers mail forwarding is helpless, when the receiving end is SPF-protected, or mail has to be forwarded with a modified envelope sender address [or even the From: header, if the SPF protection checks that too]. So PLEASE DO NOT USE SPF. Feel free to publish your own records, just for the sake of all those servers that still use it, but don't protect your mailserver using it. - -- Tomasz Nidecki, Sekr. Redakcji / Managing Editor hakin9 magazine http://www.hakin9.org mailto:tonid () hakin9 org jid:tonid () tonid net Do you know what "hacker" means? http://www.catb.org/~esr/faqs/hacker-howto.html Czy wiesz, co znaczy slowo "haker"? http://www.jtz.org.pl/Inne/hacker-howto-pl.html -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUAQ28Ro0R7PdagQ735AQHuxQQArz8zucpZ/rdI2xETgITDnID3Lu3pl7QQ oHl1qjh+I2RAaUHnos0XKn3I/oSipe6bWj3F/LLKUZifb4y4eoHVQFk0ElEDOJvM shuasz8BdiDplF699bJA/asIdxvRBIfPubM6F9qtWhrZbKO0/7XCQPBywBOBVDsA DQGlTC1xoX8= =ug63 -----END PGP SIGNATURE-----
Current thread:
- RE: Sender Spoofing via SMTP, (continued)
- RE: Sender Spoofing via SMTP Andrew Chong (Nov 04)
- Re: Sender Spoofing via SMTP Thierry Zoller (Nov 07)
- Re: Sender Spoofing via SMTP Ansgar -59cobalt- Wiechers (Nov 07)
- Re: Sender Spoofing via SMTP dallas jordan (Nov 04)
- Re: Sender Spoofing via SMTP FocusHacks (Nov 04)
- RE: Sender Spoofing via SMTP Muhammad Naseer Bhatti (Nov 04)
- Re: Sender Spoofing via SMTP Gaddis, Jeremy L. (Nov 04)
- Re: Sender Spoofing via SMTP Florian Streck (Nov 04)
- Re: Sender Spoofing via SMTP Barrie Dempster (Nov 04)
- Re: Sender Spoofing via SMTP Yousef Syed (Nov 07)
- Re: Sender Spoofing via SMTP Tomasz Nidecki (Nov 07)
- Re: Sender Spoofing via SMTP Tomasz Nidecki (Nov 07)
- Re: Sender Spoofing via SMTP jlopez2k5 (Nov 04)
- Re: Sender Spoofing via SMTP jalbuquerque (Nov 04)
- RE: Sender Spoofing via SMTP Tim Ballingall (Nov 04)
- RE: Sender Spoofing via SMTP Craig Wright (Nov 04)
- Re: Sender Spoofing via SMTP brandon . steili (Nov 04)
- Re: Sender Spoofing via SMTP Pranav Lal (Nov 07)
- Re: Sender Spoofing via SMTP Ansgar -59cobalt- Wiechers (Nov 07)
- Re: Sender Spoofing via SMTP Pranav Lal (Nov 09)
- Re: Sender Spoofing via SMTP Chris Moody (Nov 10)
- Re: Sender Spoofing via SMTP Pranav Lal (Nov 07)
- RE: Sender Spoofing via SMTP Andrew Chong (Nov 04)