[LINK] Question re spoofing with bad reply address

Kim Holburn kim at holburn.net
Fri Jul 11 21:39:40 AEST 2014


I run a mail gateway.  It is a pain these days.  Many people find it easier to outsource email to experts.  You have to constantly keep up with the latest things spammers are doing.  I use a bunch of techniques but you can't bounce emails.  Rarely have I had issues with SPF, only when someone has misconfigured it or misconfigured their DNS.

Spammers constantly scan for mail servers with vulnerabilities.  In this case they found one that bounced emails so they could Joe Job it (http://en.wikipedia.org/wiki/Joe_job).  Fairly quickly it will run afoul of DBLs or ISPs and people will stop talking to it and/or the owner will fix it or take it down or have it taken down.  I haven't seen Joe Jobs for a while.  Most people don't allow it these days.

On 2014/Jul/11, at 11:59 AM, Jeremy Visser wrote:

> Hi Stephen,
> 
> On 09/07/14 17:35, Stephen Rothwell wrote:
>> SPF is broken by design (consider forwarding - including mailing 
>> lists).
> 
> That’s because you’re forwarding incorrectly.  SPF validation is done based on the envelope, not the To/From headers, and all good mailing list software will fix this for you.  For example, your e-mail from the list to me contained these pertinent headers:
> 
>  From: Stephen Rothwell <sfr at rothwell.id.au>
>  To: Hamish Moffatt <hamish at cloud.net.au>
>  Sender: link-bounces at mailman.anu.edu.au
>  Return-Path: <link-bounces at mailman.anu.edu.au>
> 
> And the SMTP exchange would (presumably) have begun with "MAIL FROM:<link-bounces at mailman.anu.edu.au>".  Therefore, the SPF validation is done against whether the sender can send from mailman.anu.edu.au, not rothwell.id.au.
> 
> A different situation I commonly encounter where forwarding happens but the envelope doesn’t change is if you deploy a spam filtering box (e.g. Postfix + Amavisd) in front of another box (e.g. MS Exchange).  If you don’t tell the downstream box (in this case, the MS Exchange box) to fully trust the upstream box, then it may erroneously perform SPF validation (MS calls it Sender ID validation, but same diff) on incoming messages (which will obviously fail).  I don’t see this as an SPF failure — rather, it’s a misconfiguration that stems from not thinking about the mail flow properly.
> 
> Jeremy.
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link

-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request 
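The two points made in this thread, that SPF is evaluated against the envelope sender (MAIL FROM, recorded by the receiver as Return-Path) rather than the From: header, and that a gateway which accepts mail and bounces it later can be Joe-Jobbed, can be shown with a small script. This is an added example, not code from either poster or from any list software. The SPF "records" here are a constructed in-memory table standing in for the DNS TXT lookup, the IP addresses are assumed documentation-range values, and the two messages are constructed from the headers quoted above (with real `@` signs instead of the archive's "at" obfuscation).

```python
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Set

# Constructed stand-in for SPF DNS records: domain -> IPs it authorises
# to send with that domain in MAIL FROM. Addresses are assumed values.
TOY_SPF_RECORDS: Dict[str, Set[str]] = {
    "rothwell.id.au": {"203.0.113.10"},      # assumed: the author's own MTA
    "mailman.anu.edu.au": {"198.51.100.5"},  # assumed: the list server
}

# Constructed: the message as relayed by the list. From: still names the
# author, but Sender:/Return-Path: carry the list's bounce address.
LIST_MESSAGE = """\
Return-Path: <link-bounces@mailman.anu.edu.au>
Sender: link-bounces@mailman.anu.edu.au
From: Stephen Rothwell <sfr@rothwell.id.au>
To: Hamish Moffatt <hamish@cloud.net.au>
Subject: Re: spoofing

body
"""

# Constructed: the same author sending directly, envelope and header agree.
DIRECT_MESSAGE = """\
Return-Path: <sfr@rothwell.id.au>
From: Stephen Rothwell <sfr@rothwell.id.au>
To: Hamish Moffatt <hamish@cloud.net.au>
Subject: direct

body
"""


def domain_of(addr: str) -> str:
    """Extract the lower-cased domain from an RFC 5322 address field."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def envelope_sender_domain(raw: str) -> str:
    """SPF checks the MAIL FROM identity; the receiving MTA stores it in
    Return-Path, so a post-delivery checker reads it from there."""
    return domain_of(message_from_string(raw).get("Return-Path", ""))


def header_from_domain(raw: str) -> str:
    """The From: header is NOT what SPF is defined over."""
    return domain_of(message_from_string(raw).get("From", ""))


def spf_result(domain: str, client_ip: str) -> str:
    """Return 'pass', 'fail' or 'none' against the toy records."""
    allowed = TOY_SPF_RECORDS.get(domain)
    if allowed is None:
        return "none"
    return "pass" if client_ip in allowed else "fail"


def check_envelope(raw: str, client_ip: str) -> str:
    """Correct: validate the envelope sender's domain."""
    return spf_result(envelope_sender_domain(raw), client_ip)


def check_header_from_wrongly(raw: str, client_ip: str) -> str:
    """The misconfiguration: validating the From: header domain, which
    breaks on every list-relayed message."""
    return spf_result(header_from_domain(raw), client_ip)


def smtp_action(result: str) -> str:
    """Decide in the SMTP session. Rejecting with 5xx here means no bounce
    is ever generated to a possibly forged address, so there is no
    backscatter for a Joe Job to exploit."""
    return "550 5.7.1 SPF fail" if result == "fail" else "250 OK"


if __name__ == "__main__":
    print("list mail, envelope check:", check_envelope(LIST_MESSAGE, "198.51.100.5"))
    print("list mail, header check:  ", check_header_from_wrongly(LIST_MESSAGE, "198.51.100.5"))
    print("forged direct mail:       ", smtp_action(check_envelope(DIRECT_MESSAGE, "192.0.2.77")))
```

Run it and the list-relayed message passes when the envelope domain (mailman.anu.edu.au) is checked against the list server's IP, but fails when the From: domain (rothwell.id.au) is checked against that same IP, which is exactly the downstream-box problem described in the thread. A direct message arriving from an unauthorised IP is refused inside the SMTP dialogue rather than accepted and bounced.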