On Sun, Feb 21, 2010 at 10:59:08PM -0600, James Hess wrote:
> But if the origin domain has not provided SPF records, there are some unusual cases left open, where a bounce to a potentially fake address may still be required.
Third time: SPF plays no role in mitigating this. Nothing stops an attacker from using a throwaway domain to send traffic to known backscatterers, who will then backscatter it to $throwawaydomain, whose MX's are set to $victim's MX's. This is not a hypothetical, BTW, and there are a number of more interesting attack scenarios that I'll leave as an exercise for the reader. (Some of these have been discussed in detail on spam-l, and may be found in the archives.)

However, even if SPF is in play, a surprising (and perhaps disturbing) number of mail operations authenticate users but then do not require that the sender match the authenticated user. This permits the attacker to use joe@example.com to target sue@example.com with backscatter, if the user-part can be set independently. (Even if sue@example.com does not exist, it still permits targeting of example.com.) And if the domain-part can be set independently, then obviously third parties can be targeted. (Again, see the archives of spam-l where all of this has been analyzed and discussed in great depth.)

Yes, yes, yes, we can argue that some of this is bad mail system practice on the part of example.com, and we can argue that this is bad security practice on the part of joe, and both of these arguments have merit, but it's one of the first principles of abuse control that abuse should always be squelched where possible, never passed on, reflected or even worse, amplified. A little transient schadenfreude might feel good, but it's poor operational practice -- it's never appropriate to respond to abuse with abuse.

---Rsk
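The submission-time gap described above (authenticated users whose envelope sender is not tied to their login) is what lets a backscatter target be chosen via the user-part or the domain-part. Below is an added example of the check a mail submission server should apply before accepting MAIL FROM; it is not code from the original thread, and the login-to-address map is a constructed sample.

```python
"""Submission-time sender/login consistency check (added example)."""
from email.utils import parseaddr

# Constructed sample: the envelope senders each authenticated login may use.
SENDER_LOGIN_MAP = {
    "joe": {"joe@example.com", "joe.bloggs@example.com"},
    "sue": {"sue@example.com"},
}


def normalize(addr):
    """Return (localpart, lowercased domain), or None if the address is unparsable.
    The null sender '<>' also lands here, so by policy it is rejected on submission."""
    _, spec = parseaddr(addr)
    if "@" not in spec:
        return None
    local, _, domain = spec.rpartition("@")
    return local, domain.lower()


def check_submission(login, mail_from):
    """Return (accept, reason) for an authenticated submission.

    Rejecting a MAIL FROM the login does not own means any later bounce of this
    message can only go back to the authenticated user, never to a third party.
    """
    parsed = normalize(mail_from)
    if parsed is None:
        return False, "unparsable MAIL FROM"
    allowed = {normalize(a) for a in SENDER_LOGIN_MAP.get(login, ())}
    if parsed in allowed:
        return True, "sender owned by login"
    # Separate the two cases from the thread: user-part vs domain-part set independently.
    own_domains = {domain for _, domain in allowed}
    if parsed[1] in own_domains:
        return False, "user-part does not match authenticated user"
    return False, "domain-part does not belong to authenticated user"
```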