On Fri, 2006-10-27 at 14:11 +0200, Florian Weimer wrote:
* Douglas Otis:
Spam being sent through Bot farms has already set the stage for untraceable DNS attacks based upon SPF. In addition to taking out major interconnects, these attacks can:
a) inundate authoritative DNS;
b) request A records from anywhere;
c) probe IP address, port, and the transaction IDs of resolvers;
(b) and (c) are not new developments because lots of MTAs already perform A lookups on HELO arguments, and MX lookups on sender domains.
Each message's SPF script can prompt for web-site addresses while also inundating the web-site's DNS with other randomized requests. Network gains achieved by each script can reach 70:1, and when instances of execution (MTA/MUA, MAILFROM/PRA/DKIM, and recipient) are considered, gains per message may exceed 1000:1 while still permitting delivery and while not exposing who their victim was.
While not as bad as eavesdropping, it still places the network and the integrity of DNS at risk. All of this while the spam is still being delivered. What a productivity tool!
The purpose of SPF, as it is deployed, is to facilitate routing solicited bulk email around spam filters. Look at email.bn.com/IN/TXT to get the idea. This application requires some of the indirection features offered by SPF.
The risk is from an amplification achieved by SPF scripts while still hiding which messages are attacking. Bulk senders can use APL RRs (42) (see RFC 3123) to list the CIDRs of their SMTP clients without imposing these risks. Standardized prefixes such as _smtp-c0 and _smtp-c1 permit chaining signaled with a "continuation" address-family, as an example. Executing powerful SPF scripts from strangers is a heavily promoted bad idea that truly needs to be discouraged.

-Doug
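Added example, not part of the original message or of any project's code: a receiver-side check of a client address against the text form of an APL RRset (RFC 3123, `[!]afi:address/prefix`), showing that the check is a fixed amount of local work with no further lookups driven by the record. The sample record, the function names and the rule that a negated match overrides any positive match are assumptions; RFC 3123 leaves negation semantics to the application, and the `_smtp-c0` chaining proposed above is not implemented.

```python
import ipaddress

# RFC 3123 address family identifiers mapped to IP version: 1 = IPv4, 2 = IPv6.
AFI_TO_VERSION = {1: 4, 2: 6}

# Constructed sample rdata (documentation address ranges), not a real sender's record.
SAMPLE_APL = "1:192.0.2.0/24 !1:192.0.2.64/28 2:2001:db8::/32"


def parse_apl(rdata):
    """Parse APL presentation format into (negated, network) tuples."""
    items = []
    for token in rdata.split():
        negated = token.startswith("!")
        body = token[1:] if negated else token
        # Split on the first colon only, so IPv6 addresses stay intact.
        afi_text, _, cidr = body.partition(":")
        if not afi_text.isdigit() or int(afi_text) not in AFI_TO_VERSION or not cidr:
            raise ValueError(f"malformed or unsupported APL item: {token!r}")
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != AFI_TO_VERSION[int(afi_text)]:
            raise ValueError(f"address family mismatch in APL item: {token!r}")
        items.append((negated, net))
    return items


def client_authorized(rdata, client_ip):
    """Return True if client_ip is listed and not excluded by a negated item.

    Assumed semantics: any negated match rejects, otherwise any positive
    match accepts. The record is data only, so evaluating it triggers no
    DNS queries chosen by the sender.
    """
    ip = ipaddress.ip_address(client_ip)
    allowed = False
    for negated, net in parse_apl(rdata):
        if ip.version == net.version and ip in net:
            if negated:
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.70", "198.51.100.5", "2001:db8::25"):
        print(addr, client_authorized(SAMPLE_APL, addr))
```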