nanog mailing list archives

Re: Spammers Skirt IP Authentication Attempts

From: Daniel Reed <n () ml org>
Date: Wed, 8 Sep 2004 16:59:14 -0400 (EDT)


On 2004-09-08T15:15-0500, Robert Bonomi wrote:
) Same thing applies for 'simple' forwarding via sendmails '~/.forward'
) mechanism.  the mail server 'accepts' the mail from the original source,
) and then 're-sends' to the new destination.  That re-send originates as
) the _forwarding_party_, WITH an 'envelope from' of that forwarding party,
) even though the internal content ofthe message may show a _different_,
) and unrelated, "From" address.

My experience with Sendmail has been that the envelope sender is retained
through /etc/aliases or ~/.forward. I can confirm that qmail's .qmail
definitely retains the envelope sender of the original message.

MAIL From:<user () example com>
RCPT To:<aliasuser () example net>

Received: from outgoing.example.com by mail.example.net
Received-SPF: pass: outgoing.example.com allowed for example.com

MAIL From:<user () example com>
RCPT To:<realaddress () example org>

Received: from mail.example.net by incoming.example.org
Received-SPF: fail: mail.example.net NOT allowed for example.com


Mailing lists get away with changing the envelope sender because the
original sender does not actually expect to receive DSNs for the message for
individual subscribers. Forwarding sites, on the other hand, can not simply
modify the envelope sender; DSNs *are* expected to track back to the
originating sender through a simple forward.

One proposal is to allow forwarding sites to modify the envelope sender in
such a way as to encode the original envelope sender in the LHS of an
@forwarding.site address. For example:

MAIL From:<bounce-user=example.com () example net>
RCPT To:<realaddress () example org>

Received: from mail.example.net by incoming.example.org
Received-SPF: fail: mail.example.net allowed for example.net


A naive scheme would allow for open relaying, however. A widely-deployed
naive scheme could be used by spammers to send mail to arbitrary addresses:

for i in $list; do
        mail bounce-$(echo $i | sed s/@/=/)@example.net < myspam
done

At least one anti-spam group has claimed they will list mail servers from
forwarding sites that use such an easily-exploited scheme.

:(

-- 
Daniel Reed <n () ml org>       http://people.redhat.com/djr/   http://naim.n.ml.org/
1832 Savior214: that sucks that one day your just gonna die and all that
work you did learning stuff just gets a rm -rf

Current thread:

Re: Spammers Skirt IP Authentication Attempts, (continued)
- - - Re: Spammers Skirt IP Authentication Attempts Suresh Ramasubramanian (Sep 08)
    - Re: Spammers Skirt IP Authentication Attempts Paul Vixie (Sep 08)
    - Very peculiar Telnet probing (possibly spoofed?) Jeff Kell (Sep 08)
    - Re: Very peculiar Telnet probing (possibly spoofed?) Suresh Ramasubramanian (Sep 08)
    - Re: Very peculiar Telnet probing (possibly spoofed?) Chris Brenton (Sep 09)
    - Re: Spammers Skirt IP Authentication Attempts [operational content at end] Rich Kulawiec (Sep 09)
- Re: Spammers Skirt IP Authentication Attempts Edward B. Dreger (Sep 06)
- Re: Spammers Skirt IP Authentication Attempts Paul Jakma (Sep 08)
- Re: Spammers Skirt IP Authentication Attempts Robert Bonomi (Sep 08)
- Re: Spammers Skirt IP Authentication Attempts Robert Bonomi (Sep 08)
  - Re: Spammers Skirt IP Authentication Attempts Daniel Reed (Sep 08)
  - Re: Spammers Skirt IP Authentication Attempts Stephane Bortzmeyer (Sep 10)
    - Re: Spammers Skirt IP Authentication Attempts Joe Rhett (Sep 10)
    - Re: Spammers Skirt IP Authentication Attempts Stephane Bortzmeyer (Sep 10)