Spammers Skirt IP Authentication Attempts

Date: Wed, 8 Sep 2004 20:15:01 +0100 (BST)
From: Chris Edwards <C.Edwards@compserv.gla.ac.uk>
Subject: Re: Spammers Skirt IP Authentication Attempts

> An SPF verification query returns one of three kinds of result:
> 1) MISMATCH on point-of-origin vs domain 'authorized' senders. *VERY*
> probably spam.

Either spam, or almost any item of forwarded mail :(

Beg to differ. Forwarded mail almost always shows an 'envelope from' of the
_forwarding_ party.

Case in point: all email sent to nanog is 'forwarded' to me, and the other
readers of the list. It has an "inside address" (per the 'From:' header) of
whomever authored the message. *BUT*, the 'envelope from' in the SMTP
transaction is completely different: <owner-nanog@merit.edu>

A _successful_ SPF check on 'merit.edu' would, hopefully, include 198.108.1.26
(trapdoor.merit.edu) in the list of 'official outgoing mail sources'. Ignoring
for the moment the fact that Merit hasn't added SPF records to DNS yet. :)

Same thing applies for 'simple' forwarding via sendmail's '~/.forward'
mechanism. The mail server 'accepts' the mail from the original source,
and then 're-sends' to the new destination. That re-send originates as
the _forwarding_party_, WITH an 'envelope from' of that forwarding party,
even though the internal content of the message may show a _different_,
and unrelated, "From" address.

An SPF check of the _immediate_ sender does *NOT* break forwarded mail.
Unless the forwarding process is _totally_ borken, that is. <grin>

) Same thing applies for 'simple' forwarding via sendmail's '~/.forward'
) mechanism. The mail server 'accepts' the mail from the original source,
) and then 're-sends' to the new destination. That re-send originates as
) the _forwarding_party_, WITH an 'envelope from' of that forwarding party,
) even though the internal content of the message may show a _different_,
) and unrelated, "From" address.

My experience with Sendmail has been that the envelope sender is retained
through /etc/aliases or ~/.forward. I can confirm that qmail's .qmail
definitely retains the envelope sender of the original message.

MAIL From:<user@example.com>
RCPT To:<aliasuser@example.net>

Received: from outgoing.example.com by mail.example.net
Received-SPF: pass: outgoing.example.com allowed for example.com

MAIL From:<user@example.com>
RCPT To:<realaddress@example.org>

Received: from mail.example.net by incoming.example.org
Received-SPF: fail: mail.example.net NOT allowed for example.com

Mailing lists get away with changing the envelope sender because the
original sender does not actually expect to receive DSNs for the message for
individual subscribers. Forwarding sites, on the other hand, cannot simply
modify the envelope sender; DSNs *are* expected to track back to the
originating sender through a simple forward.

One proposal is to allow forwarding sites to modify the envelope sender in
such a way as to encode the original envelope sender in the LHS of an
@forwarding.site address. For example:

MAIL From:<bounce-user=example.com@example.net>
RCPT To:<realaddress@example.org>

Received: from mail.example.net by incoming.example.org
Received-SPF: fail: mail.example.net allowed for example.net

A naive scheme would allow for open relaying, however. A widely-deployed
naive scheme could be used by spammers to send mail to arbitrary addresses:

for i in $list; do
  mail bounce-$(echo $i | sed s/@/=/)@example.net < myspam
done

At least one anti-spam group has claimed they will list mail servers from
forwarding sites that use such an easily-exploited scheme.

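To make concrete what separates the naive scheme described above from a safe one, here is an added example (not the poster's code; the thread names no implementation): it encodes the original sender in the LHS exactly as in the post, shows why an unverified encoding acts as an open relay, and contrasts it with a keyed-hash-plus-timestamp variant, the approach that later became SRS, which lets the forwarder accept bounces only for mail it actually forwarded. The secret key, the tag length and the day-granularity timestamp are assumptions of this example.

```python
import hmac
import hashlib
import time

FORWARDER = "example.net"                 # forwarding site, as in the thread's example
SECRET = b"constructed-demo-secret-key"   # assumption: secret known only to the forwarder
DAY = 86400

def naive_rewrite(orig_sender):
    """The 'naive scheme' from the post: user@domain becomes bounce-user=domain@forwarder."""
    local, domain = orig_sender.split("@", 1)
    return f"bounce-{local}={domain}@{FORWARDER}"

def naive_decode(addr):
    """Unverified decode: any address that merely fits the format is relayed onward."""
    local, fwd = addr.split("@", 1)
    rest = local[len("bounce-"):]
    if fwd != FORWARDER or not local.startswith("bounce-") or "=" not in rest:
        return None
    user, domain = rest.rsplit("=", 1)
    return f"{user}@{domain}"             # nothing proves the forwarder ever sent this

def signed_rewrite(orig_sender, now=None):
    """Hardened variant: bind the encoded sender to the forwarder's key and a day stamp."""
    local, domain = orig_sender.split("@", 1)
    ts = str(int((now or time.time()) // DAY))
    payload = f"{ts}={domain}={local}"    # local part last: it may itself contain '='
    tag = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()[:8]
    return f"bounce-{tag}={payload}@{FORWARDER}"

def signed_decode(addr, max_age_days=7, now=None):
    """Return the original sender only if the tag verifies and the stamp is fresh, else None."""
    local, fwd = addr.split("@", 1)
    if fwd != FORWARDER or not local.startswith("bounce-"):
        return None
    parts = local[len("bounce-"):].split("=", 3)
    if len(parts) != 4 or not parts[1].isdigit():
        return None
    tag, ts, domain, user = parts
    expected = hmac.new(SECRET, "=".join(parts[1:]).encode(), hashlib.sha256).hexdigest()[:8]
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None                       # forged or altered: drop instead of relaying
    age = int((now or time.time()) // DAY) - int(ts)
    if age < 0 or age > max_age_days:
        return None                       # stale address: limits replay of a captured one
    return f"{user}@{domain}"
```

Note that the signed form still produces a sender at the forwarding site, so the receiving site's SPF check is against example.net, which is the whole point of the rewrite.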

a message of 37 lines which said:

> Same thing applies for 'simple' forwarding via sendmail's '~/.forward'
> mechanism. The mail server 'accepts' the mail from the original source,
> and then 're-sends' to the new destination. That re-send originates as
> the _forwarding_party_, WITH an 'envelope from' of that forwarding
> party,

Sorry, this is simply not true (sendmail, postfix, etc, always keep
the original envelope from when forwarding).

> An SPF check of the _immediate_ sender does *NOT* break forwarded
> mail.

Even SPF people say it:

http://spf.pobox.com/faq.html#forwarding

Robert Bonomi <bonomi@mail.r-bonomi.com> wrote

> Same thing applies for 'simple' forwarding via sendmail's '~/.forward'
> mechanism. The mail server 'accepts' the mail from the original source,
> and then 're-sends' to the new destination. That re-send originates as
> the _forwarding_party_, WITH an 'envelope from' of that forwarding
> party,

> Sorry, this is simply not true (sendmail, postfix, etc, always keep
> the original envelope from when forwarding).

I'm not sure where "true" diverges from reality in your analysis, but
perhaps you should create one of those mail environments and test before
you put your foot in your mouth again?

a message of 19 lines which said:

> I'm not sure where "true" diverges from reality in your analysis,
> but perhaps you should create one of those mail environments and
> test before you put your foot in your mouth again?

Good idea, I plan to install Fedora this weekend and to learn a bit
about Postfix. Your wide experience will certainly help.

If you think that sendmail or postfix modify the "envelope from" when
forwarding, I suggest that you send your big discovery to the IETF
MARID working group, where it may change a lot of things in the
current discussion about Sender-ID :)