On 19/11/2012 20:02, News wrote:
> In message <aEtqs.598679$Ol2.4...@fx25.am4>, Neil Jackson
> <ja...@techno.demon.co.uk.invalid> writes
>
> <snip extremely useful information>
>
>> The solution is *NOT* 'use SPF'.
>>
>> My apologies again for assuming to 'correct' Richard's definition;
>> hopefully he/you won't mind unduly as my intentions are honourable! :)
>
> Neil, thank you. I now feel that I understand the risk involved, if not
> the technicalities behind it.
Glad to have helped, Graeme.
> I asked for SPF to be switched off last
> week, and received a message from Demon, saying that it had been
> switched off today.
>
> Lo and behold, two series of e-mails that had stopped post migration
> suddenly started to arrive. The first, which I did not miss (!) was a
> notification from Facebook. The second, which I did miss, was all
> postings to a non Yahoo mailing list. I don't really know enough about
> headers to post them for examination - or more correctly, I'm not sure
> which parts I shouldn't post! Anyway, switching off SPF seems to have
> had the desired effect, and I will continue to be vigilant when
> receiving messages purporting to arrive from Paypal etc.
At the risk of boring, I'll try and summarise what is and was happening
with the Facebook messages.
Facebook.com's DNS data (on the primary machine that is 'boss' for
Facebook's DNS data -
a.ns.facebook.com) reveals a TXT record containing:
"v=spf1 ip4:69.63.179.25 ip4:
69.63.178.128/25 ip4:
69.63.184.0/25
ip4:
66.220.144.128/25 ip4:
66.220.155.0/24 ip4:
69.171.232.128/25
ip4:
66.220.157.0/25 ip4:
69.171.244.0/24 mx -all"
In a nutshell, that's a list of all IP addresses which Facebook consider
'valid' as potential senders of emails with '
facebook.com' as the latter
half of their 'SMTP MAIL FROM' envelope header (ie the 'from' header
that mailservers see during the handover process, not the 'from header
that we humans see in our email programs).
Note particularly the '-all' bit at the end - the 'catch all'. That's
Facebook's way of saying "if the IP address giving you
facebook.com
email is not on this list, then we denounce it utterly (i.e. 'hardfail')"
Now, this data languishes unseen in Facebook's DNS until someone deigns
to check it. Pre-migration, Demon never checked it. Post-migration, they
have started to (unless you get off it, as you have just done).
When Demon do an SPF validation, they examine the SMTP envelope of the
incoming message to find the bit after the @ (the domain) and then they
look up TXT records in that domain's DNS servers, hunting for a valid
SPF record (i.e. one that starts with v=spf1 or similar).
If they don't find one, that's the end of the quest - this domain
clearly doesn't vouch for its mailservers' IP addresses using SPF, so
nothing good nor bad should be deduced, and the message (hopefully)
proceeds unhindered through that SPF-checking step. It may also now be
marked (by Demon, the receiving-mailserver) internally in the headers as
'SPF=none' or similar, or not marked at all.
However, if Demon DO find a valid SPF record, the next step is to
determine whether the mailserver currently trying to send a message
purporting to be from this domain under scrutiny, has an IP address that
matches one on this newly-found list. If it does match, then the message
is considered validated by the SPF process and again, proceeds
unhindered on to the next mail-checking steps, if there are any, and/or
delivery to the recipient. It may be marked 'SPF=passed' or similar, in
the process.
However, if the mailserver's IP address does *not* match any of the IP
addresses on this SPF list (or any of the expanded lists referred to in
it), then it is deemed to have failed. Demon then need to determine the
severity of this failure, using the opinion of the people who run the
domain. In this case, Facebook have deemed (via the '-all' setting) that
failures are all 'hardfail' - i.e. highest severity. They have opted to
warn everybody that 'Facebook' email from IP addresses other than
theirs, are most-seriously undesirable. Demon responds to this discovery
by simply deleting the message and hanging up the connection from the
incoming mailserver that's trying to send it. Google, in contrast, will
merely mark the message 'SPF=hardfail' and carry on processing it (but
possibly with a dimmer view of it, and presumably a greater possibility
of it ending up in a spam or quarantine bucket which the user may have
to manually check to find it).
And it's that simple. Works great, on the face of it, doesn't it?
Except when - as you have discovered - you have your *genuine* Facebook
mail sent first to '
us...@mydomain.com' and then forwarded on to your
'
us...@myhost.demon.co.uk' address.
In this situation, the intermediate ISP (responsible for mail in the
mydomain.com domain) will connect to Demon and duly begin to hand over
the email, but crucially, it will still be using the original SMTP
'from' envelope header (i.e. MAIL FROM:
some...@facebook.com) during
the handover conversation. Demon in due course, will repeat the
SPF-checking operation; it'll look for TXT/SPF records in Facebook's
DNS, and then scan any found list for the IP address of the mailserver
which is connected to them at the time (i.e.
mydomain.com's mailserver's
IP address). But of course, this time, it will NOT find it on Facebook's
list of nominated servers. So it will fall back to Facebook's 'catch
all' severity and handle the message on that basis - and because Demon's
methodology for '-all' hardfails is 'delete it', your message ends up in
the bin. Plonk!
If Facebook had opted for a lower level of severity (~all : softfail, or
?all : neutral) then Demon would not have deleted the message, and would
have just marked it somewhere and carried on handling it, albeit maybe
with 'kid gloves' now (much like Google do).
Alternatively, if Demon weren't quite so 'trusting' with regards to
their belief that hardfail is *always* a reason for deletion, then
similarly, we might still get messages. Personally, if Demon opted for a
'marking of hardfails' strategy I would have been marginally more
tempted to continue allowing use of SPF-checking of my inbound email
(because it can be a useful extra data-point when measuring for
spamminess). But when a major ISP routinely deletes *all* hardfail
messages, knowing full well that a lot of its users will be using
vanity-domain email-forwarding, this is imho cavalier behaviour, and
(unless they offer alternative handling) the only option to prevent
forwarded email vanishing, is to get SPF-checking turned off. Demon then
stop doing the initial lookup of the connecting mailserver's IP address
in the envelope-sender's DNS, and thus is tantamount to 'doing nothing'
or 'finding no SPF data'.
As Richard says, it will mean that on occasion, you'll get email from
random third-party addresses that have not been 'denounced' by the
genuine domain's DNS/SPF data when they should have been, but if you
(i.e. one, the user generally) don't know to read headers or check the
authenticity of OTHER types of spoofed email, this actually of marginal
benefit, and (imho) will lull one into a false sense of security anyway.
It's also true that if a domain decides to use 'softfail' or 'neutral'
as its public opinion on 'severity of fails', then you will STILL
receive spoofed emails that have that domain's email addresses in the
SMTP envelope headers - so again, most users may misread the level of
security brought by SPF, and falsely trust it.
I have a feeling that SPF is more about protection from liability of the
spoofed domain, than any real attempt to stop users getting junk or
dangerous phishing emails. In other words, the legal beagles wanted
something that enables them to stand up in court and prove to the most
technically-illiterate of judges that they've taken all "necessary
precautions" to prevent spoofed SMTP envelopes. It won't actually stop
*all* spoofed 'from' headers (in-message or in-envelope), or stop
phishing emails crafted by other methods (e.g. such as sending them via
hacked machines inside the spoofed domain's own network, thus using
genuine IP addresses). But it will make life easier for lawyers looking
to blame it on the poor sod who fell for it.
As always, it's not really about our protection, it's about theirs - but
they'll tell us it's about ours, in order to make us all adopt it...
"A million flies can't be wrong. Eat SPF!"
I neglected (until now) to mention one last 'catch all' setting that a
domain can adopt. The SPF standard includes '+all' as a setting which
basically says "also trust everything that *isn't* on the list of IP
addresses given here in our DNS's SPF record". In a sense, it's a
'vouch-all'. I've never been entirely sure why the SPF spec did this -
perhaps for testing, or perhaps they were aware that some domains would
need 'everything everywhere' capability. But the point is, this
technique means that some domains - those who think SPF sucks, but who
realise that some really stupid ISPs or mailservers *may* throw mail
away even if it simply doesn't have an SPF record at all (i.e. the
'SPF=none' case above) - can prevent this, and have that mailserver look
them up and still 'pass' the SPF test.
However, it also opens a door for spammers, and we're already seeing it
happen. The spammer registers a throwaway domain at some low-quality
DNS-registrar/DNS-host in a foreign country, and sets up the throwaway
domain's DNS data to include an "v=spf1 +all" TXT record. He then begins
mass-emailing messages from a billion hijacked PCs 'out there' in his
botnet, and each outgoing message has an SMTP 'MAIL FROM' envelope
address purporting to be from his throwaway domain. Any mailserver en
route that does SPF lookups will check the throwaway domain's DNS data
for an SPF record and will find the simple '+all' entry therein. At that
point, the receiving mailserver will believe this mail to be 'genuine'
(in the context that it has genuinely come from 'throwaway domain'),
will mark it 'SPF=passed' and continue its delivery. So they've proved
and protected nothing at all, just wasted some resources looking things
up in the DNS.
Of course the throwaway domain will eventually reach the spam
blacklists, or be deleted when it turns out the credit-card used to pay
for it was stolen, or the simple fact that the botnetted PCs will all
end up being IP blacklisted will render them useless - but the spammer
won't care. He'll just move on to his next bunch of unhindered zombie
PCs, create a new domain (perhaps with a new registrar or a different
credit-card) and begin the trick. He's getting paid for this, don't forget.
On the face of it, such '+all' tricks aren't *necessarily* going to put
us at greater risk, but there are dangers when you look more closely. As
always, it's the human factors that are most evident here:
If the in-message 'from' header was a Paypal.com address, the end-user
is potentially more prone to believe it. "All my email is SPF-checked,
after all, and if this one got through, it must be ok, surely?" goes the
reasoning.
Secondly, some ISPs (naming no names) appear to be relying more strongly
on SPF validation successes than they do on old-fashioned anti-spam
checks, like looking up IP addresses in realtime blacklists (RBLs such
as SpamCop, Spamhaus, et al). Some may even be *circumventing* those RBL
checks if a message has 'SPF-validated' itself, to save on resources -
in which case such tricks as we've seen with the throwaway domain '+all'
trick can result in the message being more trusted at a machine-level.
This would be madness, of course, but there is the potential for this to
happen. I never ever thought Demon would 'believe' in SPF to the degree
it already has - goodness knows what level of belief other ISPs might
apply to it!
At the very least, the presence of the '+all' trick means that nothing
much has really changed from the old days.
We'll still get spoofed.
Technicians will still *easily* be able to see (after the fact) whether
a message genuinely came from a 'from' header's stated domain. End-users
on the whole will still struggle to work this out reliably.
Judges will still believe what they're told by 'experts', and lawyers
will still rub their hands and fill their wallets, just a bit more
easily than before.
People will still get phished, but the difference now is they'll also
lose more genuine email, especially if they forward it to themselves
from their other accounts, or if a genuine mail-sender misconfigures
their own SPF records (as regularly happens).
Marvellous, isn't it? Solution, it is not.
--
Neil