Mailing List Archive

Martin Hatch wrote:
> My suggestion is quite simple, but I think would provide a much higher
> level of security and verification that the Email Server was actually
> responsible for the resulting spam message.
>
> Basically, every time an email is sent from an email server the first
> (for example) 32 bits of the packet header are stored (this can be
> hashed / encrypted) by the Email server in a log, along with a
> timestamp. This log would be capable of storing for a determined length
> of time (for example 1 week).
>
> When an email is received from that domain, then (like the SPF) the
> receiving email server can check the authenticity of the message by
> first making sure that the Server exists (as per the SPF records).
> However, it can then go one step further. It transmits the first
> 32-bits of the packet header (along with a timestamp) to that server,
> and asks if it has the details in it's Log.
>
> The originating server receives this pakcte header, encrypts it and
> compares it to the values stored in the Log (along with the
> timestamp?). It can then send a simple yes/no acknowledgement to verify
> if that email was actually sent from that server!

You're essentially describing a hash function. What about hash
collisions?

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

Martin Hatch wrote:

> I must apologise if this idea has already bounced around, but I was
> discussing the pro's and con's of SPF with my colleague and hit upon
> an idea.
>
> With raw socket capability (and subsequent abilities to falsify IP
> address, mac address and other information) the current SPF model is
> limited in it's ability to eradicate Spam.

I'm not a big time admin of any kind, but my feeling is that if you
can't trust the source IP address of an email to be correct then you
have a much bigger problem with the network than SPF could ever hope to
solve. Aren't there ways to cut down on TCP spoofing? syn cookies and
the like?

I do also feel that this sort of problem is outside the scope of SPF...
so ignore me if you'd like, maybe I'll ignore myself.

--Jonathan

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

Someone correct me if I'm wrong, but if the sender spoofs the real IP address, then the SMTP server will not be able to return the proper SMTP codes/results to the sender (it will be attempting to send them to the fake IP and will thus fail). Without the proper two way communication, the sender will never even be able to reach the point to where an email can be sent...

Roberto

________________________________

From: owner-spf-devel@v2.listbox.com [mailto:owner-spf-devel@v2.listbox.com] On Behalf Of Martin Hatch
Sent: Wednesday, March 09, 2005 1:07 PM
To: spf-devel@v2.listbox.com
Subject: [spf-devel] Suggestion - Message Verification


I must apologise if this idea has already bounced around, but I was discussing the pro's and con's of SPF with my colleague and hit upon an idea.

With raw socket capability (and subsequent abilities to falsify IP address, mac address and other information) the current SPF model is limited in it's ability to eradicate Spam.

My suggestion is quite simple, but I think would provide a much higher level of security and verification that the Email Server was actually responsible for the resulting spam message.

Basically, every time an email is sent from an email server the first (for example) 32 bits of the packet header are stored (this can be hashed / encrypted) by the Email server in a log, along with a timestamp.
This log would be capable of storing for a determined length of time (for example 1 week).

When an email is received from that domain, then (like the SPF) the receiving email server can check the authenticity of the message by first making sure that the Server exists (as per the SPF records).
However, it can then go one step further. It transmits the first 32-bits of the packet header (along with a timestamp) to that server, and asks if it has the details in it's Log.

The originating server receives this pakcte header, encrypts it and compares it to the values stored in the Log (along with the timestamp?). It can then send a simple yes/no acknowledgement to verify if that email was actually sent from that server!

Now, I'm sure there are people out there thinking ... "store logs of every email we've ever sent!!!"
Well, that is NOT the case.

You only have to log the encrypted 32-bit header, along with a simple Date-Time stamp, for future interrogation. You also don't need to save every email's details (as you only want to be able to verify those emails that are being sent and received right now) so no more than 1 week would be necessary in most cases!

Let us take an example company, who sends 50,000 emails per day from their beefy server.
They store a simple encrypted 4-byte (32-bit) packet header along with an 8-byte timestamp.
This represents 600,000 bytes of raw data per day.
Over the space of 1 week, that is only 4 megabytes!!

Even the extraordinary requirements of Hotmail Servers, sending (for example) 100,000,000 emails per week. such a log would represent around 1 gigabyte of data (and indexed by timestamp would be quite fast to query). And thats only if they keep entire 7 days logs .. they could quite reasonably request to keep only 1 day of logs instead .. drastically reducing requirements.

This system would bring together a distributing network of authorised servers (such as SPF) but at the same time tie in a solid backbone for verifying if every single email that is sent across the internet comes from a valid email server, and evidence of such is logged for verification.

No-one can tell what encryption method a particular email server uses (as there is no public / private key exchange .. the encryption is kept entirely secure as the email server itself is simply comparing one encrypted value with another)

Given that a tiny email will consist of thousands of bytes, transmitting 4 byte packets for verification is hardly an increase in network resources.

I hope you have gotten this far in reading my proposal. I am not "techie" enough to consider implementation of such a solution, but I thankyou for at least hearing me out.

Thoughts, comments and suggestions are of course welcome.

cheers

Martin Hatch

________________________________

To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

> -----Original Message-----
> From: owner-spf-devel@v2.listbox.com
> [mailto:owner-spf-devel@v2.listbox.com] On Behalf Of Julian Mehnle
> Sent: woensdag 9 maart 2005 19:14
> To: spf-devel@v2.listbox.com
> Subject: RE: [spf-devel] Suggestion - Message Verification
>
>
> The originating server receives this packet header, encrypts it and
> compares it to the values stored in the Log (along with the
> timestamp?). It can then send a simple yes/no acknowledgement to verify
> if that email was actually sent from that server!

I am not sure what you mean, here. Because of IP-spoofing, you mean?
Though theoretically maybe doable, you can, for all purposes and intent,
consider that as good as impossible.

Otherwise, you seem to want to reinvent something like ENVID, right?

- Mark

System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

> -----Original Message-----
> From: owner-spf-devel@v2.listbox.com
> [mailto:owner-spf-devel@v2.listbox.com] On Behalf Of
> roberto@netwide.net
> Sent: woensdag 9 maart 2005 20:32
> To: spf-devel@v2.listbox.com
> Subject: RE: [spf-devel] Suggestion - Message Verification
>
>
> Someone correct me if I'm wrong, but if the sender spoofs the
> real IP address, then the SMTP server will not be able to
> return the proper SMTP codes/results to the sender (it will
> be attempting to send them to the fake IP and will thus
> fail). Without the proper two way communication, the sender
> will never even be able to reach the point to where an email
> can be sent...
>
> Roberto

IP is basically a routing wrapper for layer 4, which contains the
Transmission Control Protocol (TCP). Participants in a TCP session must
first build a connection, via the 3-way handshake (SYN-SYN/ACK-ACK), then
update one another on progress, via sequences and acknowledgements. Within
the established connection, "sequence prediction" is almost impossible. In
the old days, it was relatively easy to discover the exact formula by
studying packets and TCP sessions. Today, most OS-es implement random
sequence number generation, making it extremely difficult to predict them
accurately.

Hence, TCP/IP spoofing, within an established connection, though perhaps
theoretically a possibility, is close to impossible. If it were possible,
do you not think every spammer would use it? Believe me, if spammers had
devised such an apparatus that could successfully spoof established TCP/IP
connections, they would be sitting on something worth a lot more than
their stupid spam!

Also, from the sendmail manual:

Add optional protection from open proxies and SMTP slammers which
send SMTP traffic without waiting for the SMTP greeting.
If enabled by the new ruleset greet_pause (see
FEATURE(`greet_pause')), sendmail will wait the specified
amount of time before sending the initial 220 SMTP
greeting. If any traffic is received before then, a 554
SMTP response is sent and all SMTP commands are rejected
during that connection.

Good luck evading that, too. :)

- Mark

System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

>Also, from the sendmail manual:
>
> Add optional protection from open proxies and SMTP slammers which
> send SMTP traffic without waiting for the SMTP greeting.
> If enabled by the new ruleset greet_pause (see
> FEATURE(`greet_pause')), sendmail will wait the specified
> amount of time before sending the initial 220 SMTP
> greeting. If any traffic is received before then, a 554
> SMTP response is sent and all SMTP commands are rejected
> during that connection.

I enabled this a few weeks ago, and it is tremendously effective.

In sendmail.mc:
FEATURE(access_db)dnl
FEATURE(`greet_pause',5000)

In access:
GreetPause:localhost 0

Highly recommended.
---
Jef

Jef Poskanzer jef@acme.com http://www.acme.com/jef/

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

Question ... at which point does the SPF kick in?

Does it initiate at the first stages of the TCP/IP Handshake? (i.e. does the Email Server check if the email server is verified before or after setting up the TCP/IP handshake?).. (in effect running more of an Access Control List Firewall for email traffic??).

If this happens before, then I agree, IP Spoofing is extremely difficult. But if the SPF is only referred to _after_ an email has been received, then it's not. In such a case, someone would not be intercepting TCP/IP communications, or using an existing SMTP server to send it's mail.

For example:
(1) Two authorised Email Servers Exist with IP Address X and Y respectively.
(2) a spammer builds himself an Email Server (Z). He conditions it to fake the IP Address, so that it appears to have IP Address X.
(3) Spammer Z sends an email from his Email server to Email Server Y.
(4) Y checks the IP Address, compares it to the SPF and confirms that "X" (the IP address that it THINKS was used) is an authorised Email Server.

Would this be accurate ??? Or are there some additional security features that I am not aware of?
Will Y refuse to even receive the email from Z? Does the IP check kick in during the handshake between Y and Z, or afterwards, interrogating the Email Header?

My suggestion was to add an additional 3 steps:

(5) Y sends the first 32-bit header to X, asking X to verify if this email was in fact sent from X.
(6) X receives the packet from Y .. X checks it's log, and sends back confirmation that it was NOT sent from X.
(7) Y realises that this email (which was actually from Spammer Z) is not authorised, and deletes it.




-----Original Message-----
From: owner-spf-devel@v2.listbox.com [mailto:owner-spf-devel@v2.listbox.com] On Behalf Of Mark
Sent: Wednesday, March 09, 2005 8:09 PM
To: spf-devel@v2.listbox.com
Subject: RE: [spf-devel] Suggestion - Message Verification


> -----Original Message-----
> From: owner-spf-devel@v2.listbox.com
> [mailto:owner-spf-devel@v2.listbox.com] On Behalf Of
> roberto@netwide.net
> Sent: woensdag 9 maart 2005 20:32
> To: spf-devel@v2.listbox.com
> Subject: RE: [spf-devel] Suggestion - Message Verification
>
>
> Someone correct me if I'm wrong, but if the sender spoofs the real IP
> address, then the SMTP server will not be able to return the proper
> SMTP codes/results to the sender (it will be attempting to send them
> to the fake IP and will thus fail). Without the proper two way
> communication, the sender will never even be able to reach the point
> to where an email can be sent...
>
> Roberto

IP is basically a routing wrapper for layer 4, which contains the Transmission Control Protocol (TCP). Participants in a TCP session must first build a connection, via the 3-way handshake (SYN-SYN/ACK-ACK), then update one another on progress, via sequences and acknowledgements. Within the established connection, "sequence prediction" is almost impossible. In the old days, it was relatively easy to discover the exact formula by studying packets and TCP sessions. Today, most OS-es implement random sequence number generation, making it extremely difficult to predict them accurately.

Hence, TCP/IP spoofing, within an established connection, though perhaps theoretically a possibility, is close to impossible. If it were possible, do you not think every spammer would use it? Believe me, if spammers had devised such an apparatus that could successfully spoof established TCP/IP connections, they would be sitting on something worth a lot more than their stupid spam!

Also, from the sendmail manual:

Add optional protection from open proxies and SMTP slammers which
send SMTP traffic without waiting for the SMTP greeting.
If enabled by the new ruleset greet_pause (see
FEATURE(`greet_pause')), sendmail will wait the specified
amount of time before sending the initial 220 SMTP
greeting. If any traffic is received before then, a 554
SMTP response is sent and all SMTP commands are rejected
during that connection.

Good luck evading that, too. :)

- Mark

System Administrator Asarian-host.org

---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx

-------
To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

I understand the TCP protocol 3-stage handshake (SYN-ACK/SYN-ACK).

SPF works on the basis that an email server will check a list to see if the email server is authorised to send mail. Correct??
The SPF check is based on the <FROM> header in the Email Message Header. Correct??
I assume the list to be checked is in the form of a Domain / IP lookup (which lists authorised IP addresses of email servers for listed domains and sub-domains??)

When an IP Address is checked, is this IP taken from the TCP handshake itself?? or is it interrogated from the email header via a DNS lookup?

Effectively what I want to know (which will answer whether the answer to my previous question makes this rhetoric) is _WHEN_ is the SPF list checked??

Is it DURING the TCP Handshake?

If the answer is YES, then I agree that this makes IP spoofing close to impossible (as all the responding ACK/SYN packets will go to the wrong machine [that is .. the authorised machine from the list])
This presents some interesting options for Reflective DoS attacks, but for this purpose it wouldn't work.

If the answer is NO, then does the IP lookup come from the Email header or a DNS lookup of the email domain?

thanks

Martin


**************** REPLY SEPARATER ****************
You have to understand how TCP works in order to understand why this would not be possible. Unlike UDP (which is essentially one way transmission), TCP requires handshaking. It requires that a connection be established between the 2 ends. Each transmission back and forth must receive an ACK or NAK from the other end. The network path for the outbound packet may not even be the same as the inbound path for the acknowledgement, and if an acknowledgement is not received before the timeout, the connection is broken and must be re-established. Although it is theoretically possible to break into the network path somewhere, intercept these transmissions and substitute your own, in practice it is extremely difficult. You essentially have to have access to both ends; your own and the one you are trying to fake. I have seen many challenges issued to prove that it can be done, but so far none have been answered.

You are welcome to try.

J.A. Coutts


-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

At 09:34 AM 3/12/2005 -0000, you wrote:
>Question ... at which point does the SPF kick in?
>
>Does it initiate at the first stages of the TCP/IP Handshake? (i.e. does
the Email Server check if the email server is verified before or after
setting up the TCP/IP handshake?).. (in effect running more of an Access
Control List Firewall for email traffic??).
>
>If this happens before, then I agree, IP Spoofing is extremely difficult.
But if the SPF is only referred to _after_ an email has been received, then
it's not. In such a case, someone would not be intercepting TCP/IP
communications, or using an existing SMTP server to send it's mail.
>
>For example:
>(1) Two authorised Email Servers Exist with IP Address X and Y respectively.
>(2) a spammer builds himself an Email Server (Z). He conditions it to fake
the IP Address, so that it appears to have IP Address X.
>(3) Spammer Z sends an email from his Email server to Email Server Y.
>(4) Y checks the IP Address, compares it to the SPF and confirms that "X"
(the IP address that it THINKS was used) is an authorised Email Server.
>
>Would this be accurate ??? Or are there some additional security features
that I am not aware of?
>Will Y refuse to even receive the email from Z? Does the IP check kick in
during the handshake between Y and Z, or afterwards, interrogating the
Email Header?
**************** REPLY SEPARATER ****************
You have to understand how TCP works in order to understand why this would
not be possible. Unlike UDP (which is essentially one way transmission),
TCP requires handshaking. It requires that a connection be established
between the 2 ends. Each transmission back and forth must receive an ACK or
NAK from the other end. The network path for the outbound packet may not
even be the same as the inbound path for the acknowledgement, and if an
acknowledgement is not received before the timeout, the connection is
broken and must be re-established. Although it is theoretically possible to
break into the network path somewhere, intercept these transmissions and
substitute your own, in practice it is extremely difficult. You essentially
have to have access to both ends; your own and the one you are trying to
fake. I have seen many challenges issued to prove that it can be done, but
so far none have been answered.

You are welcome to try.

J.A. Coutts

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

On Sat, Mar 12, 2005 at 03:48:16PM -0000, Martin Hatch wrote:
> SPF works on the basis that an email server will check a list to see if the email server is authorised to send mail. Correct??

Yes, with the subtlety that the list is published in DNS on the domain
in the envelope from.

> The SPF check is based on the <FROM> header in the Email Message Header. Correct??
> I assume the list to be checked is in the form of a Domain / IP lookup (which lists authorised IP addresses of email servers for listed domains and sub-domains??)

The spf check is whether the IP of the incoming connection (as reported
by the operating system's TCP stack or whatever means the mailer uses to
determine the IP address of the incoming connection) is indeed allowed
by the list of servers in the SPF record on the domain from the envelope
from. So this is not the From in the email header, it is the envelope
from that is part of the smtp protocol.

> When an IP Address is checked, is this IP taken from the TCP handshake itself?? or is it interrogated from the email header via a DNS lookup?

In sendmail, it is what is reported by the operating system as the ip on the other end of the socket.

> Effectively what I want to know (which will answer whether the answer to my previous question makes this rhetoric) is _WHEN_ is the SPF list checked??
>
> Is it DURING the TCP Handshake?
>
> If the answer is YES, then I agree that this makes IP spoofing close to impossible (as all the responding ACK/SYN packets will go to the wrong machine [that is .. the authorised machine from the list])
> This presents some interesting options for Reflective DoS attacks, but for this purpose it wouldn't work.
>
> If the answer is NO, then does the IP lookup come from the Email header or a DNS lookup of the email domain?

The answer is no, but the question is somewhat flawed. The 'spf list' is
usually checked during the SMTP interaction, so that is after TCP
handshake, but before email headers are available. Checking spf during
TCP/IP handshake is impossible, because without an envelope from (or, in
cases where envelope from is <> the HELO domain) there can be no spf
checking.

The point being, i think, is that if you want to send mail from xyz.com,
but you are not one of the designated senders in the SPF record on
xyz.com, then you'll have to spoof one of the IP's that is allowed by
the SPF record and perform an entire SMTP transaction with that spoofed
ip.

--
K.F.J. Martens, Sonologic, http://www.sonologic.nl/
Networking, hosting, embedded systems, unix, artificial intelligence.
Public PGP key: http://www.metro.cx/pubkey-gmc.asc
Wondering about the funny attachment your mail program
can't read? Visit http://www.openpgp.org/

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com

SPF really has nothing to do with TCP handshaking. When a connection is
established with a mail server (random port on sending server to port 25 on
the mail server), the mail server stores the IP/PORT information in
variables. Any subsequent packets received from that IP/PORT combination is
related to that particular established connection. A new connection from
the same IP will use a different port number. The SPF query to the DNS
cannot be initiated until after the MAIL FROM: address has been received in
a subsequent packet. The information returned in the TXT record will be
compared to the IP address stored when the connection was established. This
may require several more trips to the DNS. Each stage of the SMTP
transaction process has to go through the same TCP handshaking, which is
what makes it difficult to fake an IP.

If you have access to a raw packet analyzer, it can be very enlightening.
**************** REPLY SEPARATER ***************
At 03:48 PM 3/12/2005 -0000, you wrote:
>I understand the TCP protocol 3-stage handshake (SYN-ACK/SYN-ACK).
>
>SPF works on the basis that an email server will check a list to see if
the email server is authorised to send mail. Correct??
>The SPF check is based on the <FROM> header in the Email Message Header.
Correct??
>I assume the list to be checked is in the form of a Domain / IP lookup
(which lists authorised IP addresses of email servers for listed domains
and sub-domains??)
>
>When an IP Address is checked, is this IP taken from the TCP handshake
itself?? or is it interrogated from the email header via a DNS lookup?
>
>Effectively what I want to know (which will answer whether the answer to
my previous question makes this rhetoric) is _WHEN_ is the SPF list checked??
>
>Is it DURING the TCP Handshake?
>
>If the answer is YES, then I agree that this makes IP spoofing close to
impossible (as all the responding ACK/SYN packets will go to the wrong
machine [that is .. the authorised machine from the list])
>This presents some interesting options for Reflective DoS attacks, but for
this purpose it wouldn't work.
>
>If the answer is NO, then does the IP lookup come from the Email header or
a DNS lookup of the email domain?
>
>thanks
>
>Martin
>
>
>**************** REPLY SEPARATER ****************
>You have to understand how TCP works in order to understand why this would
not be possible. Unlike UDP (which is essentially one way transmission),
TCP requires handshaking. It requires that a connection be established
between the 2 ends. Each transmission back and forth must receive an ACK or
NAK from the other end. The network path for the outbound packet may not
even be the same as the inbound path for the acknowledgement, and if an
acknowledgement is not received before the timeout, the connection is
broken and must be re-established. Although it is theoretically possible to
break into the network path somewhere, intercept these transmissions and
substitute your own, in practice it is extremely difficult. You essentially
have to have access to both ends; your own and the one you are trying to
fake. I have seen many challenges issued to prove that it can be done, but
so far none have been answered.
>
>You are welcome to try.
>
>J.A. Coutts
>
>
>-------
>To unsubscribe, change your address, or temporarily deactivate your
subscription,
>please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com
>
>
>

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com