On Sat, Aug 5, 2023 at 1:01 PM John Levine <jo...@taugh.com> wrote:

> It appears that Tim Wicinski <tjw.i...@gmail.com> said:
> >A malicious sender needs two properties to perform such a SPF upgrade
> >attack:
> >
> >    1) a receiver that will forward quarantined messages, and
>
> do so without changing the bounce address.  Solution: Don't Do That.
>

That's a confounding issue but not the root problem I think. Even if
Microsoft were to implement keeping the bounce address, it just means that
the spammer has to start with the spoofed return-path address on their
initial send.  Yes, that fails SPF authentication but it is ignored for
whatever reason and then forwarded.  And it's this forwarding despite the
initial failing authentication that I think is the root of the problem.

Besides, the spammers frequently change tactics.  Just yesterday I saw a
spam message where the return address is empty, though granted it's not
DMARC aligned.


> >> Finally, I don't think this is particularly unique to SPF.  If you replace
> >> "finds a SPF policy that covers the forwarding IPs" with something like
> >> finds a third party willing to sign the message, I expect I could construct
> >> a similar (if not quite as easy) DKIM based scenario.
>
> No, then it has the forwarding party's signature which isn't aligned with
> the From header.
>

A spammer could write a From header in anticipation of adding a forwarder's
DKIM signature.  This already happens with the SPF upgrade scenario.
-Wei
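The alignment question running through this exchange (why a forwarder's own DKIM signature "isn't aligned with the From header", and why leaving the bounce address unchanged is what lets an SPF pass become a DMARC pass) can be made concrete with a small evaluator. The following is an added example written for this thread, not code from any of the participants or from an IETF document. It follows the RFC 7489 alignment rules but uses constructed stand-ins: the `SPF_AUTHORIZED` table replaces DNS lookups, `org_domain` approximates the organizational domain with the last two labels instead of the Public Suffix List, and the domains and IP addresses are made up.

```python
"""Added example (not part of the mailing-list thread): a minimal DMARC
alignment evaluator in the style of RFC 7489.  It shows that a forwarder's
own DKIM signature or rewritten bounce address does not yield an aligned
DMARC pass, whereas an unchanged bounce address relayed from an IP that the
From domain's SPF record happens to authorize does.  All domains, IPs and
'SPF records' below are constructed, not real."""

from dataclasses import dataclass, field

# Constructed stand-in for DNS SPF records: domain -> set of authorized IPs.
# Assumption: victim.example's SPF covers the forwarder's IP (e.g. both use
# the same hosted mail service), which is the precondition discussed above.
SPF_AUTHORIZED = {
    "victim.example": {"203.0.113.10"},
    "forwarder.example": {"203.0.113.10"},
}


def spf_check(mail_from_domain: str, sending_ip: str) -> str:
    """Toy SPF evaluation: 'pass' if the IP is listed for the domain, else 'fail'."""
    return "pass" if sending_ip in SPF_AUTHORIZED.get(mail_from_domain, set()) else "fail"


def org_domain(domain: str) -> str:
    """Organizational domain (assumption: last two labels; real DMARC uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


@dataclass
class Message:
    from_domain: str                           # RFC5322.From domain
    mail_from_domain: str                      # bounce address (RFC5321.MailFrom) domain
    sending_ip: str                            # IP of the hop that delivered to us
    dkim: list = field(default_factory=list)   # [(d= domain, verification result)]


def dmarc_evaluate(msg: Message, aspf: str = "r", adkim: str = "r") -> dict:
    """Return which identifier (if any) produced an aligned pass, plus the DMARC verdict."""
    spf_result = spf_check(msg.mail_from_domain, msg.sending_ip)
    spf_aligned = spf_result == "pass" and aligned(msg.mail_from_domain, msg.from_domain, aspf)
    dkim_aligned = any(res == "pass" and aligned(d, msg.from_domain, adkim) for d, res in msg.dkim)
    return {
        "spf": spf_result,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Scenario 1 (constructed): the forwarder relays the message with the bounce
# address unchanged, from an IP victim.example's SPF authorizes.  SPF passes
# and aligns with From, so DMARC passes even though the forwarder's DKIM
# signature does not align.
KEPT_BOUNCE = Message("victim.example", "victim.example", "203.0.113.10",
                      dkim=[("forwarder.example", "pass")])

# Scenario 2 (constructed): the forwarder rewrites the bounce address to its
# own domain and signs with its own key.  SPF still passes, but neither the
# MailFrom domain nor the DKIM d= domain aligns with From, so DMARC fails.
REWRITTEN_BOUNCE = Message("victim.example", "forwarder.example", "203.0.113.10",
                           dkim=[("forwarder.example", "pass")])

if __name__ == "__main__":
    for name, m in (("kept bounce address", KEPT_BOUNCE),
                    ("rewritten bounce address", REWRITTEN_BOUNCE)):
        print(f"{name}: {dmarc_evaluate(m)}")
```

The useful thing for a receiver is the per-identifier breakdown rather than the final verdict: a DMARC pass whose only aligned identifier is SPF, on a message that arrived through a known forwarder, is exactly the case the thread is worried about, and logging `spf_aligned` and `dkim_aligned` separately makes such messages easy to find in reports.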
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
