On Mar 12, 2024, at 9:05 AM, Dotzero <dotz...@gmail.com> wrote:


Neil, SPF essentially deals with hosts and IP address ranges. Your suggested solution does not address the main problem(s) raised in the research.

One approach that potentially addresses the SPF problem of shared hosting would be for ESPs to use IPv6 address space for sending. Each customer can then be assigned unique IP addresses. An approach like this causes other potential operational problems, for example infrequent senders (think of a monthly newsletter sent at the beginning of each month). The issues presented by Chuhan Wang have actually been known and understood for quite some time, even if not well documented for a wider audience.

I do agree that the title is misleading.

Michael Hammer

I like the IPv6 idea in principle, but would the MBPs adjust, as small businesses can’t operate optimally with a sender reputation that’s like the sound of one hand clapping.

I think SPF isn’t the problem; it’s the overloading of includes, lax vendor security in many cases, often overloading the org domain with a few includes that are cringeworthy in their permissiveness. If there were incentives to solve this problem the ESPs would be on it. Unfortunately, security breaches tend to act as externalities, not providing a direct incentive for ESPs and others to make mitigating this issue a priority. That said, a smart sender can avoid SPF problems with planning and situational awareness.

I don’t blame the SPF protocol; I blame pushing the envelope until threat actors started writing thank-you notes.
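The points above about overloaded, permissive includes and about narrowing what a record permits can be checked mechanically. The script below is an added example, not code from this thread or from the BreakSPF paper: it walks an SPF record and its includes over constructed zone data (hypothetical domain names, not real records) and reports the DNS lookup count, the IPv4 address space authorised, and any `+all`/`?all` terms that would pass a message from anyone on the shared infrastructure.

```python
import ipaddress
import re

# Constructed TXT records standing in for live DNS (hypothetical zones, not real data).
ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.esp-a.example include:_spf.esp-b.example ~all",
    "_spf.esp-a.example": "v=spf1 ip4:198.51.100.0/22 ip6:2001:db8::/32 ~all",
    "_spf.esp-b.example": "v=spf1 include:_spf.esp-c.example +all",
    "_spf.esp-c.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "news.example.com": "v=spf1 ip4:203.0.113.0/24 -all",
}

# Terms that cost a DNS query; RFC 7208 limits these to 10 per evaluation (permerror beyond).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

def analyze(domain, zone=ZONE, seen=None):
    """Walk an SPF record chain and return how much it authorises."""
    seen = set() if seen is None else seen
    res = {"lookups": 0, "ipv4_hosts": 0, "ipv6_prefixes": 0, "permissive": []}
    if domain in seen:  # guard against include loops
        return res
    seen.add(domain)
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return res
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        m = re.match(r"([a-z0-9]+)(?:[:=](.*))?$", term.lstrip("+-~?"))
        if not m:
            continue
        name, value = m.group(1), m.group(2) or ""
        if name == "all":
            if qualifier in "+?":  # "+all" / "?all" pass any sender, shared hosts included
                res["permissive"].append(f"{domain}: {term}")
        elif name == "ip4":
            res["ipv4_hosts"] += ipaddress.ip_network(value, strict=False).num_addresses
        elif name == "ip6":
            res["ipv6_prefixes"] += 1
        elif name in LOOKUP_TERMS:
            res["lookups"] += 1
            if name in ("include", "redirect"):
                sub = analyze(value, zone, seen)
                for k in ("lookups", "ipv4_hosts", "ipv6_prefixes"):
                    res[k] += sub[k]
                res["permissive"].extend(sub["permissive"])
    return res

def over_limit(domain, zone=ZONE):
    """True when the chain exceeds the RFC 7208 lookup limit."""
    return analyze(domain, zone)["lookups"] > LOOKUP_LIMIT
```

Running `analyze("example.com")` against the constructed zone shows the org domain inheriting a `+all` from an ESP include, while the narrowed `news.example.com` record authorises a single /24 and nothing else.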



On Tue, Mar 12, 2024 at 1:38 AM Neil Anuskiewicz <neil=40marmot-tech....@dmarc.ietf.org> wrote:
The solution to that vulnerability is in part to use a subdomain and, when possible, narrow the scope of what you permit. Better yet, choose a vendor that’s known for tight security. A quick look at the security headlines will show you some vendor red flags. But "The sad state of SPF" is a misleading title at best,

On Mar 4, 2024, at 8:37 PM, Chuhan Wang <wc...@mails.tsinghua.edu.cn> wrote:



Hi Everyone,

I am Chuhan Wang from Tsinghua University, the author of the paper BreakSPF: How Shared Infrastructures Magnify SPF Vulnerabilities Across the Internet.

Thanks Barry for sharing our paper presented at NDSS regarding the vulnerabilities of SPF in this working group. I'm glad to see that our research on BreakSPF is being discussed in the IETF working group. It's encouraging to know that our work is contributing to important conversations about email security.

I am willing to discuss any questions or concerns that may arise from our paper. Please feel free to reach out to me, and I'll be more than happy to discuss our findings and insights with the group.

Chuhan Wang
Tsinghua University



Begin forwarded message:

From: Barry Leiba <barryle...@computer.org>
Subject: [dmarc-ietf] The sad state of SPF: research just presented at NDSS
Date: February 28, 2024 at 17:33:41 CST
To: IETF DMARC WG <dmarc@ietf.org>

A paper was presented this morning at NDSS about the state of SPF, which is worth a read by this group:


B
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
