Re: [mailop] gmail rejecting for invalid SPF/DKIM when there isn't any?

2022-08-27 Thread Jarland Donnell via mailop
It was purely observational, I thought others had already noticed it. It 
consumed a lot of support time on our side. Maybe I'll try to pull the 
data to get a better idea of how it looked by the numbers.


On 2022-08-27 22:28, Darrell Budic via mailop wrote:

> Was there any published notification about this? Not that there’s a
> good place for it, but between mailop and nanog, I’d have thought I’d
> have seen it…
>
> At any rate, this error message seems like it would be better as
> “Gmail now requires senders to have SPF and/or DKIM enabled to send
> mail to Gmail” instead of saying it failed checks. Less misleading
> that way, and I’m not saying to my customer “I don’t know why it says
> that, you don’t seem to have SPF setup…”
>
> I mean, yay for more correct SPF, but boo for bad error messages.
>
> On Aug 27, 2022, at 5:28 PM, Jarland Donnell via mailop wrote:
>
>> Google has recently started requiring SPF. I don't know if they require
>> it 100% of the time but they do now reject emails from domains that
>> either don't have it, or have it improperly configured, and they won't
>> accept it from those domains until it's fixed. It has helped me a good
>> bit, making it easier to identify my customers that are violating my
>> policy and sending without valid SPF.
>>
>> At least, by this point, we should be able to say that everyone has
>> had an opportunity to at least adopt SPF. Anyone who doesn't, by now,
>> generally doesn't care about their delivery quality.
>>
>> On 2022-08-27 17:09, Darrell Budic via mailop wrote:
>>
>>> Anyone else seeing this? Customer of mine just got some bounces from
>>> gmail for invalid SPF/DKIM. He doesn’t have either, so I’m not
>>> sure what this is about?
>>> Mind you, I did send him to setup a valid SPF entry, and
>>> authentication is good, but this seems like a misleading error
>>> message...
>>>
>>>> The mail system
>>>> <@gmail.com>: host gmail-smtp-in.l.google.com
>>>> [1][142.251.4.27] said:
>>>> 550-5.7.26 This message does not pass authentication checks (SPF
>>>> and DKIM
>>>> both 550-5.7.26 do not pass). SPF check for [musichael.com [2]]
>>>> does not pass
>>>> with ip: 550-5.7.26 [204.130.133.20].To best protect our users
>>>> from spam,
>>>> the message 550-5.7.26 has been blocked. Please visit 550-5.7.26
>>>> https://support.google.com/mail/answer/81126#authentication for
>>>> more 550
>>>> 5.7.26 information.
>>>> b185-20020a2567c200b006953ea7fad6si1842767ybc.571 -
>>>> gsmtp (in reply to end of DATA command)
>>>> Reporting-MTA: dns; smtp.ohgnetworks.com [3]
>>>> X-Postfix-Queue-ID: 358D21F4D4
>>>> X-Postfix-Sender: rfc822; mich...@musichael.com
>>>> Arrival-Date: Sat, 27 Aug 2022 13:10:52 + (UTC)
>>>
>>> Links:
>>> --
>>> [1] http://gmail-smtp-in.l.google.com
>>> [2] http://musichael.com
>>> [3] http://smtp.ohgnetworks.com
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop



Re: [mailop] gmail rejecting for invalid SPF/DKIM when there isn't any?

2022-08-27 Thread Darrell Budic via mailop
Was there any published notification about this? Not that there’s a good place 
for it, but between mailop and nanog, I’d have thought I’d have seen it…

At any rate, this error message seems like it would be better as “Gmail now 
requires senders to have SPF and/or DKIM enabled to send mail to Gmail” instead 
of saying it failed checks. Less misleading that way, and I’m not saying to my 
customer “I don’t know why it says that, you don’t seem to have SPF setup…”

I mean, yay for more correct SPF, but boo for bad error messages.

> On Aug 27, 2022, at 5:28 PM, Jarland Donnell via mailop wrote:
> 
> Google has recently started requiring SPF. I don't know if they require it 100% 
> of the time but they do now reject emails from domains that either don't have 
> it, or have it improperly configured, and they won't accept it from those 
> domains until it's fixed. It has helped me a good bit, making it easier to 
> identify my customers that are violating my policy and sending without valid 
> SPF.
> 
> At least, by this point, we should be able to say that everyone has had an 
> opportunity to at least adopt SPF. Anyone who doesn't, by now, generally 
> doesn't care about their delivery quality.
> 
> On 2022-08-27 17:09, Darrell Budic via mailop wrote:
>> Anyone else seeing this? Customer of mine just got some bounces from
>> gmail for invalid SPF/DKIM. He doesn’t have either, so I’m not
>> sure what this is about?
>> Mind you, I did send him to setup a valid SPF entry, and
>> authentication is good, but this seems like a misleading error
>> message...
>>> The mail system
>>> <@gmail.com>: host gmail-smtp-in.l.google.com
>>> [1][142.251.4.27] said:
>>> 550-5.7.26 This message does not pass authentication checks (SPF
>>> and DKIM
>>> both 550-5.7.26 do not pass). SPF check for [musichael.com [2]]
>>> does not pass
>>> with ip: 550-5.7.26 [204.130.133.20].To best protect our users
>>> from spam,
>>> the message 550-5.7.26 has been blocked. Please visit 550-5.7.26
>>> https://support.google.com/mail/answer/81126#authentication for
>>> more 550
>>> 5.7.26 information.
>>> b185-20020a2567c200b006953ea7fad6si1842767ybc.571 -
>>> gsmtp (in reply to end of DATA command)
>>> Reporting-MTA: dns; smtp.ohgnetworks.com [3]
>>> X-Postfix-Queue-ID: 358D21F4D4
>>> X-Postfix-Sender: rfc822; mich...@musichael.com
>>> Arrival-Date: Sat, 27 Aug 2022 13:10:52 + (UTC)
>> Links:
>> --
>> [1] http://gmail-smtp-in.l.google.com
>> [2] http://musichael.com
>> [3] http://smtp.ohgnetworks.com


Re: [mailop] gmail rejecting for invalid SPF/DKIM when there isn't any?

2022-08-27 Thread Darrell Budic via mailop
It was just added about the time I was sending that email, so it wasn’t there 
when my customer got the bounces. I imagine you are seeing caching and it 
should be solid soon.

> On Aug 27, 2022, at 6:04 PM, Ángel via mailop wrote:
> 
> On 2022-08-27 at 17:09 -0500, Darrell Budic wrote:
>> Anyone else seeing this? Customer of mine just got some bounces from
>> gmail for invalid SPF/DKIM. He doesn’t have either, so I’m not sure
>> what this is about?
>> 
>> Mind you, I did send him to setup a valid SPF entry, and
>> authentication is good, but this seems like a misleading error
>> message...
> 
> When querying the SPF record, I only get it about 50% of times:
> 
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 637
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1460
> ;; QUESTION SECTION:
> ;musichael.com.   IN  TXT
> 
> ;; ANSWER SECTION:
> musichael.com.3600IN  TXT "v=spf1 
> ip4:204.130.133.0/26 -all"
> 
> vs
> 
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3637
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;musichael.com.   IN  TXT
> 
> ;; AUTHORITY SECTION:
> musichael.com.600 IN  SOA 
> ns1.yourhostingaccount.com. admin.yourhostingaccount.com. 2012080973 10800 
> 3600 604800 3600
> 
> 
> I'm not sure what's going on, since I get the record both from
> ns1.mydomain.com and ns2.mydomain.com when pointing directly to them, it 
> could be some dns caching somewhere.
> 
> But there are definitely some shenanigans going on with your SPF
> record, it's not Google.
> 
> 
> 
> Regards
> 
> 


Re: [mailop] facebook, help?

2022-08-27 Thread Dave Lugo via mailop

On Sun, 28 Aug 2022, Chris Woods wrote:

> Chances are the SMS was the first thing changed to prevent you regaining access 
> that way. There is a specific process Facebook now offers to regain account 
> access, try it:
>
> https://www.facebook.com/hacked
>
> https://www.facebook.com/help/203305893040179

We've been there, a few times.

We came across something that claimed the "your email account has changed" 
notification has a link to reverse the account change.   IT LIES!  There 
is no such link.  Else she would have clicked it, reversed the change, and
we'd not be here now...

> When you eventually regain access, enable TOTP 2FA (I recommend Authy 
> with the cloud backup feature enabled), instructions at
> https://www.facebook.com/help/358336074294704 .

She claims she has 2fa setup on the account.  Yet the attacker was able to 
change the email address with no confirmation by SMS??

> Also ensure their passwords are all unique, this sounds like a password 
> reuse hack. Also, does their cell number still make and receive calls 
> and texts, and have you checked with

can still do sms/calls - just nothing from FB.  And we know her real phone 
# is still associated with the account - when she tries to login with the
phone #, she's offered the SMS option which never actually arrives...

> the carrier that there's no additional lines on the plan? Occasionally 
> it has been known for hackers to engineer a SIM swap or second line on 
> an account.

There are additional lines on the plan, her kids and mom.

She's in tears.  She has ~15 years of kid pics, memories, all lost...

Really FB?  There's no way for her to call someone to get this fixed?

There HAS to be a way to get this fixed.  Holding her drivers license up 
to a webcam, sending a notarized statement, _something_


--

Dave Lugo   dl...@etherboy.com    LC Unit #260   TINLC
Have you hugged your firewall today?   No spam, thanks.

Are you the police?  . . . .  No ma'am, we're sysadmins.


Re: [mailop] facebook, help?

2022-08-27 Thread Chris Woods via mailop
On Sun, 28 Aug 2022, 00:25 Dave Lugo via mailop wrote:

> My fiance's FB account was hijacked by a bad actor today.   The bad actor
> changed the email address on the account, and despite multiple attempts to
> recover the account using SMS, the SMS texts don't arrive (dunno if
> her carrier verizon is having SMS issues or not)
>
> Can anyone from FB please, please help?   She did get the "your email
> address has changed" notice from facebook, so we know the bad actor's
> email address, but I don't think that's very helpful at the moment, at
> least with the resolution paths we have, which aren't really resolving
> things...
>
> I can be reached via email here, or text at 484-682-5201.
>
> Thanks,
>
> Dave
>


Chances are the SMS was the first thing changed to prevent you regaining
access that way. There is a specific process Facebook now offers to regain
account access, try it:

https://www.facebook.com/hacked

https://www.facebook.com/help/203305893040179

When you eventually regain access, enable TOTP 2FA (I recommend Authy with
the cloud backup feature enabled), instructions at
https://www.facebook.com/help/358336074294704 .

Also ensure their passwords are all unique, this sounds like a password
reuse hack. Also, does their cell number still make and receive calls and
texts, and have you checked with the carrier that there's no additional
lines on the plan? Occasionally it has been known for hackers to engineer a
SIM swap or second line on an account.

Best of luck...



[mailop] facebook, help?

2022-08-27 Thread Dave Lugo via mailop

My fiance's FB account was hijacked by a bad actor today.   The bad actor
changed the email address on the account, and despite multiple attempts to
recover the account using SMS, the SMS texts don't arrive (dunno if 
her carrier verizon is having SMS issues or not)


Can anyone from FB please, please help?   She did get the "your email 
address has changed" notice from facebook, so we know the bad actor's
email address, but I don't think that's very helpful at the moment, at
least with the resolution paths we have, which aren't really resolving
things...

I can be reached via email here, or text at 484-682-5201.

Thanks,

Dave

--

Dave Lugo   dl...@etherboy.com    LC Unit #260   TINLC
Have you hugged your firewall today?   No spam, thanks.

Are you the police?  . . . .  No ma'am, we're sysadmins.


Re: [mailop] gmail rejecting for invalid SPF/DKIM when there isn't any?

2022-08-27 Thread Ángel via mailop
On 2022-08-27 at 17:09 -0500, Darrell Budic wrote:
> Anyone else seeing this? Customer of mine just got some bounces from
> gmail for invalid SPF/DKIM. He doesn’t have either, so I’m not sure
> what this is about?
> 
> Mind you, I did send him to setup a valid SPF entry, and
> authentication is good, but this seems like a misleading error
> message...

When querying the SPF record, I only get it about 50% of times:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 637
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1460
;; QUESTION SECTION:
;musichael.com. IN  TXT

;; ANSWER SECTION:
musichael.com.  3600IN  TXT "v=spf1 ip4:204.130.133.0/26 
-all"

vs

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3637
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;musichael.com. IN  TXT

;; AUTHORITY SECTION:
musichael.com.  600 IN  SOA ns1.yourhostingaccount.com. 
admin.yourhostingaccount.com. 2012080973 10800 3600 604800 3600


I'm not sure what's going on, since I get the record both from
ns1.mydomain.com and ns2.mydomain.com when pointing directly to them, it could 
be some dns caching somewhere.

But there are definitely some shenanigans going on with your SPF
record, it's not Google.



Regards
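
Added example, not part of the original post: the two dig answers quoted above (trimmed, wrapped TXT line rejoined) run through a small SPF check for the bounced IP 204.130.133.20, showing which SPF result each answer leads to. It evaluates only `ip4`, `ip6` and `all`; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed from the two dig answers quoted in the message above
# (OPT pseudosection omitted, wrapped record line rejoined).
ANSWER_WITH_RECORD = '''\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 637
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;musichael.com.   IN  TXT
;; ANSWER SECTION:
musichael.com.  3600  IN  TXT "v=spf1 ip4:204.130.133.0/26 -all"
'''
ANSWER_NODATA = '''\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3637
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;musichael.com.   IN  TXT
;; AUTHORITY SECTION:
musichael.com.  600  IN  SOA ns1.yourhostingaccount.com. admin.yourhostingaccount.com. 2012080973 10800 3600 604800 3600
'''

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_dig(text):
    """Return (rcode, [TXT strings in the ANSWER section]) from dig output."""
    m = re.search(r"status: (\w+)", text)
    status = m.group(1) if m else "UNKNOWN"
    txts, section = [], None
    for line in text.splitlines():
        if line.startswith(";;"):
            s = re.match(r";; (\w+) SECTION:", line)
            section = s.group(1) if s else section
            continue
        if section == "ANSWER" and re.search(r"\sIN\s+TXT\s", line):
            # One TXT RR may carry several quoted strings; SPF joins them.
            txts.append("".join(re.findall(r'"((?:[^"\\]|\\.)*)"', line)))
    return status, txts


def spf_result(status, txts, client_ip):
    """SPF result a receiver reaches from this single DNS answer."""
    if status not in ("NOERROR", "NXDOMAIN"):
        return "temperror"              # e.g. SERVFAIL or a timeout
    records = [t for t in txts if t.lower().split(" ")[0] == "v=spf1"]
    if not records:
        return "none"                   # NODATA/NXDOMAIN: no policy visible
    if len(records) > 1:
        return "permerror"              # more than one SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise NotImplementedError("mechanism needs DNS: " + name)
        try:
            net = ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return "permerror"
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched, no "all"


def result_for(dig_text, client_ip="204.130.133.20"):
    status, txts = parse_dig(dig_text)
    return spf_result(status, txts, client_ip)
```

With the record visible the bounced IP is inside the /26 and the result is `pass`; with the NODATA answer the same mail evaluates to `none`.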




Re: [mailop] gmail rejecting for invalid SPF/DKIM when there isn't any?

2022-08-27 Thread Jarland Donnell via mailop
Google has recently started requiring SPF. I don't know if they require it 
100% of the time but they do now reject emails from domains that either 
don't have it, or have it improperly configured, and they won't accept 
it from those domains until it's fixed. It has helped me a good bit, 
making it easier to identify my customers that are violating my policy 
and sending without valid SPF.


At least, by this point, we should be able to say that everyone has had 
an opportunity to at least adopt SPF. Anyone who doesn't, by now, 
generally doesn't care about their delivery quality.


On 2022-08-27 17:09, Darrell Budic via mailop wrote:

> Anyone else seeing this? Customer of mine just got some bounces from
> gmail for invalid SPF/DKIM. He doesn’t have either, so I’m not
> sure what this is about?
>
> Mind you, I did send him to setup a valid SPF entry, and
> authentication is good, but this seems like a misleading error
> message...
>
>> The mail system
>>
>> <@gmail.com>: host gmail-smtp-in.l.google.com
>> [1][142.251.4.27] said:
>> 550-5.7.26 This message does not pass authentication checks (SPF
>> and DKIM
>> both 550-5.7.26 do not pass). SPF check for [musichael.com [2]]
>> does not pass
>> with ip: 550-5.7.26 [204.130.133.20].To best protect our users
>> from spam,
>> the message 550-5.7.26 has been blocked. Please visit 550-5.7.26
>> https://support.google.com/mail/answer/81126#authentication for
>> more 550
>> 5.7.26 information.
>> b185-20020a2567c200b006953ea7fad6si1842767ybc.571 -
>> gsmtp (in reply to end of DATA command)
>> Reporting-MTA: dns; smtp.ohgnetworks.com [3]
>> X-Postfix-Queue-ID: 358D21F4D4
>> X-Postfix-Sender: rfc822; mich...@musichael.com
>> Arrival-Date: Sat, 27 Aug 2022 13:10:52 + (UTC)
>
> Links:
> --
> [1] http://gmail-smtp-in.l.google.com
> [2] http://musichael.com
> [3] http://smtp.ohgnetworks.com


[mailop] gmail rejecting for invalid SPF/DKIM when there isn't any?

2022-08-27 Thread Darrell Budic via mailop
Anyone else seeing this? Customer of mine just got some bounces from gmail for 
invalid SPF/DKIM. He doesn’t have either, so I’m not sure what this is about?

Mind you, I did send him to setup a valid SPF entry, and authentication is 
good, but this seems like a misleading error message...

> 
>   The mail system
> 
> <@gmail.com >: host 
> gmail-smtp-in.l.google.com [142.251.4.27] 
> said:
>550-5.7.26 This message does not pass authentication checks (SPF and DKIM
>both 550-5.7.26 do not pass). SPF check for [musichael.com 
> ] does not pass
>with ip: 550-5.7.26 [204.130.133.20].To best protect our users from spam,
>the message 550-5.7.26 has been blocked. Please visit 550-5.7.26
>https://support.google.com/mail/answer/81126#authentication 
>  for more 550
>5.7.26 information. b185-20020a2567c200b006953ea7fad6si1842767ybc.571 -
>gsmtp (in reply to end of DATA command)
> Reporting-MTA: dns; smtp.ohgnetworks.com 
> X-Postfix-Queue-ID: 358D21F4D4
> X-Postfix-Sender: rfc822; mich...@musichael.com 
> Arrival-Date: Sat, 27 Aug 2022 13:10:52 + (UTC)


Re: [mailop] Research project on SPF validation: Is your server violating RFC standards for SPF resolution?

2022-08-27 Thread Tobias Fiebig via mailop
Hello John,
> If it's opt-in, please identify all of the IPs that send mail or DNS or web 
> queries so those of us who have not opted in can block them.
I just started going through the setup built at VT and found several points 
where there will have to be some serious re-design of several components. As 
soon as that is done, we will:

a) Post a list of all components on the website, indicating what exactly can be 
blocked to make sure to not receive any unwanted packets from us.
b) Provide that list of addresses and domains to mailop@ before setting the 
service available again.
c) Provide an additional form to submit address ranges for exclusion from the 
study on the website.
d) Implement the opt-in mechanism outlined in my previous reply to Bill.

If you see anything else we could do to make this safer, please let me know.

With best regards,
Tobias 



Re: [mailop] Research project on SPF validation: Is your server violating RFC standards for SPF resolution?

2022-08-27 Thread Tobias Fiebig via mailop
Hello Bill,
> I refuse to participate in your research, as all evidence I have is that VT 
> is grossly unethical and allows incompetents to run research projects.
I hear your frustration with this, and will not defend the measurements that 
took place in February. As outlined below, we will work on limiting our 
measurements to people that clearly opted in, and would appreciate feedback on 
that.

> So, are you REALLY opt-in? How do you authenticate that? Trusting what a 
> stranger types on a web page?
> 
> That would be yet another abusive and incompetent study design.
Only trusting the address entered would be single-opt-in, and--as you 
note--insufficient.

Instead, my current plan would be the following:
- Enter email on website; 
- Receive a results URL with a random identifier
- On that page, be requested to send an email from the entered email to 
'opt-in@...'; Should be a) SPF compliant and b) Validly DKIM signed.
- If an authenticated mail is received, we send a measurement email in reply 
and start to display the results
- If an insufficiently authenticated mail is received we only display 'An 
opt-in message was received but failed SPF/DKIM/both authentication.' on the 
page without sending an email. 

The main issue I see with that design atm is that it allows any user behind an 
MTA to opt-in the whole setup; What might make more sense is restricting this 
to selected from addresses (postmaster@?). I would appreciate opinions on this.

With best regards,
Tobias
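
Added example, not the project's code: one way to implement the check on the incoming opt-in mail described above, including the proposed restriction to selected local parts. The authserv-id, the `opt-in@measure.example` address, the requirement that the SPF and DKIM domains equal the From domain, and all function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OUR_AUTHSERV_ID = "mx.measure.example"   # hypothetical id stamped by our own MTA


def auth_results(msg):
    """Collect spf/dkim results from Authentication-Results headers we added."""
    found = {"spf": [], "dkim": []}
    for raw in msg.get_all("Authentication-Results", []):
        raw = re.sub(r"\([^)]*\)", "", raw)               # drop comments
        authserv, _, rest = raw.partition(";")
        if (authserv.split() or [""])[0].lower() != OUR_AUTHSERV_ID:
            continue          # header not written by us: the sender could forge it
        for resinfo in rest.split(";"):
            m = re.match(r"\s*(\w+)\s*=\s*(\w+)", resinfo)
            if not m or m.group(1).lower() not in found:
                continue
            props = {k.lower(): v.lower() for k, v in
                     re.findall(r"(\w+\.\w+)\s*=\s*(\S+)", resinfo)}
            found[m.group(1).lower()].append((m.group(2).lower(), props))
    return found


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def opt_in_decision(raw_message, registered, allowed_localparts=None):
    """Return 'send_measurement', 'auth_failed:<SPF|DKIM|both>' or 'ignore'."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender != registered.lower():
        return "ignore"                  # not the address entered on the website
    if allowed_localparts and sender.partition("@")[0] not in allowed_localparts:
        return "ignore"                  # e.g. only postmaster@ may opt a domain in
    dom = domain_of(sender)
    res = auth_results(msg)
    spf_ok = any(r == "pass" and domain_of(p.get("smtp.mailfrom", "")) == dom
                 for r, p in res["spf"])
    dkim_ok = any(r == "pass" and p.get("header.d") == dom
                  for r, p in res["dkim"])
    if spf_ok and dkim_ok:
        return "send_measurement"
    if not spf_ok and not dkim_ok:
        return "auth_failed:both"
    return "auth_failed:SPF" if not spf_ok else "auth_failed:DKIM"


def sample(from_addr, *authres):
    """Build a constructed opt-in message carrying the given headers."""
    lines = ["Authentication-Results: " + a for a in authres]
    lines += ["From: " + from_addr, "To: opt-in@measure.example",
              "Subject: opt-in", "", "opt-in"]
    return "\n".join(lines)
```

Only results stamped with the receiver's own authserv-id count, so a header supplied by the sender cannot satisfy the check.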



Re: [mailop] Research project on SPF validation: Is your server violating RFC standards for SPF resolution?

2022-08-27 Thread John Levine via mailop
It appears that Tobias Fiebig via mailop said:
>Heho,
>Thank you all for your feedback, and especially to Simon for pointing out the 
>issue in February. This should, of
>course, not happen, and is part of the reason why we are moving this to strict 
>opt-in measurements. 

If it's opt-in, please identify all of the IPs that send mail or DNS
or web queries so those of us who have not opted in can block them.

R's,
John


Re: [mailop] Research project on SPF validation: Is your server violating RFC standards for SPF resolution?

2022-08-27 Thread Bill Cole via mailop

On 2022-08-27 at 14:07:50 UTC-0400 (Sat, 27 Aug 2022 20:07:50 +0200)
Tobias Fiebig via mailop
is rumored to have said:

> Heho,
> Thank you all for your feedback, and especially to Simon for pointing 
> out the issue in February. This should, of course, not happen, and is 
> part of the reason why we are moving this to strict opt-in 
> measurements.

I refuse to participate in your research, as all evidence I have is that 
VT is grossly unethical and allows incompetents to run research 
projects.

So, are you REALLY opt-in? How do you authenticate that? Trusting what 
a stranger types on a web page?

That would be yet another abusive and incompetent study design.

> I discussed your points with the project lead (Taejoong “tijay” 
> Chung), who asked me to share his message below with 
> the list.
>
> With best regards,
> Tobias
>
> Dear Simon Arlott and community members,
>
> This is Tijay Chung (Virginia Tech), who is the principal investigator 
> in this project.

You should have been removed from all research 6 months ago, as you have 
shown a propensity for abusive study design. Your involvement makes your 
students less trustworthy.

Your apology and absurd excuses are not accepted.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: [mailop] Research project on SPF validation: Is your server violating RFC standards for SPF resolution?

2022-08-27 Thread Tobias Fiebig via mailop
Heho,
Thank you all for your feedback, and especially to Simon for pointing out the 
issue in February. This should, of course, not happen, and is part of the 
reason why we are moving this to strict opt-in measurements. I discussed your 
points with the project lead (Taejoong “tijay” Chung), who asked 
me to share his message below with the list.

With best regards,
Tobias

Dear Simon Arlott and community members, 

This is Tijay Chung (Virginia Tech), who is the principal investigator in this 
project. Since my list registration request has not been processed yet, I've 
asked my colleague, Tobias–who joined the team for this project as a 
collaborator in June-to share this post.

First of all, I would like to thank you all for your feedback. We certainly did 
not apply proper care in executing this project, and will make sure that our 
future actions are not as intrusive as our past measurements. Furthermore, we 
do agree that the RFC should be amended; After all, part of our research 
question is finding out what a reasonable limit and recommendation would be.

Also, I want to sincerely apologize for the incident that happened in February. 
Back then, we sent out emails for randomly chosen domains with the description 
of who we are and why we are doing this, and the link for the webpage for 
further details (the email that Simon attached; And we–by now–understood that 
this is not the right way of measuring such an issue.). In the excitement of 
kicking off this project, we missed a flaw in our implementation. We had planned 
to limit the number of maximum SPF queries to around 300, but our 
implementation of the algorithm that generates SPF recursion trees kept 
creating more nodes.

Thankfully, some email administrators reported this flaw. As soon as we 
received the reports, we immediately shut it down and applied a patch ensuring 
we only serve 300 SPF records per mail at most. We now understand that we 
should have applied more care in setting up our measurement infrastructure, and 
should have followed a voluntary participation approach properly informing 
participants about the risks of the experiments as we now try to do with the 
self-measurement website. Furthermore, we also shifted towards a structured 
analysis of various SMTP server and SPF plugin/SPAM filter combinations to get 
a less intrusive picture of the problem space. Similarly, we are using passive 
DNS data to get a better picture of the practical needs in terms of the number 
of DNS lookups needed for SPF used in production. Of course we will share these 
results with the community as soon as we have compiled a report.

Regarding the website, we have received valuable feedback such as adding a 
functionality for participants to keep track of their SPF requests history, and 
providing a form of double-opt-in to ensure people actually control the email 
addresses requesting a test-mail. We are shutting the website down for a moment 
to implement them.

I would like to apologize again for what happened and thank you so much for the 
valuable feedback.

Sincerely, 
Taejoong “Tijay” Chung.



Re: [mailop] Research project on SPF validation: Is your server violating RFC standards for SPF resolution?

2022-08-27 Thread Simon Arlott via mailop
On 25/08/2022 11:39, Tobias Fiebig via mailop wrote:
> An attacker may use an infinite number of SPF referrals in their SPF setting 
> and can send an email to a vulnerable mail server which would make the SMTP 
> server make a whole lot of DNS queries. By exploiting this vulnerability, an 
> attacker can block the SMTP queue of the server, flood the associated 
> recursive resolver, or any DNS authoritative server.

That requires a broken implementation for SPF lookups that has no limit.

You are yet another unethical research project that has been actively
attacking people running such broken implementations:

https://forum.iredmail.org/topic18756-iredapd-is-killed-by-spam-i-have-to-restart-every-few-hours.html


Increasing the limit only increases the number of potential DNS queries
from a single email, assuming no minimum cache time on the resolver. The
RFC needs to be updated to match the reality that a lot of email
services for the same domain are outsourced to multiple entities and so
there will be a lot of "include:" DNS queries.


I blocked your domain "net-measurement.org" back in February when you
sent an unsolicited message to one of my servers:

 Forwarded Message 
Subject: Measuring and understanding the behavior of SPF record lookup
Date: Tue, 15 Feb 2022 17:49:20 +0600 (+06)
From: Ubuntu
To: admin@[redacted], abuse@[redacted], postmaster@[redacted]

Hi,
We are a security team at Virginia Tech and we are currently measuring how SPF 
records are being looked up on your end. This is a one-time email and you will 
not receive any further emails from our end. If you do receive more than one 
email from us, please copy and paste the following link on your browser and 
contact us at the given email addresses. We do apologize for this matter and 
thank you for your understanding.

https://vtnetsec.notion.site/Measuring-and-understanding-the-behavior-of-SPF-records-look-up-in-SMTP-servers-4b95e74c017048e781a575eab03b405c
 

Please do not reply to this email, it is not monitored. If you'd like to 
contact us, please visit the given link above.

-- 
Simon Arlott
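
Added example, not code from this thread or from any SPF library: a worst-case walk (no mechanism matches) of an SPF policy that enforces the RFC 7208 section 4.6.4 limit of 10 DNS-querying terms and stops with permerror, next to the same walk with the limit disabled. The zones are constructed: a 300-deep include chain, mirroring the figure mentioned earlier in the thread, and one domain outsourcing to four providers; all names are hypothetical.

```python
import re

MAX_DNS_TERMS = 10    # RFC 7208 section 4.6.4
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"([A-Za-z][A-Za-z0-9_.-]*)(?:[:=](\S+))?")
PROVIDERS = ("mail", "crm", "news", "desk")   # constructed provider names


class SPFPermError(Exception):
    """Evaluation stops here; the SPF result is permerror."""


def _charge(state, limit):
    # Refuse the query *before* it is made once the budget is spent.
    if limit is not None and state["lookups"] >= limit:
        raise SPFPermError("DNS-querying term limit reached")
    state["lookups"] += 1


def _walk(domain, zone, limit, state):
    record = zone.get(domain)
    if record is None:
        raise SPFPermError("no SPF record at %s" % domain)
    redirect = None
    for raw in record.split()[1:]:
        m = TERM.match(raw.lstrip("+-~?"))
        if not m:
            raise SPFPermError("unparseable term %r" % raw)
        name, arg = m.group(1).lower(), m.group(2)
        if name == "all":
            return                    # "all" always matches; redirect= is ignored
        if name in ("include", "redirect") and not arg:
            raise SPFPermError("%s without a domain" % name)
        if name == "redirect":
            redirect = arg            # followed only if nothing else matched
        elif name in LOOKUP_TERMS:
            _charge(state, limit)
            if name == "include":
                _walk(arg, zone, limit, state)
    if redirect:
        _charge(state, limit)
        _walk(redirect, zone, limit, state)


def lookup_outcome(domain, zone, limit=MAX_DNS_TERMS):
    """Return (result, DNS-querying terms evaluated); limit=None disables the cap."""
    state = {"lookups": 0}
    try:
        _walk(domain, zone, limit, state)
    except SPFPermError:
        return "permerror", state["lookups"]
    return "ok", state["lookups"]


def include_chain(depth):
    """Constructed zone: n0 includes n1 includes ... n<depth>."""
    zone = {"n%d.example" % i: "v=spf1 include:n%d.example -all" % (i + 1)
            for i in range(depth)}
    zone["n%d.example" % depth] = "v=spf1 -all"
    return zone


def outsourced_zone():
    """Constructed zone: one domain including four providers, two includes each."""
    includes = " ".join("include:%s.example" % p for p in PROVIDERS)
    zone = {"corp.example": "v=spf1 mx %s ~all" % includes}
    for p in PROVIDERS:
        zone["%s.example" % p] = (
            "v=spf1 include:a.%s.example include:b.%s.example -all" % (p, p))
        for leaf in "ab":
            zone["%s.%s.example" % (leaf, p)] = "v=spf1 ip4:192.0.2.0/24 -all"
    return zone
```

The outsourced zone needs 13 DNS-querying terms in the worst case, so a compliant evaluator returns permerror for it after 10, which is the situation the message above describes for domains with many `include:` terms.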