SPF (Sender Policy Framework)

Transcription

1 SPF (Sender Policy Framework) Harpreet Singh Riat 1

2 Agenda What s SPF? Why is it needed? How does it work? Who uses it? 2

3 Security flaws in SMTP Flaw: SMTP allows any computer to send an claiming to be from anyone Anybody thought about this? MAIL Result of that: Sender Address Forgery Password Phishing Spams and frauds Computer Viruses 3

4 What s SPF? SPF Sender Policy Framework for authorizing use of domains in (originally called Sender Permitted From) Open standard (anyone can use, free of cost) Mechanism to protect the envelope sender address used for the delivery of messages Not an Anti-Spam, but an Anti-Forgery mechanism 4

5 How does it work? (Top View) (Genuine Case) 5

6 How does it work? (Top View) (Forged Case) 6

7 Working (details) Mail Server... asks for SPF record of sender s domain via DNS query during the SMTP dialog. receives and interpret the reply of DNS. checks the header received from the sender against the SPF records for the given domain. Return Path (MAIL FROM identity) mandatory Sender Domain (HELO identity) recommended takes an action depending upon how guided by the software. 7

8 Working (details) DNS... receives request from a mail server. checks for the TXT Records (A Record and/or MX Record) of the requested domain name which were provided by the owner of the domain name. depending upon the record found and the IP address of the sender, it gives one of the following replies: PASS the host is authorised by the domain to send its . FAIL the host is authorised by the domain to send its . SOFTFAIL the domain believes the host isn't authorized but isn't willing to make that strong of a statement. NEUTRAL the domain owner states that they cannot or do not want to assert whether the IP is authorised or not. NONE no SPF record or no checkable sender s domain found. TEMPERROR a transient error occurred while verifying the SPF record. PERMERROR the SPF record could not be correctly interpreted. 8

9 Implementation Publishing a policy Simple TXT Record Typical DNS Syntax v=spf1 *([qualifier][mechanism]) Qualifiers + Pass - Fail? Neutral ~ Softfail Mechanism ALL A IP4 IP6 MX PTR EXISTS INCLUDE Match always Match if sender IP address is matching with the given A record Match if matching with specified IPv4 address Match if matching with specified IPv6 address Match if matching with given MX record Match if both forward and backward DNS records match Match if the specified domain exists Include some other policy 9

10 Implementation Example bath.ac.uk text "v=spf1 a:webmail.bath.ac.uk ip4: ip4: mx:mail.bath.ac.uk a:proxy.bath.ac.uk -all This policy will: PASS mails from webmail.bath.ac.uk mail.bath.ac.uk proxy.bath.ac.uk FAIL for all the sender other than the above givens. 10

11 Header at receiver's end From Fri Oct 3 02:47: Return-Path: <root@wcn.co.uk> Authentication-Results: mta315.mail.mud.yahoo.com from=wcn.co.uk; domainkeys=neutral (no sig) Received: from (HELO web.wcn.co.uk) ( ) by mta315.mail.mud.yahoo.com with SMTP; Fri, 03 Oct :47: Received: by web.wcn.co.uk (Postfix, from userid 0) id EAF1F8F5C4; Fri, 3 Oct :47: (BST) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="_ =_ " Date: Fri, 3 Oct :47: From: marksandspencersupport@wcn.co.uk To: hsriat@yahoo.com Subject: Marks & Spencer Stores e-recruitment Message-Id: < EAF1F8F5C4@web.wcn.co.uk> Content-Transfer-Encoding: 7bit Content-Length:

12 Summary SPF? Facilitates mail servers to determine whether a connecting host is authorised to speak on behalf of a given domain. Requires implementation on both sending and receiving sides to be fully usable, but nothing is broken if either is missing. Uses DNS, working transparently over SMTP Who uses it? Most of the Anti-spam software support SPF Many MTAs use SPF to prevent sender identity forgery Most of the free providers and ISPs use SPF 12

13 Resources SPF official website: Wikipedia: en.wikipedia.org/wiki/sender_policy_framework RFC4408: tools.ietf.org/html/rfc

14 Thank You 14