The open relay "problem" is not a problem
s***@anarres.org
2004-02-23 10:45:15 UTC
It is possible for any host on the internet to send an SRS1 mail to an SRS
compliant host. That SRS compliant host will rewrite it unconditionally to
an SRS0 address and forward it to what is assumed to be another SRS
compliant host. I would argue the thesis that this is not a significant
vulnerability.

1) This does not create an "open relay".

An open relay is a host which will send mail on request to a specified
destination address. The SRS1 mechanism will only send mail to addresses
starting with "SRS0". These claims of "open channel into the mailer" are
amusing, but technically impossible and socially infeasible.

2) The generated SRS0 address will be invalid.

The final destination host is either SRS compliant, in which case the hash
will be invalid, or it is not, in which case it is highly unlikely that an
address 'srs0' will exist. If the final host has a catchall, then it is
expecting junkmail anyway.

3) This work is of no value to the spammer, and will therefore never be
done.

The spammer gains no information from performing this attack. It wastes
his bandwidth and resources, and there isn't even the slimmest chance of a
return.

4) This is of little use to DoS k1dd13s.

This is just like sending ping packets with a faked source address. These
cannot be detected either. There is no packet or mail multiplier here.
This takes as much of the k1dd13's bandwidth as of the victim's. And
anyway, the k1dd13s have bigger and better toys and easier ways to
"remove" hosts from the internet.

I feel like I'm playing a circular game of 20 questions.

"Is it square?"
"No, it isn't square."
"Then it must be round!"
"No, it isn't round."
"Then it's square."
"No, it still isn't square."

This mail is an attempt to explain that it isn't square or round. No doubt
I've missed triangular somewhere above, but I am doing my best. I will
include this explanation in my SRS paper when I get time to rewrite it.

I hereby leave certain parties to their shouting match. Again, I recommend
the publication of a web page containing a clear and concise explanation
of what is possible (a little), why it would be done (it wouldn't), and
who would do it (anyone who wins by doing it, i.e. no-one).

S.
--
Shevek http://www.anarres.org/
I am the Borg. http://www.gothnicity.org/

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=srs-***@v2.listbox.com
wayne
2004-02-23 20:19:02 UTC
Post by s***@anarres.org
compliant host. I would argue the thesis that this is not a significant
vulnerability.
I disagree.
Post by s***@anarres.org
1) This does not create an "open relay".
An open relay is a host which will send mail on request to a specified
destination address. The SRS1 mechanism will only send mail to addresses
starting with "SRS0". These claims of "open channel into the mailer" are
amusing, but technically impossible and socially infeasible.
With catch-all accounts, it makes no difference that all of these
emails get sent to addresses starting with "SRS0". While I think that
having catch-all accounts is A Bad Idea, there are a lot of them out
there and I don't think they are going to go away any time soon.

So, while SRS doesn't create a completely open relay, it is open
enough to cause problems. If foo.com is using SRS, they can be abused
to the point that Foo.com's ISP can likely shut them down for
violating their ISP's TOS/AUP.

This is a serious problem.
Post by s***@anarres.org
2) The generated SRS0 address will be invalid.
[...] If the final host has a catchall, then it is
expecting junkmail anyway.
No, catch-all accounts do not expect junkmail any more than any other
email account does. You cannot decide this issue. It is the domain
owner's decision to have a catchall account and if MTAs that use SRS
relay spam to it, then the SRS using MTAs must be shut down.
Post by s***@anarres.org
3) This work is of no value to the spammer, and will therefore never be
done.
The spammer gains no information from performing this attack. It wastes
his bandwidth and resources, and there isn't even the slimmest chance of a
return.
The spammer gains a "clean" IP address. This is *very* important to
spammers. You bet spammers will try to abuse SRS to relay spam.
Post by s***@anarres.org
I hereby leave certain parties to their shouting match. Again, I recommend
the publication of a web page containing a clear and concise explanation
of what is possible (a little), why it would be done (it wouldn't), and
who would do it (anyone who wins by doing it, i.e. no-one).
I'm afraid that SRS, as you have proposed it, is broken. I could not
recommend anyone using it as is. Sorry. A security problem has been
pointed out, and you are ignoring it.

-wayne

David Woodhouse
2004-02-25 16:12:46 UTC
Post by s***@anarres.org
It is possible for any host on the internet to send an SRS1 mail to an SRS
compliant host. That SRS compliant host will rewrite it unconditionally to
an SRS0 address and forward it to what is assumed to be another SRS
compliant host. I would argue the thesis that this is not a significant
vulnerability.
1) This does not create an "open relay".
My ISP disagrees, and tells me they would consider this to be an open
relay; and hence in violation of their Acceptable Use Policy.

You may think otherwise, but they get the casting vote, because they are
the ones who will pull the plug on me if I implement your scheme.

Sorry.
--
dwmw2

James Couzens
2004-02-27 17:15:27 UTC
Post by David Woodhouse
My ISP disagrees, and tells me they would consider this to be an open
relay; and hence in violation of their Acceptable Use Policy.
You may think otherwise, but they get the casting vote, because they are
the ones who will pull the plug on me if I implement your scheme.
If your ISP disagrees then there are one of two possible problems.

#1 - They don't understand (DING DING DING)
#2 - They are complete asshats, find a new ISP! :-)

Perhaps send them towards the list or have them email one of the
developers directly if that's what it takes. Sounds like #1.

Cheers,

James
--
James Couzens,
Programmer
-----------------------------------------------------------------
http://libspf.org -- ANSI C Sender Policy Framework library
http://libsrs.org -- ANSI C Sender Rewriting Scheme library
-----------------------------------------------------------------
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBD3BF855

David Woodhouse
2004-02-27 17:32:54 UTC
Post by James Couzens
If your ISP disagrees then there are one of two possible problems.
#1 - They don't understand (DING DING DING)
#2 - They are complete asshats, find a new ISP! :-)
I'm not entirely sure why anybody would equip a donkey with a hat, but I
believe the answer to be:

#3. They are correct. It would be a partially open relay.
Post by James Couzens
Perhaps send them towards the list or have them email one of the
developers directly if that's what it takes. Sounds like #1.
No, they appear to understand the implications fully. I strongly suspect
other ISPs will take a similar line. Why not ask your own?
--
dwmw2

James Couzens
2004-02-27 18:28:43 UTC
Post by David Woodhouse
I'm not entirely sure why anybody would equip a donkey with a hat, but I
Be sure you can take what you are serving for dinner David.
Post by David Woodhouse
#3. They are correct. It would be a partially open relay.
Try to step out of the box with me if you will, and I encourage your ISP
to follow suit. As was clearly illustrated, it's NOT a concern. Why
would someone waste time and money to spam SRS1 addresses with the
knowledge that they will be unconditionally rewritten as SRS0 and then
forwarded to their destination, only to be ___REJECTED___ (DING DING
DING KEY POINT HERE)?

Pretend you are a spammer, why would you intentionally waste your time
sending your emails effectively to /dev/null ?
Post by David Woodhouse
No, they appear to understand the implications fully. I strongly suspect
other ISPs will take a similar line. Why not ask your own?
I don't think they are seeing the bigger picture here. I have worked
previously for an ISP, and starting Monday I start work at a
significantly sized cable ISP which, prior to my employment, grasped the
implications without complaint. Objections were raised and logically
and reasonably answered.

Your ISP either doesn't get it, is too lazy to bother to understand, is a
BOFH and is just fucking with you, or ... ?

Since you seem to grasp this topic so well, I'm surprised to learn that
you are unable to convince your ISP it's nothing to be worried about.
Have you tried showing them pictures?

Cheers,

James
--
James Couzens,
Programmer
-----------------------------------------------------------------
http://libspf.org -- ANSI C Sender Policy Framework library
http://libsrs.org -- ANSI C Sender Rewriting Scheme library
-----------------------------------------------------------------
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBD3BF855

David Woodhouse
2004-02-27 18:48:31 UTC
Post by James Couzens
Try to step out of the box with me if you will, and I encourage your ISP
to follow suit. As was clearly illustrated, it's NOT a concern. Why
would someone waste time and money to spam SRS1 addresses with the
knowledge that they will be unconditionally rewritten as SRS0 and then
forwarded to their destination, only to be ___REJECTED___ (DING DING
DING KEY POINT HERE)?
Putting words in capitals and attempting to patronise me doesn't
actually make this false statement true.

The point is that you cannot _guarantee_ that it will be rejected.

Admittedly, you may not _approve_ of the setups which will accept these
mails, but you cannot simply stick your head in the sand and pretend
that they don't exist.

They _do_ exist, and there is a non-zero probability that they will
complain -- and rightly so -- when your machine forwards spam to them.

In fact, even if the mails _are_ rejected you cannot guarantee that they
will go unpunished. If I see any one machine making numerous attempts to
deliver to invalid addresses, I _will_ complain to its upstream even if
I hadn't actually _accepted_ any mail from it. I'm not the only one.
Post by James Couzens
Pretend you are a spammer, why would you intentionally waste your time
sending your emails effectively to /dev/null ?
Pretend you are attacking the machine which is implementing SRS. You
spend a week getting it to forward arbitrary mail to bogus (or indeed
real) accounts at arbitrary domains of your choosing. Doesn't sound like
a waste of time to me.
Post by James Couzens
Since you seem to grasp this topic so well, I'm surprised to learn that
you are unable to convince your ISP it's nothing to be worried about.
Have you tried showing them pictures?
Since I grasp this topic so well, I haven't attempted to convince them
that it's nothing to worry about.
--
dwmw2

James Couzens
2004-02-27 20:26:12 UTC
Post by David Woodhouse
The point is that you cannot _guarantee_ that it will be rejected.
Fair enough.
Post by David Woodhouse
Admittedly, you may not _approve_ of the setups which will accept these
mails, but you cannot simply stick your head in the sand and pretend
that they don't exist.
They _do_ exist, and there is a non-zero probability that they will
complain -- and rightly so -- when your machine forwards spam to them.
If and when. No debating spammers will try anything, but just how
easily exploitable is this?
Post by David Woodhouse
In fact, even if the mails _are_ rejected you cannot guarantee that they
will go unpunished. If I see any one machine making numerous attempts to
deliver to invalid addresses, I _will_ complain to its upstream even if
I hadn't actually _accepted_ any mail from it. I'm not the only one.
Pretend you are attacking the machine which is implementing SRS. You
spend a week getting it to forward arbitrary mail to bogus (or indeed
real) accounts at arbitrary domains of your choosing. Doesn't sound like
a waste of time to me.
With frequently rotating secrets and a reasonable time window, just how
useful is someone spending the time to do this?
Post by David Woodhouse
Since I grasp this topic so well, I haven't attempted to convince them
that it's nothing to worry about.
I'm not stating you should tell them it's problem free, but I'll state
that I'm unsure just how big of an exploit this really is, and that's
not downplaying it or thinking "no one will bother". My honest opinion
was that given the limited range of success I perceive, I do think it's
not a gaping wide hole. I suppose, as is pointed out by Seth, that as
the road gets tighter for spammers they will try any avenue they can.

I have been able to easily convince a couple of ISPs to implement this,
knowing about this problem; however, the window of deployment to date is
too short to confirm or deny how much of a problem it may or may not
be. It does not seem reasonable on the part of your ISP to deny you.
It isn't an open relay, but it's not closed either. It's open to a
foreseeable attack, and it can't currently be stated how easily that
could be circumvented.

I don't mean or try to underestimate the lengths someone spamming would
go to, surely some of them are watching this list even; however, I feel
like your ISP is looking at it from a pretty hard-nosed angle.

Cheers,

James
--
James Couzens,
Programmer
-----------------------------------------------------------------
http://libspf.org -- ANSI C Sender Policy Framework library
http://libsrs.org -- ANSI C Sender Rewriting Scheme library
-----------------------------------------------------------------
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBD3BF855

David Woodhouse
2004-02-27 20:54:03 UTC
Post by James Couzens
Post by David Woodhouse
They _do_ exist, and there is a non-zero probability that they will
complain -- and rightly so -- when your machine forwards spam to them.
If and when. No debating spammers will try anything, but just how
easily exploitable is this?
It's less likely to be a spammer, and more likely to be an attacker who
wants to get _you_ into trouble when you forward these mails.

In addition to the social engineering attacks I've already described, it
may also be possible to get an open relay elsewhere on the net to
rewrite an SRS0+... address into a working probe address for an open
relay blacklist, getting you blacklisted as an input address for a
multi-hop relay.
Post by James Couzens
With frequently rotating secrets and a reasonable time window, just how
useful is someone spending the time to do this?
The SRS1->SRS0 forwarding loophole renders the secret and timestamp
irrelevant. It's always open.
Post by James Couzens
I don't mean or try to underestimate the lengths someone spamming would
go to, surely some of them are watching this list even; however, I feel
like your ISP is looking at it from a pretty hard-nosed angle.
And well they should.
--
dwmw2

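An added example, not Shevek's SRS code and not libsrs, that models the two rewrites the thread argues about (the unconditional SRS1 to SRS0 rewrite in the opening post, and David's point above that it makes the secret and timestamp irrelevant): SRS0 bounces are checked against the local secret and a timestamp window, while an SRS1 bounce in the debated scheme is unwrapped and forwarded with no check at all, so a forged SRS1 address reaches the named host regardless of secret or timestamp. The `hashed=True` path is an assumed mitigation of my own in which the second forwarder keys the SRS1 form with its own secret and rejects anything it did not wrap; host names, the secret, the 4-character hash and the 2-character base32 timestamp are all constructed for the example.

```python
import base64, hashlib, hmac

LOCAL_HOST = "fwd2.example"           # assumption: this forwarder's domain
SECRET = b"constructed-local-secret"  # assumption: this host's SRS secret
MAX_AGE_DAYS = 7                      # assumption: bounce window for SRS0
B32 = "abcdefghijklmnopqrstuvwxyz234567"

def _hash(*parts):
    """4-char keyed hash over address parts (HMAC-SHA1, base64, truncated)."""
    mac = hmac.new(SECRET, "=".join(parts).lower().encode(), hashlib.sha1)
    return base64.b64encode(mac.digest())[:4].decode()

def _ts(day):
    """2-char base32 timestamp: day number mod 1024."""
    return B32[(day >> 5) & 31] + B32[day & 31]

def _ts_ok(ts, today):
    day = (B32.index(ts[0]) << 5) | B32.index(ts[1])
    return (today - day) % 1024 <= MAX_AGE_DAYS

def srs0_forward(sender, today):
    """First forwarder: user@orig -> SRS0=HHHH=TT=orig=user@LOCAL_HOST."""
    user, dom = sender.split("@")
    ts = _ts(today)
    return f"SRS0={_hash(ts, dom, user)}={ts}={dom}={user}@{LOCAL_HOST}"

def srs1_forward(srs0_sender, hashed):
    """Second forwarder re-wraps an SRS0 sender that belongs to another host.
    hashed=False: nothing of ours in the address (the scheme in the thread).
    hashed=True: prefix a hash keyed with OUR secret over host + remainder."""
    rest, host = srs0_sender.split("@")
    rest = rest[4:]                   # "SRS0=HHHH=TT=dom=user" -> "=HHHH=TT=dom=user"
    own = _hash(host, rest) + "=" if hashed else ""
    return f"SRS1={own}{host}={rest}@{LOCAL_HOST}"

def reverse(bounce_rcpt, today, hashed):
    """Bounce handling: the address to forward the bounce to, or None to reject."""
    try:
        local, host = bounce_rcpt.split("@")
        if host.lower() != LOCAL_HOST:
            return None
        if local.startswith("SRS0="):
            h, ts, dom, user = local[5:].split("=", 3)
            if not hmac.compare_digest(h, _hash(ts, dom, user)) or not _ts_ok(ts, today):
                return None           # forged or expired: secret and timestamp hold
            return f"{user}@{dom}"
        if local.startswith("SRS1="):
            body = local[5:]
            if hashed:
                h, body = body.split("=", 1)
                fwd_host, rest = body.split("=", 1)
                if not hmac.compare_digest(h, _hash(fwd_host, rest)):
                    return None       # not wrapped by us: reject
            else:
                fwd_host, rest = body.split("=", 1)   # unconditional: the loophole
            return f"SRS0{rest}@{fwd_host}"
    except (ValueError, TypeError):
        pass
    return None
```

With `hashed=False`, `reverse("SRS1=victim.example==xxxx=aa=anything=spam@fwd2.example", ...)` happily returns an address at victim.example, which is the relay the thread is about; with `hashed=True` the same input is rejected.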
Daniel Roethlisberger
2004-02-27 18:55:28 UTC
Post by James Couzens
Try to step out of the box with me if you will, and I encourage your
ISP to follow suit. As was clearly illustrated, it's NOT a concern.
It was also clearly illustrated, that in some cases, it IS a concern.
You cannot just declare wildcard domains broken and pretend they don't
exist. If you do, this means to declare SRS conflicting with other
people using wildcard domains -- and I suspect a great many people will
choose to support the concept of wildcard domains in favour of SRS, and
with it, SPF.
Post by James Couzens
Pretend you are a spammer, why would you intentionally waste your time
sending your emails effectively to /dev/null ?
No, but if I'm going to harvest domains from some NIC's public database
and hope for wildcard domains, I'll be happy to use your server for
relaying.
Post by James Couzens
Since you seem to grasp this topic so well, I'm surprised to learn
that you are unable to convince your ISP it's nothing to be worried
about. Have you tried showing them pictures?
Not everybody here seems to agree that it is not a problem, so I think
you might want to reconsider whether it really is so obviously no
problem as you might currently think.

Cheers,
Dan
--
Daniel Roethlisberger <***@roe.ch>
GnuPG key ID 0x804A06B1 (DSA/ElGamal)

wayne
2004-02-27 20:31:51 UTC
Post by James Couzens
Post by David Woodhouse
I'm not entirely sure why anybody would equip a donkey with a hat, but I
Be sure you can take what you are serving for dinner David.
Post by David Woodhouse
#3. They are correct. It would be a partially open relay.
Try to step out of the box with me if you will, and I encourage your ISP
to follow suit. As was clearly illustrated, it's NOT a concern.
I disagree. I believe that using SRS1 rewriting can, indeed, create a
partially open relay. To the best of my knowledge, Meng agrees, as
does Shevek. The difference of opinions is how much of a problem this
partially open relay creates.

In my opinion, the partially open relay problem with SRS1 (but not
SRS0), is enough for me to not use SRS1. But then, I do not have to
deal with forwarding, so all of SRS is not really an issue for me.
Post by James Couzens
knowledge that they will be unconditionally rewritten as SRS0 and then
forwarded to their destination, only to be ___REJECTED___ (DING DING
DING KEY POINT HERE).
This is incorrect. There are many systems out there with catch-all
email accounts where the relayed email would be accepted. In these
cases, the email would be unsolicited, and most likely either bulk
or commercial, qualifying as spam for many ISPs. While I think that
catch-all email accounts are A Bad Idea, it is up to the sender of the
email (in this case the MTA using SRS1) to prevent UBE/UCE from being
sent, not the owner of the catch-all account to block it.
Post by James Couzens
Pretend you are a spammer, why would you intentionally waste your time
sending your emails effectively to /dev/null ?
The emails wouldn't always be sent to /dev/null. As for why a spammer
might do it, well the spammer might be pissed that a company that uses
SRS1 either kicked them off, or reported the spammer for spamming.

-wayne
