[linux-elitists] Is Pobox.com using SPF?

Rick Moen rick@linuxmafia.com
Tue Mar 30 11:52:51 PST 2004


Am I missing something, or is Pobox.com making excuses for not
implementing its own anti-forgery protocol?

----- Forwarded message from Rick Moen <rick@linuxmafia.com> -----

Date: Tue, 30 Mar 2004 11:43:39 -0800
From: Rick Moen <rick@linuxmafia.com>
To: Pobox Customer Support <pobox@pobox.com>
Cc: mengwong@dumbo.pobox.com
Subject: Re: Physician, Heal Thyself [PTN.20040326.0144J]

Quoting Ms. Schival:

> What appears to be happening is that this error message was sent in
> response to an attempt to replicate a virus which, after infecting a
> computer, attempts to replicate itself using random subjects and
> attachment names, and changes the From: address to one found on the
> infected computer.
> 
> So what's happening is that someone -- not you -- is infected with the
> virus, which is replicating itself using addresses found on the infected
> computer; it takes one of these addresses and uses it as a From: address
> so it's harder to track the actual sender, and as such, harder to notify
> the correct person that their computer is infected.
> 
> When the virus then attempted to send itself to the RECIPIENT'S email
> address, it used your Pobox address, so that when the virus was bounced,
> it was returned to you.

I'm actually extremely well aware of how malware uses spoofed From: (and
sometimes envelope) headers.  But thank you.

> If you do not have Spam Protection (which includes SPF protection)
> enabled on your account, I would suggest enabling that.  However, in
> this case it would have been tartarus.org, not pobox.com, that would
> have needed to check for SPF records.


Just for background:  In contrast to people who just have "accounts", I
operate my own MTA, and my own DNS nameservice, for my domain
(linuxmafia.com).   My nameserver publishes SPF records.

Granting your point that tartarus.org inappropriately trusted a forged
envelope sender header, and _would_ have benefitted from checking SPF:

kelvin.pobox.com initially accepted a piece of malware SMTP mail with
forged return-path headers purporting to be from linuxmafia.com -- i.e.,
joe-jobbed -- addressed to anakin@pobox.com.  kelvin.pobox.com attempted
to _further_ deliver it to host mail.lethe.tartarus.org WITHOUT bothering
to check SPF records.  That second host then did 554 rejection of the
mail, to which kelvin.pobox.com responded by sending me an (inappropriate)
bounce message.

So:  _Does_ kelvin.pobox.com check SPF RRs?  If it does, then it knew
upon initial receipt that the mail in question was a forgery.
Therefore, it should _not_ have attempted delivery to
mail.lethe.tartarus.org.  What's the point of detecting mail forgery if
you then blithely send it onwards?


I submit that "It's tartarus.org's fault" isn't an answer:  If you guys
are redelivering received mail you KNOW is forged to such MTAs, then
you're part of the problem, and you certainly should know better.



(Prior mail quoted below for Meng's information.)


> On Fri, Mar 26, 2004 at 07:25:17PM -0800, Rick Moen wrote:
> > The virus-mail in question did _not_ come from my MTA, having (of course) 
> > forged headers and originating on an MS-Windows box somewhere, not from
> > my all-Linux mail systems.
> > 
> > But I'm writing this to remind you that you _know_ better than this:
> > You guys, pobox.com, are after all the people who invented SPF records
> > for the DNS.  And the crowning irony:  My domain (linuxmafia.com)
> > publishes SPF records, which YOU, the inventor of SPF, didn't bother to
> > check!
> > 
> > May I strongly suggest that you guys get around to implementing your own
> > SMTP anti-forgery protocol?
> > 
> > 
> > ----- Forwarded message from Mail Delivery System <MAILER-DAEMON@kelvin.pobox.com> -----
> > 
> > Return-path: <>
> > Envelope-to: rick@linuxmafia.com
> > Delivery-date: Fri, 26 Mar 2004 19:09:25 -0800
> > Received: from kelvin.pobox.com ([207.8.226.2]:43354)
> > 	by linuxmafia.com with esmtp (Exim 4.30 #1)
> > 	id 1B74CC-000189-V1
> > 	for <rick@linuxmafia.com>; Fri, 26 Mar 2004 19:09:17 -0800
> > Received: by kelvin.pobox.com (Postfix)
> > 	id 7614E9148C; Fri, 26 Mar 2004 22:09:16 -0500 (EST)
> > Date: Fri, 26 Mar 2004 22:09:16 -0500 (EST)
> > From: Mail Delivery System <MAILER-DAEMON@kelvin.pobox.com>
> > To: rick@linuxmafia.com
> > MIME-Version: 1.0
> > Message-Id: <20040327030916.7614E9148C@kelvin.pobox.com>
> > X-SA-Exim-Mail-From: 
> > Subject: Undelivered Mail Returned to Sender
> > Content-Type: multipart/report; report-type=delivery-status;
> > 	boundary="1DA6B916DA.1080356956/kelvin.pobox.com"
> > X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on 
> > 	uncle-enzo.linuxmafia.com
> > X-Spam-Level: 
> > X-Spam-Status: No, hits=-4.8 required=5.0 tests=BAYES_00,MICROSOFT_EXECUTABLE,
> > 	UPPERCASE_25_50 autolearn=no version=2.63
> > X-SA-Exim-Version: 3.1 (built Wed Aug 20 09:38:54 PDT 2003)
> > X-SA-Exim-Scanned: Yes
> > Lines: 425
> > 
> > Content-Description: Notification
> > This is the Postfix program at host kelvin.pobox.com.
> > 
> > The message below did not reach its final destination.
> > 
> > What happened exactly?  Our mail server kelvin.pobox.com
> > accepted your message and tried to forward it to
> > simon@tartarus.org.
> > 
> > Unfortunately, we had a problem delivering the message
> > to that address.  The excerpt below shows why your message
> > was not delivered.
> > 
> > If you don't know what this error means, or why we are trying
> > to deliver the message you sent to a Pobox.com address to a
> > totally different destination, please go to
> > 
> >     http://pobox.com/bounce-pobox.html
> > 
> > If you need further assistance regarding this message, please
> > contact your ISP, or postmaster@tartarus.org
> > Always include the full text of this problem report.
> > 
> > --------------- Reason For Delivery Failure ---------------
> > 
> > For further assistance, please send mail to <postmaster@tartarus.org>
> > 
> > If you do so, please include this problem report. You can
> > delete your own text from the message returned below.
> > 
> > 			The Postfix program
> > 
> > <simon@tartarus.org>: host mail.lethe.tartarus.org[195.149.39.210] said: 554
> >     Disguised executable is probably a virus. See <http://tartarus.org/virus>.
> >     (in reply to end of DATA command)
> > 
> > Content-Description: Delivery report
> > Reporting-MTA: dns; kelvin.pobox.com
> > X-Postfix-Queue-ID: 1DA6B916DA
> > X-Postfix-Sender: rfc822; rick@linuxmafia.com
> > Arrival-Date: Fri, 26 Mar 2004 22:09:15 -0500 (EST)
> > 
> > Final-Recipient: rfc822; simon@tartarus.org
> > Original-Recipient: rfc822; anakin@pobox.com
> > Action: failed
> > Status: 5.0.0
> > Diagnostic-Code: X-Postfix; host mail.lethe.tartarus.org[195.149.39.210] said:
> >     554 Disguised executable is probably a virus. See
> >     <http://tartarus.org/virus>. (in reply to end of DATA command)
> > 
> > Content-Description: Undelivered Message
> > Received: from colander (localhost [127.0.0.1])
> > 	by kelvin.pobox.com (Postfix) with ESMTP id 1DA6B916DA
> > 	for <anakin@pobox.com>; Fri, 26 Mar 2004 22:09:15 -0500 (EST)
> > Received: from pobox.com (61-223-100-147.HINET-IP.hinet.net [61.223.100.147])
> > 	by kelvin.pobox.com (Postfix) with ESMTP
> > 	for <anakin@pobox.com>; Fri, 26 Mar 2004 22:09:09 -0500 (EST)
> > From: rick@linuxmafia.com
> > To: anakin@pobox.com
> > Subject: Re: Hello
> > Date: Sat, 27 Mar 2004 11:09:14 +0800
> > MIME-Version: 1.0
> > Content-Type: multipart/mixed;
> > 	boundary="----=_NextPart_000_0011_000058FD.00006DEB"
> > X-Priority: 3
> > X-MSMail-Priority: Normal
> > Message-Id: <20040327030915.1DA6B916DA@kelvin.pobox.com>
> > 
> > Please read the attached file.
> > 
> > 
> > 
> > 
> > ----- End forwarded message -----
> > 
> > DO NOT DELETE THIS LINE.  The ticket number for this request is PTN.20040326.0144J

----- End forwarded message -----
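The mechanism the post argues about, shown as an added example (not code from the post, from pobox.com or from any MTA): a small SPF evaluator covering the ip4, a, mx, include and all mechanisms, and a MAIL FROM stage policy that rejects an SPF "fail" before DATA is ever accepted. The DNS answers are a constructed in-memory table, and the domains (sender.example, relay.example), addresses and the downstream 554 reply are all assumptions. The forwarding_outcome function models the two relay behaviours the post contrasts: check-then-reject at the envelope, which generates no bounce, versus accept-forward-bounce, which sends the bounce to the forged return-path.

```python
"""Minimal SPF (RFC 7208 subset) check plus an SMTP-time policy decision.
Example code, not any MTA's code. DNS data below is constructed."""
import ipaddress

# Constructed DNS table (assumption): what a resolver would return.
DNS = {
    ("sender.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 mx -all"],
    ("sender.example", "MX"): ["mx.sender.example"],
    ("mx.sender.example", "A"): ["203.0.113.25"],
    ("relay.example", "TXT"): ["v=spf1 a include:sender.example ~all"],
    ("relay.example", "A"): ["203.0.113.5"],
    ("nospf.example", "TXT"): [],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table."""
    return DNS.get((name, rtype), [])


def check_spf(client_ip, domain, depth=0):
    """Evaluate the domain's SPF record for the connecting client IP.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:  # RFC 7208 limits DNS-mechanism recursion
        return "permerror"
    records = [r for r in lookup(domain, "TXT")
               if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not records:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            # ip_network returns False for an IPv6 client against an IPv4 block
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(ip) in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        elif mech == "include":
            inner = check_spf(client_ip, arg, depth + 1)
            if inner == "permerror":
                return inner
            matched = inner == "pass"
        else:  # unsupported mechanism or modifier in this subset
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit all


def smtp_mail_from_decision(client_ip, mail_from):
    """Policy at the MAIL FROM stage, before DATA. A 550 here goes back to
    the connecting client, so the relay never owns the message and never
    has to bounce it to the (possibly forged) return-path."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    result = check_spf(client_ip, domain)
    if result == "fail":
        return 550, f"5.7.1 SPF fail: {client_ip} may not send for {domain}", result
    return 250, "2.1.0 Ok", result


def forwarding_outcome(client_ip, mail_from, spf_before_accept, downstream_reply=554):
    """Model the two relay behaviours from the thread. The downstream host's
    reply is an assumption (default: a 554 after DATA, as in the bounce)."""
    if spf_before_accept and smtp_mail_from_decision(client_ip, mail_from)[0] == 550:
        return {"accepted": False, "forwarded": False, "bounce_to": None}
    # Accepted without an SPF verdict and forwarded; a 5xx from the next hop
    # now forces this relay to generate a bounce to the envelope sender.
    bounce_to = mail_from if downstream_reply >= 500 else None
    return {"accepted": True, "forwarded": True, "bounce_to": bounce_to}


if __name__ == "__main__":
    forged = ("192.0.2.44", "someone@sender.example")  # constructed forgery
    print(smtp_mail_from_decision(*forged))
    print(forwarding_outcome(*forged, spf_before_accept=True))
    print(forwarding_outcome(*forged, spf_before_accept=False))
```

Checked at MAIL FROM, the forged message is refused with a 550 to the infected client and no bounce exists; accepted first and checked never, the same message is forwarded, refused downstream, and bounced to the innocent address in the return-path, which is exactly the backscatter the post complains about.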
