Authors: Fred Parks, James Daugherty
Intro
SPF isn’t something brand new but it came to mind again after we recently had to deal with some spam issues here at Priveon. If you’re not 100% familiar with the Sender Policy Framework (SPF) then don’t feel bad – neither are over half of the Fortune 100 (we’ll get to that later).
A Little Background
The majority of spam is sent using forged sender addresses. Not only do the targets of that spam have to deal with the problems it causes but so do the sites that had their identity spoofed. Bouncebacks, backscatter, and reputation loss in the digital as well as physical world can all be consequences of being spoofed.
SPF Overview
Sender Policy Framework (SPF) is an open standard that attempts to prevent the forging of email sender addresses. A domain publishes a DNS TXT record (starting with "v=spf1") that lists the mail servers authorized to send mail for that domain. When an SPF-aware mail server receives a connection it takes the domain from the SMTP envelope sender (the MAIL FROM address, or the HELO name), queries DNS for that domain's SPF record, and compares the IP address of the connecting server against the record. Because the envelope sender is known before the DATA command, the receiver can accept or reject the message before receiving its body, and mail from a server that is not listed in the record can be rejected.
Usage of SPF
We decided to check up on the Fortune 100 list of companies to see who had implemented SPF entries. At the time of this article’s publishing 57% of the Fortune 100 did NOT have an SPF record for their primary domain.
What we found particularly interesting was that out of the 43 companies that did have an SPF record, 2 companies had entered the syntax of the record incorrectly. On one record it appeared that the admin copied the entry from a wizard and forgot to take off the quotes when they made the entry in DNS, so the published TXT data began with a literal quote character instead of "v=spf1". An SPF-checking receiver does not recognize such a record as SPF at all and treats the domain as if it had published nothing…
Coincidentally, just before we published this article one of those entries was corrected, and we're still trying to get in touch with the other company so they can take care of theirs.
Review the resources at the bottom of the article for some tools you can use to create your own SPF record or check out the records of the Fortune 100 like we did.
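As an added example (this is not code from the article, nor from any SPF implementation), the following Python script evaluates a connecting IP against a published SPF record the way an SPF-aware receiver does. DNS answers come from a constructed in-memory zone rather than live lookups, so it runs offline; every name and address in it is made up from documentation ranges, and the broken.example record reproduces the pasted-quotes mistake we found in the Fortune 100 survey.

```python
"""Offline SPF (RFC 4408) check_host() over a constructed DNS zone.

Added example, not code from the original article or from any SPF project.
DNS answers come from the ZONE dictionary below (all names and addresses are
made up from documentation ranges). A real receiver resolves them live and
also handles exp=, macros, temperror and the a/mx CIDR forms that this
example leaves out.
"""
import ipaddress

# Constructed zone data: name -> record type -> answers.
ZONE = {
    "example.com": {
        "TXT": ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailer.example -all"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.10"]},
    "_spf.mailer.example": {
        "TXT": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 ~all"],
    },
    # The mistake from the survey: the wizard's quotes were pasted into the
    # TXT data, so the record no longer begins with "v=spf1".
    "broken.example": {"TXT": ['"v=spf1 ip4:192.0.2.0/24 -all"']},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # RFC 4408 caps the number of DNS-causing terms per check


def lookup(name, rtype):
    """Constructed resolver: answers for name/rtype, [] if there are none."""
    return ZONE.get(name.lower(), {}).get(rtype, [])


def spf_records(domain):
    """TXT records of domain that are SPF records (they start with v=spf1)."""
    return [t for t in lookup(domain, "TXT")
            if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]


def check_host(ip, domain, depth=0):
    """Evaluate client ip against the SPF policy of the MAIL FROM domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > MAX_DEPTH:
        return "permerror"
    records = spf_records(domain)
    if not records:
        return "none"          # no usable policy: the receiver learns nothing
    if len(records) > 1:
        return "permerror"     # RFC 4408 allows exactly one SPF record
    client = ipaddress.ip_address(ip)

    for term in records[0].split()[1:]:
        if "=" in term:        # modifier, not a mechanism
            if term.lower().startswith("redirect="):
                return check_host(ip, term.split("=", 1)[1], depth + 1)
            continue           # exp= and unknown modifiers are ignored here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"       # unparsable address or prefix
            matched = client in net      # always False across address families
        elif name == "a":
            matched = str(client) in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(str(client) in lookup(mx, "A")
                          for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"       # including a missing or broken record
            matched = inner == "pass"
        else:
            return "permerror"           # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # fell off the end: same as ?all


if __name__ == "__main__":
    cases = [("192.0.2.25", "example.com"), ("198.51.100.10", "example.com"),
             ("203.0.113.7", "example.com"), ("2001:db8:1::5", "example.com"),
             ("10.0.0.1", "example.com"), ("10.0.0.1", "broken.example")]
    for ip, domain in cases:
        print(f"{ip:>16}  {domain:<22}  {check_host(ip, domain)}")
```

The first four cases pass via the ip4, mx, include and ip6 terms respectively; the fifth hits -all and fails. The quoted record never satisfies the v=spf1 version check, so broken.example comes back as "none" exactly as an unprotected domain would, which is why a malformed record buys you nothing. The Kitterman tool listed under Resources does this kind of syntax check against your live record.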
Shortcomings
While SPF does have benefits, there are some drawbacks you should be aware of. SPF is still an experimental standard (RFC 4408), so it is not fully ratified. SPF only ties the domain in the SMTP envelope sender to the IP address of the connecting server; it does not validate the individual user who actually sent the message, and it says nothing about the From: header the recipient sees in their mail client, which can still be forged. Also, if mail to or from your domain passes through a forwarding service, the forwarder's server will not be in your SPF record, so receivers that check SPF may reject that forwarded mail (check out the SPF documentation link at the end of the article for ways to mitigate this). The same applies to your own legitimate senders: a -all record fails any web application, marketing service or remote office that sends as your domain but was left out of the record, so inventory them before you publish. There is a certain amount of controversy over the design, security, and longevity of SPF, and the detractors are quite vocal about it. You'll need to decide for yourself if the cons apply to your situation and if they outweigh the benefits.
Conclusion
Implementing SPF for your company won’t necessarily have a direct immediate effect on the spam you receive but it will help prevent your company’s domain from being spoofed by spammers and help keep your good name. We like it because it’s the only spam prevention tool we’ve seen that’s free and took less than 5 minutes to configure!
Publishing an SPF record costs nothing and may have a positive impact on your company as well as benefiting the Internet community at large. Is it the answer to spam? Of course not, but it is another tool that we can avail ourselves of while the spam wars rage.
Resources
SPF Homepage: The best resource for learning more about SPF and whether it's right for you. The site contains some really good technical information as well as best practices and several FAQs.
SPF RFC 4408: Details of the experimental RFC for SPF
Online SPF Record Testing Tool by Kitterman Technical Services: This tool can poll whether a domain has an SPF record and then validate whether that record is using the correct syntax. You can also enter specific strings to test whether the syntax you are using will work in a given scenario.
SPF Record Setup Tool: This tool will help guide you through the process of creating a valid SPF record for your domain.
Why SPF is different from PTR validation:
Chris Linfoot has some of his thoughts on SPF but later in the article there are some good follow-ups on SPF vs. PTR validation.
The Caveat Pages: Here are some examples of the arguments against SPF.
http://homepages.tesco.net/~J.deBoynePollard/FGA/smtp-spf-is-harmful.html
http://permalink.gmane.org/gmane.culture.people.interesting-people/3797
I've previously blogged about NoScript and other useful Firefox Add-ins. Version 1.1.7.7 is the most recent version and a few notable features include:
The full list of features in version 1.1.7.7 (and prior) can be found on the NoScript website.
The Forbid IFRAME feature should be particularly useful in preventing drive-by downloads, phishing, and other attacks that use the IFRAME HTML tag for nefarious purposes.
Get the new version of NoScript from the Firefox Add-ons website.
Cisco has released an upgrade for the CS-MARS 5.2.x train of software due to a bug in the archiving feature. The information provided is limited, but it is HIGHLY recommended that you upgrade to the fixed builds. Since archiving is the method MARS uses to back up the system configuration and event data, this hotfix is considered critical.
THIS ONLY APPLIES TO THE 5.2.7(2555) AND 5.2.8(2590) BUILDS.
The actual bug is CSCsk77372 - "5.2.7, 5.2.8 missing parameter file needed for archiving and restore", a severity 2 bug.
No upgrade to 5.2.5 or 5.2.6 was released; the upgrade path goes directly from 5.2.4 to 5.2.7.
More information is available via the Release Notes
As with any new software update, you should make sure you have a valid backup before upgrading. You should also review the product documentation, upgrade instructions and release notes to fully understand the impact of the new version.
Via the Bugtraq mailing list, researcher Laurent Gaffié has reported a way to bypass IE7 content filters. By serving PE files under alternate file extensions, IE's executable-download filter is fooled into downloading the content without prompting the user. With a little social engineering a user could then be talked into running the downloaded file.
Although slightly different, I'm reminded of a talk given at DefCon 2007 that involved breaking social network content filters by using PHP code (and discussed by Chad here). With a little experimentation, the two could possibly be used together in a single attack. Other attack vectors might include spam (plain or PDF variety) and/or social engineering.
It's always a good practice to verify anything executing out of browser temporary directories - especially PEs and scripts.
Link to original post:
http://www.securityfocus.com/archive/1/482220/30/0/threaded
Adobe has issued a formal response and workaround for the Acrobat and Acrobat Reader vulnerability reported by Petko Petkov and discussed in a previous Priveon Labs post. Based upon Adobe's response, the issue is a URI handling bug that specifically affects embedded mailto: links.
While Adobe is expected to issue a patch by late October, modifying the following registry value will provide a temporary solution for the vulnerability (this is a machine-wide policy setting, so you need administrative rights and it applies to every user of the machine):
If you are using the full Acrobat product, go to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Adobe Acrobat\8.0\FeatureLockDown\cDefaultLaunchURLPerms
If you are using Acrobat Reader, go to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\8.0\FeatureLockDown\cDefaultLaunchURLPerms
In the aforementioned key find the tSchemePerms data value. It is a list of URI scheme names each followed by a permission level; per Adobe's advisory, change the mailto:2 entry in it to mailto:3, which turns the mailto: scheme from "prompt" to "block". Changing the policy under HKEY_LOCAL_MACHINE\SOFTWARE\Policies overrides the per-user setting, so the fix holds even if a user has previously chosen to allow the link.
Formal documented instructions can be found here: http://www.adobe.com/support/security/advisories/apsa07-04.html
©2010 by Priveon, Inc.