Discussion:
[spf-discuss] CSID.com's SPF record FAIL (and OPM breach of 4 million US gov't workers' PII)
Matthew Elvey
2015-06-09 14:57:32 UTC
Permalink
So, at http://www.opm.gov/news/latest-news/announcements/ (Archived at https://archive.is/QfKtg), it's written:

"Beginning June 8 and continuing through June 19, OPM will be sending
notifications to approximately 4 million individuals whose Personally
Identifiable Information was potentially compromised in this incident.
*The email will come from *****@csid.com* and it will contain
information regarding credit monitoring and identity theft protection
services being provided to those Federal employees impacted by the
data breach."

This is an unfortunate example of people who should understand
security mis-training millions of people to trust an email just because
of the email address it purports to be from. This would be slightly
less bad if there was a good SPF policy attempting to protect mail from
***@csid.com. Unfortunately, this is CSID.com's SPF record:

csid.com: v=spf1 include:spf.protection.outlook.com *include:csid.us*
ip4:23.253.114.50 ip4:23.253.114.76 ip4:23.253.114.72 ip4:23.253.114.90
ip4:23.253.114.33 -all


And, this is CSID.US's SPF record:

csid.us: v=spf1 *include:csid.us include:csid.com* ip4:23.253.114.50
ip4:23.253.114.76 ip4:23.253.114.72 ip4:23.253.114.90
ip4:23.253.114.33 -all


They're infinitely recursive. (The latter is self-recursive too!) Of
course they fail when record testing tools (e.g.
http://www.kitterman.com/spf/validate.html) are used.

Sad state of affairs.

--
Matthew Elvey





-------------------------------------------
Sender Policy Framework: http://www.openspf.net [http://www.openspf.net]
Modify Your Subscription: http://www.listbox.com/member/ [http://www.listbox.com/member/]

Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/26474917-be2d5805
Modify Your Subscription: https://www.listbox.com/member/?member_id=26474917&id_secret=26474917-7cf048aa
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=26474917&id_secret=26474917-41890383&post_id=20150609105741:DDF573D4-0EB7-11E5-A468-AC28A864E0F8
Powered by Listbox: http://www.listbox.com
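The include loop above, worked through in code as an added example (not part of the original post and not CSID's code): a minimal RFC 7208 check_host() in Python restricted to the ip4, include and all terms, with DNS replaced by a constructed table. Only the csid.com and csid.us entries are copied from the post; the spf.protection.outlook.com entry is a one-netblock stand-in (the real Office 365 record is much larger) and fixed.example is a hypothetical repaired record. It shows that a conforming evaluator hits the loop before it ever reaches the ip4 terms, so even mail from CSID's own listed addresses comes back permerror, and what the other permerror form looks like when an included domain has no record at all.

```python
"""Minimal SPF (RFC 7208) check_host() for ip4, include and all, offline.

Added example, not from the original post and not CSID's code. DNS is
replaced by the constructed RECORDS table; only the csid.com and csid.us
entries are copied from the thread, the other two are hypothetical.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (no network access).
RECORDS = {
    # Copied from the thread: each includes the other, csid.us includes itself.
    "csid.com": "v=spf1 include:spf.protection.outlook.com include:csid.us "
                "ip4:23.253.114.50 ip4:23.253.114.76 ip4:23.253.114.72 "
                "ip4:23.253.114.90 ip4:23.253.114.33 -all",
    "csid.us": "v=spf1 include:csid.us include:csid.com ip4:23.253.114.50 "
               "ip4:23.253.114.76 ip4:23.253.114.72 ip4:23.253.114.90 "
               "ip4:23.253.114.33 -all",
    # Hypothetical: the real Office 365 record is much larger than this.
    "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 -all",
    # Hypothetical repaired record: no include of itself or of a sibling domain.
    "fixed.example": "v=spf1 include:spf.protection.outlook.com "
                     "ip4:23.253.114.50 ip4:23.253.114.76 -all",
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 lookups is permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Permanent evaluation error; a receiver records it as 'permerror'."""


def check_host(ip, domain, records, state=None):
    """Return pass/fail/softfail/neutral/none for ip against domain's record.

    state carries the DNS-lookup counter and the chain of domains currently
    being evaluated, so an include that comes back to one of them is caught
    as a loop instead of recursing forever.
    """
    if state is None:
        state = {"lookups": 0, "chain": []}
    if domain in state["chain"]:
        raise PermError("include loop: " + " -> ".join(state["chain"] + [domain]))
    terms = records.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    state["chain"].append(domain)
    try:
        for term in terms[1:]:
            if "=" in term:          # modifier (exp=, redirect=); not implemented here
                continue
            qualifier = "+"
            if term[0] in QUALIFIERS:
                qualifier, term = term[0], term[1:]
            name, _, arg = term.partition(":")
            name = name.lower()
            if name == "all":
                return QUALIFIERS[qualifier]
            if name == "ip4":
                if ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            elif name == "include":
                state["lookups"] += 1
                if state["lookups"] > MAX_DNS_LOOKUPS:
                    raise PermError("too many DNS lookups")
                inner = check_host(ip, arg, records, state)
                if inner == "pass":
                    return QUALIFIERS[qualifier]
                if inner == "none":  # RFC 7208 section 5.2: included domain has no record
                    raise PermError("No valid SPF record for included domain: " + arg)
                # fail/softfail/neutral from an include is not a match; keep going
            else:
                raise PermError("mechanism not implemented in this example: " + name)
        return "neutral"  # record ended without an 'all' term
    finally:
        state["chain"].pop()


def evaluate(ip, domain, records=RECORDS):
    """Result string a receiver would put in Received-SPF / Authentication-Results."""
    try:
        return check_host(ip, domain, records)
    except PermError as exc:
        return "permerror (%s)" % exc


if __name__ == "__main__":
    for dom in ("csid.com", "csid.us", "fixed.example"):
        for sender_ip in ("23.253.114.50", "198.51.100.7"):
            print("%-14s from %-14s -> %s" % (dom, sender_ip, evaluate(sender_ip, dom)))
    # The same check once the csid.us record is removed entirely:
    without_us = {k: v for k, v in RECORDS.items() if k != "csid.us"}
    print("csid.com without csid.us ->", evaluate("23.253.114.50", "csid.com", without_us))
```

Terms are evaluated left to right, so csid.com never gets as far as its ip4 mechanisms: the second include is the loop, and the whole evaluation is permerror regardless of the sending IP. Removing the csid.us record does not help either, because an include of a domain with no record is itself permerror under section 5.2; the fix is to drop the cross-includes, as fixed.example does.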
alan
2015-06-09 16:03:46 UTC
Permalink
Sad, but entirely all too common.

We really need some sort of 'hall of shame' for these types of organisations (and the people behind them),

possibly under the auspices of a DNS (not black) list of 'domains that are pointless to check SPF for as it's broken/useless/etc.'

Admins could (as always) decide for themselves whether to warn/spamfolder/reject mail from such morons.
Roger B.A. Klorese
2015-06-09 16:06:15 UTC
Permalink
Or, of course, decent SPF implementations could detect and terminate the
loop, and use the remaining data.
alan
2015-06-09 16:31:10 UTC
Permalink
Post by Roger B.A. Klorese
Or, of course, decent SPF implementations could detect and terminate the loop, and use the remaining data.
No, a broken SPF record is a great indicator that the policy it expresses is liable to be equally broken.
The correct response is not to silently adjust (and potentially mis-interpret).

The correct response is PERMERR, as an SPF client should not lie in its responses.
That's why the responses are pass/hardfail/softfail/neutral/temperr/permerr.

For a client to not give a permanent error when shown a non-transient error would be a broken attempt at implementation of the spec.
Roger B.A. Klorese
2015-06-09 16:33:10 UTC
Permalink
I disagree that laziness in editing is an indication of flawed logic.
alan
2015-06-09 19:41:19 UTC
Permalink
Post by Roger B.A. Klorese
I disagree that laziness in editing is an indication of flawed logic.
Laziness in editing plus laziness in testing (to see the obvious flaw)
plus laziness to notice (as it's not a new fatal error)

is total ineptitude, yes.

So no, I wouldn't trust this person as a mail administrator anywhere where email counts.
Dotzero
2015-06-10 14:33:14 UTC
Permalink
Looking at the txt record for csid.us this morning I'm seeing:

Non-authoritative answer:
csid.us text = "default._domainkey IN TXT ( v=DKIM1\; k=rsa\;
p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0O/L8Xm8y5NrC4GZ6YBU/9PtJLM7MpEUzqlhAdqjHsVssIG9B9/cSKopoLcla6TsTMidVQGi2JAu7yEFyVzquyfnsLtPkf7kV0FzrIonVa7yUg+VQ+4L/aN+YIp8f2JcLxQdsD/zGIxV0lRchpslnVpEacAoqm0eZeKqDteyTM"
"QIDAQAB )"

They must have yanked the SPF record.

Testing the SPF record for csid.com results in:

Results - PermError SPF Permanent Error: No valid SPF record for included
domain: csid.us: include:csid.us
Dotzero
2015-06-09 17:41:12 UTC
Permalink
Good catch Matthew.

Unfortunately they (OPM and CSID) have more problems than just their SPF
record. You would think a company that claims to be the leader in dealing
with breaches would have more of a clue. I don't have a sample email from
them but their DMARC record has a p=none policy. This is exactly the type
of email (notification) that solid email authentication (SPF/DKIM/DMARC) is
useful for.

Mike



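What a p=none policy actually buys a receiver, as an added example (not from the thread and not CSID's or OPM's code): a small RFC 7489 disposition routine in Python. Both DMARC records and every authentication result in it are constructed; p=none for csid.com is what the post above reports, the p=reject record is a hypothetical hardened alternative, and the organizational-domain function is a simplification (last two labels, no Public Suffix List) that is adequate for .com and .us.

```python
"""DMARC (RFC 7489) disposition for a notification claiming to be from csid.com.

Added example, not from the thread and not CSID's or OPM's code. Both DMARC
records and all authentication results below are constructed: p=none is what
the thread reports for csid.com, the p=reject record is hypothetical.
"""

# Constructed: a p=none policy as described in the thread (rua address made up).
CSID_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid"
# Hypothetical hardened policy: enforce, and require exact (strict) alignment.
HARDENED_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s"


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; ...' into a dict, filling RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")      # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Organizational domain. Assumption: the last two labels. Real code uses
    the Public Suffix List so that e.g. example.co.uk works; fine for .com/.us."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record_txt, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    from_domain: domain of the RFC5322.From header the recipient sees.
    spf_result/spf_domain: SPF outcome and the MAIL FROM domain it was checked for.
    dkim_result/dkim_domain: DKIM outcome and the d= of the signature.
    disposition is what the receiver should do: none, quarantine or reject.
    """
    policy = parse_dmarc(record_txt)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # p applies to the organizational domain itself, sp to its subdomains.
    chosen = policy["p"] if org_domain(from_domain) == from_domain.lower() else policy["sp"]
    return "fail", chosen


if __name__ == "__main__":
    # Constructed case: an attacker's host sends 'From: notifications@csid.com'.
    # SPF for csid.com is permerror (the include loop); there is no DKIM signature.
    spoof = ("csid.com", "permerror", "csid.com", "none", "")
    print("spoof under p=none   :", dmarc_disposition(CSID_DMARC, *spoof))
    print("spoof under p=reject :", dmarc_disposition(HARDENED_DMARC, *spoof))
    # Constructed case: CSID's own mail, DKIM-signed with d=mail.csid.com.
    signed = ("csid.com", "permerror", "csid.com", "pass", "mail.csid.com")
    print("signed, relaxed adkim:", dmarc_disposition(CSID_DMARC, *signed))
    print("signed, strict adkim :", dmarc_disposition(HARDENED_DMARC, *signed))
```

Under p=none the spoof comes back ("fail", "none"): the receiver may send an aggregate report, but delivers the message, so the published policy adds nothing for the recipients of the 4 million notifications. Moving to p=reject is only safe once legitimate mail gets at least one aligned pass; with the SPF record in the state shown earlier in the thread that means DKIM signing with an aligned d=, and strict adkim would additionally reject a signature from a subdomain such as mail.csid.com.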
Dotzero
2015-06-09 17:43:13 UTC
Permalink
Too sweet - when I just posted to the list I got the following bounce:

Your message to ***@csid.com couldn't be delivered.
security wasn't found at csid.com