SpfLoop - SPF (TXT) Alias Loops
This module implements alias loops using SPF (Sender Policy Framework) records. The loops can be a direct loop, where the alias points back to the same domain name as in the original query, or they can include multiple elements, cycling through a specified number of domains.
The idea is that if the client/resolver decides to resolve this further, it will enter an infinite loop. In practice, however, most modern resolvers detect such loops and terminate the resolution.
The SPF protocol is used to specify which mail servers are authorized to send emails on behalf of a domain, and SPF records are typically published within TXT records in DNS.
Note that this feature provides the same functionality as requesting a TXT record for the generic loop feature.
Category: Alias loops
Tags: Domain Lock-Up, Denial of Service
Format
spfloop.<NUMBER>.yourdomain.com
Where:
- The
<NUMBER>parameter specifies the number of elements the loop should contain.
Examples
In this example, we see a direct loop formed by sending a query that results in a SPF record containing the exact same domain name as the one in the query:
# dig spfloop.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> spfloop.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62987 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;spfloop.yourdomain.com. IN A ;; ANSWER SECTION: spfloop.yourdomain.com. 60 IN TXT "v=spf1 include:spfloop.yourdomain.com ~all" ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Wed Nov 06 13:56:26 +04 2024 ;; MSG SIZE rcvd: 95
In this example, we request a SPF alias loop consisting of 5 elements:
# dig spfloop.5.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> spfloop.5.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33532 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;spfloop.5.yourdomain.com. IN A ;; ANSWER SECTION: spfloop.5.yourdomain.com. 60 IN TXT "v=spf1 include:spfloop.5.1.yourdomain.com ~all" ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Wed Nov 06 13:56:28 +04 2024 ;; MSG SIZE rcvd: 101
The resulting domain name spfloop.5.1.yourdomain.com represents the 1st element of the loop.
By resolving the 1st element, we are pointed to the 2nd element of the loop:
# dig spfloop.5.1.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> spfloop.5.1.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29903 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;spfloop.5.1.yourdomain.com. IN A ;; ANSWER SECTION: spfloop.5.1.yourdomain.com. 60 IN TXT "v=spf1 include:spfloop.5.2.yourdomain.com ~all" ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Wed Nov 06 13:56:29 +04 2024 ;; MSG SIZE rcvd: 103
This continues up to the 5th and final element — spfloop.5.5.yourdomain.com.
By resolving the final element of the loop, we are directed back to the 1st element again:
# dig spfloop.5.5.yourdomain.com @127.0.0.1 ; <<>> DiG 9.18.10-2-Debian <<>> spfloop.5.5.yourdomain.com @127.0.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39048 ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;spfloop.5.5.yourdomain.com. IN A ;; ANSWER SECTION: spfloop.5.5.yourdomain.com. 60 IN TXT "v=spf1 include:spfloop.5.1.yourdomain.com ~all" ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP) ;; WHEN: Wed Nov 06 13:56:30 +04 2024 ;; MSG SIZE rcvd: 103
We can see that we are indeed pointed back to the 1st element again, forming a loop.
From the same category
- CnLoop - CNAME Alias Loops
- DnLoop - DNAME Alias Loops
- HtLoop - HTTPS Alias Loops
- Loop - Alias Loops
- MxLoop - MX Alias Loops
- NptEnumLoop - NAPTR ENUM Alias Loops
- NsLoop - NS Alias Loops
- PtrLoop1 - PTR Alias Loops (Variant 1)
- PtrLoop2 - PTR Alias Loops (Variant 2)
- SrLoop - SRV Alias Loops
- SvLoop - SVCB Alias Loops
See also
- SpfAlias1 - Random SPF (TXT) Aliases (Variant 1)
- SpfAlias2 - Random SPF (TXT) Aliases (Variant 2)
- SpfChain - SPF (TXT) Alias Chains