On Feb 12, 2006, at 9:03 PM, Frank Ellermann wrote:
>> Even this brief review was not limited to just Sender-ID as a path
>> solution, but also included a list of HELOs that could describe
>> the same path in one or two lookups.
> Okay, covering "signing domains" by sets of related HELOs makes
> more sense than PRA or MAIL FROM. We've nothing for arbitrary HELO
> IDs. At best we have CSV's zone-cut emulation. But CSV, like all
> the others, is single-hop (MON to MX); attackers won't use a CSV- or
> SPF-protected HELO, they simply pick another HELO.
Verifying the HELO would be analogous to checking a wax seal on an
envelope. When the verified HELO is found within a list of valid
HELOs for the signing-domain, the seal is intact. Just as policy for
an email-address within the signing-domain is not checked, when the
HELO is within the signing-domain, checking for a list of valid HELOs
would not be needed. The threat review may consider the use of the
HELO, but neither the DKIM threat review nor the protocol should be
required to include details of how HELO is verified, or even how a
list of HELOs is created.
When the wax seal is broken or missing, delayed acceptance from
unknown IP addresses could provide a means to curtail all types of
message replay abuse. A verified HELO also offers a means to defend
the DKIM process from an inordinate level of abuse as DoS
protection. When the HELO does not verify from an unknown IP
address, or is outside the signing-domain, delayed acceptance will
ensure the service impact is minimal.
DKIM keys will likely be added on a per-MTA basis. When the key is
added to DNS for the MTA, the HELO RR can be added at the same time.
This is not asking an organization to know all their IP addresses for
all the machines ever used. This is only asking that the HELO for this
DKIM MTA also have a corresponding DNS entry.
Accountability for DKIM must exclude the message envelope. However,
accountability for the HELO includes the message envelope. When DKIM
is used in conjunction with HELO verification, then, and only then,
can DKIM become a powerful means to abate spam and curtail replay abuse.
-Doug
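The receiver-side policy Doug sketches above (verify the HELO against the connecting IP, treat a HELO inside the DKIM signing-domain or on the domain's list of valid HELOs as an intact seal, and defer everything else from unknown IPs before spending any effort on signature verification) is modelled below as an added example. It is not code from the thread or from any DKIM implementation; the DNS table, the list of valid HELOs, the set of known IPs and every hostname and address in it are constructed, and the thread does not say how a "list of valid HELOs" would be published, so it is a plain lookup table here rather than a real record type.

```python
"""Model of the HELO 'wax seal' gate run before DKIM signature verification.

Added example (not from the original post). All DNS data is a constructed,
in-memory table so the module runs offline.
"""
import ipaddress

# Constructed DNS view (hypothetical names/addresses): HELO hostname -> A records.
DNS_A = {
    "mta1.example.com": {"192.0.2.10"},
    "mta2.example.com": {"192.0.2.11"},
    "relay.partner.example.net": {"198.51.100.5"},
}

# Constructed per-signing-domain list of valid HELOs. The thread does not say how
# such a list would be published, so this is a plain table, not a real record type.
VALID_HELOS = {
    "example.com": {"relay.partner.example.net"},
}

# Constructed receiver state: IPs this site has already accepted mail from.
KNOWN_IPS = {"203.0.113.7"}


def _norm_name(name):
    """Lower-case and strip a trailing dot so comparisons are canonical."""
    return name.lower().rstrip(".")


def helo_resolves_to(helo, client_ip):
    """Seal check: does the HELO name resolve to the IP that is connecting?"""
    ip = str(ipaddress.ip_address(client_ip))  # rejects malformed input early
    return ip in DNS_A.get(_norm_name(helo), set())


def within_signing_domain(helo, signing_domain):
    """A HELO equal to, or a proper subdomain of, the DKIM d= domain needs no
    list lookup. The leading dot prevents 'example.com.evil.example' matching."""
    h, d = _norm_name(helo), _norm_name(signing_domain)
    return h == d or h.endswith("." + d)


def seal_status(helo, client_ip, signing_domain):
    """'intact', 'broken' (HELO does not resolve to the client) or
    'outside-domain' (verified, but neither in nor listed for the domain)."""
    if not helo_resolves_to(helo, client_ip):
        return "broken"
    if within_signing_domain(helo, signing_domain):
        return "intact"
    if _norm_name(helo) in VALID_HELOS.get(_norm_name(signing_domain), set()):
        return "intact"
    return "outside-domain"


def pre_dkim_decision(helo, client_ip, signing_domain, known_ips=KNOWN_IPS):
    """Decide, using only cheap DNS lookups, whether to run DKIM verification now.

    Returns (action, status): action is 'verify' (proceed to signature
    verification) or 'delay' (temporary rejection, as for greylisting), which
    keeps unverified or out-of-domain senders from unknown IPs from consuming
    signature-verification effort."""
    status = seal_status(helo, client_ip, signing_domain)
    ip = str(ipaddress.ip_address(client_ip))
    if status == "intact" or ip in known_ips:
        return "verify", status
    return "delay", status


if __name__ == "__main__":
    cases = [
        ("mta1.example.com", "192.0.2.10", "example.com"),
        ("relay.partner.example.net", "198.51.100.5", "example.com"),
        ("mta1.example.com", "198.51.100.99", "example.com"),
        ("mta1.example.com", "203.0.113.7", "example.com"),
        ("relay.partner.example.net", "198.51.100.5", "other.example"),
    ]
    for helo, ip, dom in cases:
        print(helo, ip, dom, "->", pre_dkim_decision(helo, ip, dom))
```

The gate deliberately runs before any signature check: a forged HELO from an unknown IP costs the receiver two DNS lookups and a temporary rejection, not a key fetch and a signature verification, which is the DoS-protection point in the thread. Known IPs are never delayed, so an organisation that forgets to publish a HELO record for one MTA degrades to today's behaviour rather than losing mail.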
_______________________________________________
NOTE WELL: This list operates according to
http://dkim.org/ietf-list-rules.html