On Fri, 15 Oct 2010 15:48:05 +0100, Ian Eiloart
> Here's a more interesting attack:
> Compose an email apparently from eBay, and send it to yourself. Get a
> DKIM signature, then add a From: header containing an eBay address, and
> then replay to send that message to third parties. Now, your email will be
> displayed to (some) recipients as an authenticated email from eBay. Note,
> the problem is that the MUA is saying the message is Authenticated, but the
> user is doing reputation assignment based on the (incorrectly) displayed
Yes, that is more like the attacks that I have been worrying about. But I
don't see what you gain by "sending it to yourself". Is that supposed
to cause it to pick up some signature on the way? If so, then it certainly
won't pick up an ebay signature (though it might be a useful technique if
it was Yahoo rather than Ebay you were trying to attack).
But yes, getting a valid signature on it (even the phisher's own
signature) is sufficient to prevent any ADSP lookup happening, and the
main aim is to avoid getting caught by ebay's 'discardable'.
> Actually, I'm not sure this is different from just sending email with a
> spoofed From: header, though the dual header attack might be more useful to
> a phisher who has access to a system which, for example, won't sign
I would think any competent phisher can find a system to generate whatever
he wants to generate. But a simple (unsigned) message with a spoofed From:
header will get trapped by an ADSP 'discardable' (modulo the problem that
ADSP doesn't actually specify which of several From: headers to look at,
though most ADSP implementations will likely just look at the first).
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
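As an added example (not from the thread or any of its participants), here is a receiver-side check for the two points made above: a message carrying more than one From: header, and a From: domain that is not the d= domain of any DKIM-Signature on the message. The sample messages, domains and signature values are constructed placeholders; actual signature verification is assumed to happen elsewhere.

```python
import email
import email.utils
import re

# Constructed sample of the dual-From: replay discussed above: the message was
# signed under the sender's own domain, then a second From: with an eBay-style
# address was added. Signature and hash values are placeholders, not real ones.
SAMPLE_REPLAY = """\
DKIM-Signature: v=1; a=rsa-sha256; d=attacker.example; s=sel;
 h=from:to:subject; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG=
From: "eBay" <noreply@ebay.example>
From: Sender <sender@attacker.example>
To: victim@example.net
Subject: Your account

Body text.
"""

# Constructed sample of a legitimately aligned message for comparison.
SAMPLE_CLEAN = SAMPLE_REPLAY.replace('From: "eBay" <noreply@ebay.example>\n', "")

def dkim_tags(sig_value):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            # Drop folding whitespace that may sit inside a folded header value.
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def from_domains(msg):
    """Return the domain of every From: header, in header order."""
    return [email.utils.parseaddr(v)[1].rpartition("@")[2].lower()
            for v in msg.get_all("From", [])]

def check_author_alignment(raw):
    """Return findings; empty means exactly one From: header whose domain
    is the d= of some DKIM-Signature (header alignment only, no crypto)."""
    msg = email.message_from_string(raw)
    froms = from_domains(msg)
    signing = {dkim_tags(s).get("d", "").lower()
               for s in msg.get_all("DKIM-Signature", [])}
    findings = []
    if len(froms) != 1:
        findings.append(f"expected exactly one From: header, found {len(froms)}")
    for domain in froms:
        if domain not in signing:
            findings.append(f"From: domain {domain} not covered by any d= {sorted(signing)}")
    return findings
```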