dkim-ops

Re: [dkim-ops] subdomain vs. cousin domain (when deploying "discardable")

2010-09-05 19:04:17
  On 9/4/10 10:04 AM, MH Michael Hammer (5304) wrote:
 Using a subdomain presents other issues but ones which I personally
 believe are likely more controllable.

Disagree.  There is no ADSP policy currently defined able to provide the 
protections being sought without forgoing use of mailing-lists for the 
entire domain down.

 The DKIM enforcement policies you refer to are as I understand self
 imposed ones. We had the "tree walking" discussion during both DKIM
 and ADSP development and the decision was to have each subdomain
 publish its own records.

The TPA-Label draft avoids this issue by having either an MX or ADSP 
record override a domain-wide marking by ADSP of being the target of 
phishing attacks.  It is logical to assume such attacks will utilize 
sub-domains, where it is not possible to publish ADSP at each domain.  
Targeted domains marked with discardable might be retained as a wildcard 
within a local cache or in filtering rules to avoid walking down to the 
TLD.

 Paypal would have to deal with those parties it has made private
 arrangements with but that is the nature of changes that impact such
 arrangements. This is a much more controllable (if potentially time
 consuming) situation than dealing with the universe of endusers.

 The other issue is the fact that an element of risk is created
 because of the MLM issues related to breaking signatures. If it
 weren't for the MLM issue and possibly recipient use of vanity domain
 forwarding, it isn't clear how much meaningful signature breakage
 would occur for outbound Paypal mail regardless of domain.

When a discardable assertion is used, message loss becomes nearly 
impossible to assess.

 One question that comes to mind is whether the issue is centered on
 mailing lists or if there are broader issues. If it is centered on
 mailing lists, how broad is the need for Paypal employees to send
 mail through lists in furtherance of business needs (vs personal
 participation using a corporate account because it is convenient).
 Spending a little time analyzing this may provide some assistance in
 determining how to address the business needs.

 It would obviously be important to make clear to endusers that
 transactional mails are never sent from the corp.paypal.com
 subdomain.

When corp.paypal.com uses ADSP dkim=all, bad actors will then find their 
phishing attempts accepted. These messages might include misleading 
List-ID headers to seem to an MTA as having been handled by a 
mailing-list.  The recipient is unlikely to notice these additional 
header fields and therefore remains vulnerable to phishing attempts that 
they thought were from paypal.

 There is certainly an educational component required regardless of
 which approach is selected. Any time there is a change in behavior on
 the part of an abused domain it opens up the potential for abuse
 specific to the changes involved.

The TPA-Label scheme should be able to mitigate phishing without better 
educating users, engaging in private arrangements, or having 
mailing-lists change their handling in ways that would make their 
messages visually indistinguishable from user-to-user email, and 
therefore a greater risk in distributing phishing attempts. While 
phishing affects a small percentage of domains, it represents a 
significant financial threat eroding the productivity email may have 
otherwise offered.

-Doug
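
Added example, not part of the original message or of any draft it cites: a sketch of why an ADSP record on a parent domain does not cover its subdomains (RFC 5617 queries only the exact Author Domain), next to the receiver-local wildcard cache idea raised in the reply. The `example.com` names, the dictionaries standing in for DNS, and the `effective_policy` rule are assumptions made for illustration.

```python
# Constructed sample data standing in for DNS (no real lookups are made).
EXISTING_NAMES = {"example.com", "corp.example.com", "billing.example.com"}
ADSP_TXT = {
    "_adsp._domainkey.example.com": "dkim=discardable",
    "_adsp._domainkey.corp.example.com": "dkim=all",
}
VALID = ("unknown", "all", "discardable")


def _norm(domain):
    return domain.lower().rstrip(".")


def adsp_lookup(author_domain):
    """RFC 5617 lookup: only the exact Author Domain is queried, no tree walk."""
    d = _norm(author_domain)
    if d not in EXISTING_NAMES:
        return "nxdomain"          # Author Domain does not exist in DNS
    txt = ADSP_TXT.get("_adsp._domainkey." + d)
    if txt is None:
        return "unknown"           # the parent's record is never inherited
    pairs = (t.split("=", 1) for t in txt.split(";") if "=" in t)
    tags = {k.strip(): v.strip() for k, v in pairs}
    value = tags.get("dkim", "unknown")
    return value if value in VALID else "unknown"


def effective_policy(author_domain, targeted_suffixes):
    """Receiver-local rule (assumption): cached targeted domains act as
    wildcards, unless the name publishes its own ADSP record."""
    d = _norm(author_domain)
    if "_adsp._domainkey." + d in ADSP_TXT:
        return adsp_lookup(d)      # explicit record overrides the wildcard
    for suffix in targeted_suffixes:
        if d == suffix or d.endswith("." + suffix):
            return "discardable"
    return adsp_lookup(d)


if __name__ == "__main__":
    cache = {"example.com"}        # hypothetical local cache entry
    for name in ("example.com", "corp.example.com",
                 "billing.example.com", "secure-login.example.com"):
        print(name, adsp_lookup(name), effective_policy(name, cache))
```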
