On Oct 22 2004, Arnt Gulbrandsen wrote:
Step 1. I'd send five messages to nosuchuser(_at_)do(_dot_)ma(_dot_)in and
wait for the
bounces. For each of them, I'd compute the delay from my sending time
(using my clock) to the receiving MTA's receive time. Next, I'd average
the five values.
Step 2. I'd send the target a hundred messages or so, with a hundred
guesses centered around the average computed in step 1.
Assuming that 80% of mail from me to the target are delivered within the
range [t-50,t+50> seconds, I'd have an 80% chance of success.
A more sophisticated attack would use more initial probes and vary the
number of guesses based on the spread of the probed delays.
Should I bother to do it, or is the description persuasive? ;)
I think that works as a method. Looking at some mail archives I have
around, differences in received times are a few seconds at most in the
majority of cases (single digit), so you'd be realistically aiming for
[t-5, t+5> which gives a chance of success of 1/10 if you spread out
uniformly (slightly better if you know more about the distribution,
worse if you attempt to forge over two hops or more).
So the forgery detection based on time would be about 90% successful
at present. If microseconds were allowed, forgery detection would
improve to about 99.99% successful, ie only 1 in 10,000 forgeries
would fail to be detected.
So I agree with you, the received time on its own isn't such a good
idea at present, and the ID alternative is a better choice (except for
its optional nature). Similarly, combining the two (as in hashing the whole
Received: line) would give about x+1 digit protection, where x is the number
of digits provided by the randomness inherent in the ID.
Yet another way of inserting the requisite unguessability in a
Received line might be a specially formatted comment. This would not
require the ID, and if the comment was present, it would be a
guarantee of sorts from the MTA that the token is unguessable (so the
MTA authors would not have to change their ID scheme).
--
Laird Breyer.