Re: a header authentication scheme

2004-11-02 10:12:31

In <200411010819(_dot_)33184(_dot_)blilly(_at_)erols(_dot_)com> Bruce Lilly 
<blilly(_at_)erols(_dot_)com> writes:

> On Sun October 31 2004 01:54, Laird Breyer wrote:
>
>>> Given a message with a valid Received field; it's trivial; simply
>>> construct a Processed field accordingly and insert it where
>>> desired, eliding any preexisting "processed" field that corresponds
>>> to the Received field.  W/o any Received field; forge one and
>>> insert it and a corresponding "processed" field where desired.
>>
>> I'm afraid none of this is yet convincing as a successful attack.
>>
>> You must be able to forge the Processed field before the message
>> contains the pertinent Received field, otherwise you're not actually
>> forging anything of value. In fact, quoting existing Received fields
>> is legal, and marks your location correctly.
>
> You have missed the points; at any point a party can
> a) s/result-tag="spam"/result-tag="ham"/
> b) insert a Received field, then insert a "processed" field referring
>    to that Received field, with any desired "processed" field content
> N.B. neither tactic would be effective if MIME security multiparts
> were used.

Please can you paint a more precise scenario?

Exactly where is the "any point" that you have in mind? If it is inside
your firewall, then your system has already been subverted and nothing is
going to protect you.

If it is inside your ISP's systems, then your ISP has already been
subverted and nothing is going to protect you.

If it was done somewhere before the message reached your ISP, and you
trust your ISP not to have gone rogue, then you can trust your ISP to have
added his Received header (and maybe his Processed header) at the front of
the message, in which case who cares what the spammer may have put there
earlier on.

If it was done by intercepting the transmission between your ISP and your
firewall, then indeed there is something to look into further. If that
link took the form of you interrogating your mailbox (POP3 or IMAP) on the
ISP's machine, then I don't know enough about the protocols involved to be
able to say, but I suspect it would be rather difficult for the Bad Guy to
make that intercept.

If that link took the form of an SMTP connection, then I think it is
generally possible for your system to detect the IP from which the packets
came, and check that they did indeed come from your ISP.

The whole point of Laird's scheme is that, the further back you go down
the chain of intermediate hosts, the less you can assume about the
reliability of what the headers are telling you. The particular case that
he is interested in is where he is using some filtering service provided
by his ISP (e.g. Spamassassin) and wants to be as certain as can be that
some other bogus filtering service has not been substituted instead.

AFAICS, his scheme does achieve that rather limited objective.

Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133   Web:
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, 
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
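
Added example, not part of the original message or of the proposed scheme: a receiver-side check for the case argued above, where only the fields your ISP put at the front of the message are believed and anything below its Received field is ignored. The host name, the sample message and the use of position alone (instead of the Processed field's reference to a Received field, whose syntax is not shown in this thread) are assumptions.

```python
import re
from email import message_from_string

TRUSTED_HOST = "mx.isp.example"  # assumption: host your ISP's relay names after "by"

# Constructed sample. The ISP prepended the top two fields; everything below
# them arrived with the message and may have been written by anyone, including
# a forged Received field that claims to come from the ISP.
SAMPLE = '''\
Processed: result-tag="spam"
Received: from relay.sender.example by mx.isp.example; Tue, 2 Nov 2004 10:00:00 +0000
Processed: result-tag="ham"
Received: from unknown by mx.isp.example; Tue, 2 Nov 2004 09:59:00 +0000
Received: from client by relay.sender.example; Tue, 2 Nov 2004 09:58:00 +0000
Subject: constructed test message

body
'''

def received_by(value):
    """Return the host named after 'by' in a Received field (lower-cased), or None."""
    m = re.search(r"\bby\s+([^\s;()]+)", value, re.IGNORECASE)
    return m.group(1).lower() if m else None

def trusted_processed(raw, trusted_host=TRUSTED_HOST):
    """Return the Processed values that sit above the topmost Received field,
    but only if that Received field names trusted_host; otherwise return []."""
    found = []
    for name, value in message_from_string(raw).items():
        lname = name.lower()
        if lname == "processed":
            found.append(value)
        elif lname == "received":
            # The first Received field from the top records the last hop.
            # Nothing below it is read, so earlier insertions cannot count.
            return found if received_by(value) == trusted_host.lower() else []
    return []  # no Received field at all: nothing to anchor trust to

if __name__ == "__main__":
    print(trusted_processed(SAMPLE))
```

The position test is only as good as the link between the ISP and the receiver, which is the remaining case discussed in the message.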