
RE: [Asrg] Is there anything good enough? - Spoofing stats

2003-05-08 10:43:07
At 09:05 AM 5/8/03 -0600, Vernon Schryver wrote:
No, you are falling for the intentional misrepresentation or lie that
is labelling mail that comes from one domain with another domain as
sender as "forgery."  That lie is intended to cause you to misunderstand
what is being abused and by whom.


I think that when I write "scott@spamwolf.com" in the mail envelope
and/or message headers it is not forgery,
regardless of what IP I send through when I do it.
But if a spammer (or anyone else) wrote "scott@spamwolf.com" in the
mail envelope and/or message headers, then it would be.

More abstractly:
Putting "yourname@example.com" in a message implies that you are able
to receive email sent to "yourname@example.com", and that if you are
not, then you are, in fact, forging "yourname@example.com".

Normally, I'd say the best approach to detecting forgery 
would be the direct approach.
I.e. if you want to know if the sender can read email sent to
"yourname(_at_)example(_dot_)com", then you should send an email to
"yourname(_at_)example(_dot_)com" and ask.
(Most challenge response systems are based on this exact idea.)
However, the cost of that is much larger than it appears on
the surface.



RMX and the related DS propose a method with a much lower cost.
They are not as good as other systems, but the theory is that they
do not cost as much to implement, so they might be reasonable
in terms of cost/performance.


If we limit the cost by refusing to change existing practices,
then they cannot distinguish forgery from the standard practice
of using an arbitrary IP to inject email.  (They also cannot distinguish
forgery from the standard practice of forwarding email, and mailing lists,
but there are some low cost methods of dealing with those.)

In that context, I will now repeat something I said earlier:
If the IP of the sender matches an RMX record of the domain,
then it's a good bet the message is not a forgery.
If the IP of the sender does not match an RMX record of the domain,
or there is no RMX record, then all bets are off.


If, on the other hand, we assume that we are going to impose changes
in existing standard practices, then RMX/DS are no longer low cost
proposals.  Depending on what sort of changes we propose, the
ability to detect forgery can be quite good, but I claim the cost 
spirals out of control rapidly.


Scott Nelson <scott@spamwolf.com>

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
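The RMX-style check Scott describes (sender IP matches a record published by the envelope domain: good bet it is not forgery; no match or no record: all bets are off) as an added worked example. This is not code from the post or from the RMX/DS proposals; the record set, the IPs, the sample messages and the helper names (`rmx_check`, `evaluate`) are constructed for illustration. It also shows the forwarding caveat from the post: a genuine message relayed by a forwarder arrives from the forwarder's IP and therefore cannot be confirmed, which is why a non-match must not be treated as proof of forgery.

```python
import ipaddress

# Constructed sample data (assumption, not real DNS): the networks each domain
# declares as its legitimate outbound mail sources, in the spirit of an RMX record.
RMX_RECORDS = {
    "example.com": ["192.0.2.0/24", "198.51.100.10/32"],
    "example.net": [],  # this domain publishes no RMX record at all
}


def rmx_check(sender_domain, connecting_ip, records=RMX_RECORDS):
    """Return 'pass' if the connecting IP lies inside a network the domain
    declared, 'none' if the domain publishes no record, else 'unknown'."""
    nets = records.get(sender_domain)
    if not nets:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    for net in nets:
        if ip in ipaddress.ip_network(net):
            return "pass"
    return "unknown"


def verdict(result):
    """Map a check result onto the post's policy: only a match supports
    a conclusion; anything else says nothing about forgery either way."""
    return "likely genuine" if result == "pass" else "no conclusion (all bets are off)"


# Constructed sample messages: envelope-sender domain and the IP that
# connected to our MX to deliver the message.
SAMPLE_MESSAGES = [
    {"id": "m1", "domain": "example.com", "ip": "192.0.2.77",
     "note": "sent directly from the domain's declared network"},
    {"id": "m2", "domain": "example.com", "ip": "203.0.113.5",
     "note": "genuine, but relayed by a forwarder outside the declared network"},
    {"id": "m3", "domain": "example.com", "ip": "203.0.113.99",
     "note": "forged envelope sender, injected from an arbitrary IP"},
    {"id": "m4", "domain": "example.net", "ip": "192.0.2.1",
     "note": "domain publishes no record, so nothing can be checked"},
]


def evaluate(messages=SAMPLE_MESSAGES):
    """Run the check over each message; returns {id: (result, verdict)}."""
    out = {}
    for m in messages:
        result = rmx_check(m["domain"], m["ip"])
        out[m["id"]] = (result, verdict(result))
    return out


if __name__ == "__main__":
    for mid, (result, v) in evaluate().items():
        print(f"{mid}: {result:7s} -> {v}")
```

Note that m2 (forwarded) and m3 (forged) produce the same "unknown" result: the check alone cannot tell them apart, which is the limitation the post points out. Any policy that rejects on "unknown" would bounce forwarded and list mail; the safe use is to treat only "pass" as evidence.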


