On Mon, Dec 08, 2003 at 03:35:28PM -0500, Yakov Shafranovich wrote:
> The signature attests to the fact that the domain name or server from
> which the message originated, is not forged.
*lol*
I don't see any more security here than with a "paranoid" DNS lookup.
If I do a reverse DNS lookup and get a name and do a lookup of the name
and get the IP I can assume #1 that it is correct.
#1 with drawbacks as to DNS spoofing and DNS security.
Now, if the sending MTA has a signature on the message and I use DNS
to get the public key to verify the signature #1 from above still
applies. So the win for using PKI and not paranoid DNS lookups is zero.
If people don't get simple things right like correct HELO hosts and DNS
for their mailservers, does anyone seriously believe they will get
PKI working? I surely don't believe that.
On one of our mailservers out of 143013 connections 66619 had
non-matching HELO hosts sent. That's about 47 percent. Any more
questions? Oh, and no, it's not only evil spammers:
smtp5.wanadoo.fr:193.252.22.26 HELO mwinf0502.wanadoo.fr
daedalus.apache.org:208.185.179.12 HELO mail.apache.org
nlpproxy03.prodigy.net.mx:148.235.52.23 HELO smtp.prodigy.net.mx
sc8-sf-sshgate.sourceforge.net:66.35.250.220 HELO sc8-sf-netmisc.sourceforge.net
mxpool16.ebay.com:66.135.197.22 HELO mx40.sjc.ebay.com
That's a kewl one: mx40.sjc.ebay.com -> 10.6.182.160
leaking RFC addresses to the public Internet
smtp05.web.de:217.72.192.209 HELO smtp.web.de
datatracker.ietf.org:132.151.6.22 HELO optimus.ietf.org
pluto3.daimler-benz.com:53.122.2.33 HELO daimler-benz.com
These few "well known names" were taken from a 10-minute snapshot of the
mailer logfile.
But PKI always sounds kewl and wasn't it a nice press release for Yahoo
that made it all around the world?
Not too bad for some hot air, I'd say.
\Maex
--
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
proportional to the amount of vacuity between the ears of the admin"
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
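
The HELO-versus-reverse-DNS comparison and the "paranoid" lookup described in the message above, as an added Python example that is not part of the original post. The resolver tables, the `example.org`/`example.net` entries and all function names are constructed for illustration so the code runs offline; a live check would replace the tables with real PTR and A queries.

```python
import ipaddress
import re

# Log lines in the post's "rdns-name:ip HELO helo-name" format: three copied
# from the post, the last one constructed as a matching control.
SAMPLE_LOG = """\
smtp5.wanadoo.fr:193.252.22.26 HELO mwinf0502.wanadoo.fr
mxpool16.ebay.com:66.135.197.22 HELO mx40.sjc.ebay.com
smtp05.web.de:217.72.192.209 HELO smtp.web.de
mail.example.org:192.0.2.25 HELO mail.example.org
"""

# Constructed resolver tables (assumption, stands in for real DNS). Only the
# mx40.sjc.ebay.com address comes from the post; the rest is made up.
PTR = {"192.0.2.25": "mail.example.org", "192.0.2.66": "forged.example.net"}
A = {"mail.example.org": {"192.0.2.25"},
     "forged.example.net": {"198.51.100.7"},
     "mx40.sjc.ebay.com": {"10.6.182.160"}}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"^([^\s:]+):(\d{1,3}(?:\.\d{1,3}){3})\s+HELO\s+(\S+)$")

def norm(name):  # DNS names compare case-insensitively, without trailing dot
    return name.rstrip(".").lower()

def parse(log):
    """Yield (rdns_name, ip, helo_name); lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield norm(m.group(1)), m.group(2), norm(m.group(3))

def helo_mismatches(log):
    """Entries whose HELO name differs from the connection's reverse-DNS name."""
    return [e for e in parse(log) if e[0] != e[2]]

def paranoid_lookup(ip, ptr=PTR, a=A):
    """PTR(ip) -> name, then A(name) must contain ip; otherwise return None."""
    name = norm(ptr.get(ip, ""))
    return name if ip in a.get(name, set()) else None

def private_helo_targets(helo, a=A):
    """RFC 1918 addresses that the HELO name resolves to, sorted."""
    addrs = (ipaddress.ip_address(x) for x in a.get(norm(helo), set()))
    return sorted(str(x) for x in addrs if any(x in n for n in RFC1918))

if __name__ == "__main__":
    for rdns, ip, helo in helo_mismatches(SAMPLE_LOG):
        print(ip, rdns, "!=", helo, private_helo_targets(helo))
```

Both checks rest on the same DNS answers, so a spoofed resolver response defeats `paranoid_lookup` just as it would defeat a key fetched over DNS, which is the drawback the message labels #1.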