
Re: [Asrg] antiphishing idea

2011-11-17 15:38:45
On 11/17/2011 02:58 PM, Martijn Grooten wrote:
Domains should have to publish in their DNSs the message-id (among any
other thing) through a TXT or A record of any legit mail sent by them.
The TTLs of those records can be adjusted to compensate for queued
mails, etc.

I take it you mean the message-id is somehow converted into a domain name and 
a DNS lookup is performed against that DNS and if the A or TXT record for 
that domain is some kind of affirmative value, this means that this is a 
'valid message-id'?

I got the impression from the original that he was not doing that, and
looking up the _whole_ Message-ID.

Which implies rather more tightly coupled MTA/DNS servers than is
probably feasible.  High volume mail servers would have a horrendous
problem with DNS bloat and at the same time, require very low TTLs.  Ouch.

Even if you only used a domain name, same problem.

There's no easy transition either - you'd never know whether those you were
doing these queries against actually implemented this stuff, and NXDOMAIN could
mean either "BAD! BAD! discard!" or "I don't implement that feature".

I've got many doubts about this: do people who fall for such scams care about 
the value of From? Doesn't this have the same issues as SPF -all and ADSP? 
Does this scale? But my most important concern is: wouldn't it be trivial to 
perform a relay attack using this method?

It's trying to make "SPF -all" survive forwarding, but not as well as
DKIM would (absent message mangulation).

When you receive a mail from A and "apparently" from B you can query A
and B DNSs looking for the message-id the mail has. If you have a
nxdomain or whatever error from them you can score the mail as
phishing! ...on the other hand if you have a hit from at least one of
them you can be confident that this is the real domain that sends that
mail or it sends it on behalf of the real address!

I don't get this. Are you saying that if I send an email with MAIL FROM: 
example.com and Header From: paypal.com and the message-id on example.com 
that I can then get this message-id validated simply because I happen to 
control example.com?

He's suggesting asking _both_ A and B.  So both paypal.com and
example.com would have to say "Yup, I know that Message-ID".

So, you'd have to control example.com and have one (presumably recent)
sample Message-ID from paypal.com, and you could send as many as you
want with any contents you want.

[Few (if any) MTAs enforce unique Message-IDs on inbound email.]

Neither SPF nor DKIM is perfect, but it behooves us to not try to
bandaid their defects with something like this.  Patching a hole in a
submarine with window screening comes to mind as a suitable analogy ;-)
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
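A toy model of the scheme as the reply restates it (both the MAIL FROM domain and the header From domain must vouch for the Message-ID), added here to make the replay hole and the NXDOMAIN ambiguity concrete; it is not code from anyone in the thread. The ToyDns class, the way the Message-ID is hashed into a DNS label, and the sample Message-IDs are all assumptions, since the thread fixes none of them.

```python
import hashlib

class ToyDns:
    # In-memory stand-in for the publishing domains' DNS zones (constructed for this example)
    def __init__(self):
        self.records = {}  # name -> (value, expiry time)

    def publish(self, domain, message_id, ttl, now):
        self.records[msgid_name(domain, message_id)] = ("1", now + ttl)

    def lookup(self, name, now):
        rec = self.records.get(name)
        if rec is None or rec[1] <= now:
            return None  # absent or expired: the receiver sees NXDOMAIN
        return rec[0]

def msgid_name(domain, message_id):
    # Hash the Message-ID into a DNS label; this encoding is an assumption, the thread fixes none
    return f"{hashlib.sha256(message_id.encode()).hexdigest()[:32]}._msgid.{domain}"

def verify(dns, mail_from_domain, header_from_domain, message_id, now):
    """Receiver-side check as restated in the reply: both domains must answer for the ID."""
    a = dns.lookup(msgid_name(mail_from_domain, message_id), now)
    b = dns.lookup(msgid_name(header_from_domain, message_id), now)
    if a is None or b is None:
        return False  # NXDOMAIN from either: 'bad' and 'not implemented' look the same
    return True

def scenario_legitimate():
    dns = ToyDns()
    mid = "<20111117.1@paypal.com>"  # constructed sample Message-ID
    dns.publish("paypal.com", mid, ttl=3600, now=0)
    return verify(dns, "paypal.com", "paypal.com", mid, now=10)

def scenario_replay():
    """The hole named in the reply: someone who controls example.com and has one recent
    paypal.com Message-ID republishes it under their own zone while the original is in TTL."""
    dns = ToyDns()
    mid = "<20111117.1@paypal.com>"
    dns.publish("paypal.com", mid, ttl=3600, now=0)      # the real mail's record, still live
    dns.publish("example.com", mid, ttl=3600, now=100)   # example.com vouches for the same ID
    # Forged mail: MAIL FROM example.com, header From paypal.com, borrowed Message-ID
    return verify(dns, "example.com", "paypal.com", mid, now=200)

def scenario_non_participant():
    """A domain that never deploys the scheme: NXDOMAIN, indistinguishable from a rejection."""
    dns = ToyDns()
    mid = "<20111117.2@legacy.example>"
    return verify(dns, "legacy.example", "legacy.example", mid, now=0)
```

The replay case passes the check for as long as the borrowed Message-ID's record stays within its TTL, which is exactly the window the reply says a sender can reuse with any contents.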