ietf-dkim

[ietf-dkim] Re: Replay attacks and ISP business models

2005-08-07 14:04:17
On Sun, 2005-08-07 at 12:38 -0700, Michael Thomas wrote:

> I agree. I think that the thing that really ought to
> be proven here is whether "replay" is a real threat or
> not.

If replay does become a problem, then what is the response?  Should
large domains then issue user-keys to everyone?  If DKIM is to be
beneficial, it must serve in deciding whether to accept email on the
basis of the signature being verified.  The value of this acceptance is
reduced when a signature must also be checked against a third-party
clearing house to decide whether this represents a message being
abusively replayed.

The majority of the messages signed will likely not be bound to any
email address seen by the recipient.  Make a convincing case why a
signature matters when only an accountable domain is determined.

> At this point, it is purely academic and I think we
> have a pretty spotty track record of determining what the
> miscreants' next steps will actually be. For one, it's not
> clear that if domains -- in an effort to maintain their
> reputation -- start spam-filtering their outbound mail,
> you'd reduce the effectiveness of the so-called replay
> attack by about 2 orders of magnitude.

The spammer would be sending the messages to themselves.  If they used a
service that "pre-tested" the quality of their efforts using outbound
filters, then this would only benefit the spammer.  They only need to
accumulate enough versions of their spam before moving on to a different
account.  They would change accounts when they start their replay
tactics.  Replay would be used to plunder the reputation value that may
exist in having the message signed.  There is no way to train the filter
as these will be unique messages.  I would be surprised if an outbound
filter technique would even notice a small percentage of such messages
when done by a clueful spammer.

> It seems to me that it's pretty likely that they'll find something
> else to do if that scenario plays out.

The spammer will still be able to accumulate enough emails to stage a
replay attack with or without an outbound filter.  In fact, an outbound
filter ensures that a replay attack will be the avenue left open for
abuse.

While John Levine wants mailing lists to re-sign their messages to
permit repeat thresholds on the same signatures, there would also be
advantages for mailing lists not to re-sign an already signed message.
Leaving the signature unchanged helps from the perspective of taking the
problem to its source, without a list administrator needing to become
involved.  There will also be a need to handle existing mailing lists
that simply explode a list.

From a perspective of detecting a replay attack using a
revocation-identifier, the primary means will be by checking a bad-list on
the signing domain, when the message appears to be from a different domain
as determined by the HELO.  The bad-list would be created from abuse
reports or feedback channels motivated by a desire to protect their
reputation.

The information placed in the bad-list may be confirmed by the signing
domain by examining logs for the account identified by the
revocation-identifier.  If there is no evidence of replay or sending abuse,
then there may be reason to believe a message was sent to a few individuals
which may have been sufficient for them to become tagged as a spammer.
In this case, it may be better to warn the account about how their
messages are being received.  If such messages were sent to a list, then
there would be less grace provided, which seems appropriate.

-Doug
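As an added illustration (not code from this thread or from any DKIM implementation), a Python sketch of the bad-list check Doug describes above: parse the DKIM-Signature tags, skip the check when the HELO name falls under the signing domain, and otherwise look the revocation-identifier up in that domain's bad-list. The `r=` tag name, the sample header and the in-memory bad-list are assumptions of this example; DKIM defines no such tag.

```python
import re

# Constructed sample: a folded DKIM-Signature header. The "r=" tag stands
# in for Doug's revocation-identifier and is a hypothetical name; DKIM
# itself defines no such tag.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; d=example.com; s=sel2005;\r\n"
    "\tr=acct-4711; h=from:to:subject; bh=YmgK;\r\n"
    "\tb=Yj1zaWc="
)

# Constructed bad-list: signing domain -> revoked identifiers. In the
# proposal this is published by the signing domain and fed from abuse
# reports; here it is an in-memory stand-in for that lookup.
BAD_LIST = {"example.com": {"acct-4711"}}


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature tag=value list; folding whitespace is
    dropped first, and only the first '=' separates tag from value so
    base64 padding in b=/bh= survives intact."""
    flat = re.sub(r"\s+", "", header_value)
    tags = {}
    for item in flat.split(";"):
        if item:
            name, _, value = item.partition("=")
            tags[name] = value
    return tags


def classify(dkim_header: str, helo_domain: str, bad_list=BAD_LIST) -> str:
    """Apply the replay check described in the message: consult the
    signing domain's bad-list only when the HELO name is not under the
    signing domain (d=), i.e. the message did not come from its signer."""
    tags = parse_dkim_tags(dkim_header)
    signer = tags.get("d", "").lower()
    helo = helo_domain.lower()
    if not signer:
        return "unsigned"
    if helo == signer or helo.endswith("." + signer):
        return "direct"            # signer's own MTA; no replay check
    rev_id = tags.get("r")         # hypothetical revocation-identifier tag
    if rev_id is None:
        return "relayed-no-revocation-id"
    if rev_id in bad_list.get(signer, set()):
        return "replay-revoked"    # identifier listed by the signer
    return "relayed-ok"
```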

_______________________________________________
ietf-dkim mailing list
ietf-dkim(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/ietf-dkim