ietf-dkim

Re: [ietf-dkim] Re: Replay attacks and ISP business models

2005-08-07 18:13:41

On Sun, 2005-08-07 at 18:17 -0400, John R Levine wrote:

>> If replay does become a problem, then what is the response?
>
> Kick off the users playing replay games, I'd guess.  Disregarding joe jobs
> (which I see no reason to expect will ever be anything other than an edge
> case) the sender has to be in cahoots with the person doing the replay,
> you know who he is since you have his DKIM signed mail, so you whack him.

Canceling this account will not immediately stop the damage being done
by the abusive replay.  In all likelihood, the miscreant has already
anticipated this reaction and is already collecting another series of
spams while issuing their replay for the duration of the key.  This
should provide many days of unfettered spamming.  Over the year, a
spammer could issue replay attacks continuously, while perhaps
compromising just 100 accounts.

Without some type of replay preventative, DKIM would make the spam
situation worse, as conventional techniques used to control abuse would
become ineffective, with perhaps the exception of repeated message
filtering techniques.  Without some other means to control this type of
abuse, recipients would be reliant upon centralized clearing houses
where the hash of each message must be checked before accepting the
message.

Looking for repeated messages within email queues, a technique used by
email filtering, will often misclassify spam in many cases.  One such
case that may be misclassified includes mailing lists.  This technique
will remain error prone even should mailing lists sign messages.
Perhaps mailing lists signing their own messages will reduce the size of
the white-list based upon the domain name.  The white-list could be
simplified by being based upon the IP address, but this suffers the
problems of path registration.  Repeated message techniques will always
require such a white-listing mechanism in those cases where messages are
repeated and yet are not spam. 

While John Levine wants mailing lists to re-sign their messages to
permit repeat thresholds on the same signatures, there would also be
advantages for mailing lists not to re-sign an already signed message.

> I think every agent that sends mail should sign the mail they send, but I
> am not so foolish as to think this will happen any time soon.  Until then,
> there will be many mailing lists whose behavior is technically
> indistinguishable from a "replay attack."  I'm still waiting for someone
> to explain how you stop replay without also wrecking mailing lists, other
> than by implausibly labor intensive approaches like manually whitelisting
> every legitimate remailer in the world.

The damage done to mailing lists' reputation may also be the effect of
collateral damage caused by other servers sharing the same IP address
space.  Here DKIM could be beneficial.  Most of these mailing lists are
responsive to abuse complaints and also confirm the subscribed mailbox
addresses.

Abuse must be dealt with promptly if the incentives are to be removed.  A
centralized clearing house of message hashes will likely need to utilize
the IP address to apply less complex white-lists.  In other words,
reputation will remain a function of the IP address, where some of the
benefit of DKIM being independent of the IP address is lost.  With this
approach, there are three items of information to be shared with the
clearing house.  The clearing house would also be expected to track
billions of messages, rather than millions of sending servers.

With the use of the revocation-identifier and bad-list, this mechanism
would allow a reputation scheme to be based exclusively on the domain name.
If the domain maintains their bad-list, then no other information needs
to be shared with the reputation service.  No repeated message technique
would be needed.  The recipient would not be reliant upon a massive
centralized per-message clearing house.  The bad-list would also make
the domain signing the messages authoritative about classifying which
accounts are committing an abusive replay attack.

In addition, a third-party that specializes in detecting spam, perhaps
in conjunction with assessing reputations, would receive acknowledgments
via the bad-list.  This is helpful, as the same non-replayed messages
may emerge from thousands of compromised systems.  This would allow the
spam problem to be addressed incrementally, one account at a time. 

Obviously, if a domain indicates that a particular account is replaying
messages, then IP addresses seen sending these messages become suspect.
Here, the replay attack in conjunction with the revocation-identifier
and bad-list actually exposes servers used by miscreants.  Looking for
repeated messages, signed by the mailing list or by the initial sender,
will still require complex white-listing.  A revocation-identifier in
combination with a bad-list avoids much of this complexity.

-Doug
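The replay attack and the revocation-identifier/bad-list check discussed in this message, as an added example that is not code from the thread or from any DKIM implementation. HMAC-SHA256 stands in for the RSA signature real DKIM uses (the replay and revocation logic is the same); the `r=` tag carrying a per-account revocation-identifier and the bad-list as a set of revoked identifiers are assumptions modelled on Doug's description, not standard DKIM; the key, addresses and message content are constructed.

```python
import base64
import hashlib
import hmac

# Constructed key for the signing domain "example.com". HMAC-SHA256 stands in
# for the RSA signature real DKIM uses; the replay/revocation logic is the same.
DOMAIN_KEY = b"example.com/selector1 private key (constructed for this example)"
SIGNED_HEADERS = ("from", "to", "subject", "date")


def _relaxed(value: str) -> str:
    """Collapse whitespace runs, in the spirit of DKIM 'relaxed' canonicalization."""
    return " ".join(value.split())


def _sig_input(h: dict, body: str, tags: dict):
    """Bytes the signature covers: the listed headers, the body hash, and the
    DKIM-Signature tags with bh= recomputed and b= empty. Nothing about the SMTP
    envelope (MAIL FROM / RCPT TO) is included: that is why a captured message
    can be re-injected to arbitrary recipients and still verify."""
    bh = hashlib.sha256(body.rstrip("\r\n ").encode()).hexdigest()
    parts = [f"{name}:{_relaxed(h.get(name, ''))}" for name in SIGNED_HEADERS]
    tag_line = "; ".join(f"{k}={v}" for k, v in tags.items() if k not in ("b", "bh"))
    parts.append(f"dkim-signature:{tag_line}; bh={bh}; b=")
    return bh, "\r\n".join(parts).encode()


def sign(headers: dict, body: str, revocation_id: str, key: bytes = DOMAIN_KEY) -> dict:
    """Return lower-cased headers with a DKIM-Signature added. The r= tag is the
    per-account revocation-identifier the thread proposes; its name and syntax
    are an assumption for this example, not a standard DKIM tag."""
    h = {k.lower(): v for k, v in headers.items()}
    tags = {"v": "1", "a": "hmac-sha256", "d": "example.com", "s": "selector1",
            "h": ":".join(SIGNED_HEADERS), "r": revocation_id}
    bh, data = _sig_input(h, body, tags)
    tags["bh"] = bh
    tags["b"] = base64.b64encode(hmac.new(key, data, hashlib.sha256).digest()).decode()
    h["dkim-signature"] = "; ".join(f"{k}={v}" for k, v in tags.items())
    return h


def _parse_tags(sig: str) -> dict:
    """Split 'k=v; k=v' into a dict, keeping tag order (b= may contain '=' padding)."""
    tags = {}
    for item in sig.split(";"):
        k, _, v = item.strip().partition("=")
        if k:
            tags[k] = v
    return tags


def verify(headers: dict, body: str, bad_list=frozenset(), key: bytes = DOMAIN_KEY) -> str:
    """Return 'none', 'fail', 'revoked' or 'pass'. bad_list models the list of
    revoked r= identifiers the signing domain would publish (assumed format)."""
    h = {k.lower(): v for k, v in headers.items()}
    sig = h.get("dkim-signature")
    if sig is None:
        return "none"
    tags = _parse_tags(sig)
    bh, data = _sig_input(h, body, tags)
    expected = hmac.new(key, data, hashlib.sha256).digest()
    try:
        given = base64.b64decode(tags.get("b", ""))
    except ValueError:
        return "fail"
    if tags.get("bh") != bh or not hmac.compare_digest(expected, given):
        return "fail"
    # The signature is valid, so the domain really did sign this message. The
    # bad-list is what lets the domain say, after the fact, that the account
    # behind this signature is abusing replay.
    if tags.get("r") in bad_list:
        return "revoked"
    return "pass"


def replay_demo() -> dict:
    """One legitimate send, the same bytes replayed, a tampered copy, and the
    account revoked. Addresses and content are constructed."""
    headers = {"From": "acct17@example.com", "To": "drop@mailbox.test",
               "Subject": "Great deals", "Date": "Sun, 07 Aug 2005 18:00:00 -0400"}
    body = "Buy now!\r\n"
    signed = sign(headers, body, revocation_id="acct17")
    results = {"original": verify(signed, body)}
    # Replay: the spammer re-injects the identical signed message with a new
    # RCPT TO. Since the envelope is not signed, the verifier sees no difference.
    results["replayed"] = verify(dict(signed), body)
    # Changing anything covered by the signature (here the body) breaks it.
    results["tampered"] = verify(signed, body + "http://spam.test/\r\n")
    # example.com notices the replay and publishes acct17 on its bad-list.
    results["after_revocation"] = verify(signed, body, bad_list=frozenset({"acct17"}))
    return results
```

The point the demo makes is the one argued above: the replayed copy verifies exactly like the original, because the signature binds headers and body but not the envelope, so a per-message filter has nothing to distinguish. Only the signing domain, via the revocation-identifier it placed in the signature and the bad-list it controls, can turn a still-valid signature into a rejection.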