On Mon, 15 Aug 2005, George Gross wrote:
> I should also point out that AFAICT a DKIM e-mail signature does not
> protect against the "revolving door" signature identity problem. It
> erroneously presumes that all DNS registry entities are not the economic
> allies or suppliers for spammers. It would be feasible for such a
> registrar to automate the domain name generation process on behalf of its
> spammer customers. Once such a domain name's reputation becomes tarnished,
> it is discarded and the co-conspirator DNS registrar issues a new one to
> take its place. I see this attack (and I suspect that there are others
> that one can discover) as a fundamental problem with the proposed e-mail
> security architecture.

There's a lot more information available about domain names than about IP
addresses, e.g. via whois, via the domain's NS records, etc. This
information can be used to bootstrap a reputation in a way that defends
against the use of throwaway domains by spammers.
Tony.
--
f.a.n.finch <dot(_at_)dotat(_dot_)at> http://dotat.at/
BISCAY: WEST 5 OR 6 BECOMING VARIABLE 3 OR 4. SHOWERS AT FIRST. MODERATE OR
GOOD.
_______________________________________________
ietf-dkim mailing list
http://dkim.org
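
Added example, not part of the original message and not code from either poster or from the DKIM effort: one way a receiver could bootstrap a reputation for a never-before-seen signing domain from the registrar and NS records it shares with domains already judged. The history records, feature names, smoothing constants and the "take the worst feature" rule are all assumptions, and the whois/NS lookups are assumed to have been done already.

```python
from collections import defaultdict

BULK_NS = ("ns1.bulkdns.example", "ns2.bulkdns.example")  # constructed names

# Constructed history: (signing domain, registrar, nameservers, was_spam).
HISTORY = [
    ("cheap-pills-01.example", "RegistrarX", BULK_NS, True),
    ("cheap-pills-02.example", "RegistrarX", BULK_NS, True),
    ("win-prize-77.example", "RegistrarX", BULK_NS, True),
    ("smallshop.example", "RegistrarX", ("ns1.hostco.example",), False),
    ("university.example", "RegistrarY", ("ns1.university.example",), False),
    ("bank.example", "RegistrarY", ("ns1.bank.example",), False),
    ("newsletter.example", "RegistrarY", ("ns1.hostco.example",), False),
]

PRIOR_SPAM = 0.5    # assumed spam rate for a feature with no history
PRIOR_WEIGHT = 2.0  # pseudo-count: how much evidence the prior is worth


def features_of(registrar, nameservers):
    """Registration attributes that outlive any single throwaway domain."""
    return [("registrar", registrar)] + [("ns", ns) for ns in nameservers]


def build_stats(history):
    """Count spam verdicts per shared feature, not per domain name."""
    stats = defaultdict(lambda: [0, 0])  # feature -> [spam_count, total]
    for _domain, registrar, nameservers, was_spam in history:
        for feature in features_of(registrar, nameservers):
            stats[feature][0] += int(was_spam)
            stats[feature][1] += 1
    return stats


def feature_rate(stats, feature):
    """Smoothed spam rate, so one or two sightings cannot swing the score."""
    spam, total = stats.get(feature, (0, 0))
    return (spam + PRIOR_SPAM * PRIOR_WEIGHT) / (total + PRIOR_WEIGHT)


def bootstrap_score(stats, registrar, nameservers):
    """Starting spam score for a domain with no mail history of its own:
    the worst smoothed rate among its registrar and nameservers."""
    return max(feature_rate(stats, f) for f in features_of(registrar, nameservers))


if __name__ == "__main__":
    stats = build_stats(HISTORY)
    # A fresh domain reusing the tarnished registrar and DNS inherits their record.
    print(bootstrap_score(stats, "RegistrarX", BULK_NS))
    print(bootstrap_score(stats, "RegistrarY", ("ns1.hostco.example",)))
```

A replacement domain issued through the same registrar and DNS hosting starts with the score its predecessors earned, while a domain whose registrar and nameservers are all unknown starts at the neutral prior.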