ietf-dkim

Re: Not exactly not a threat analysis

2005-08-26 06:10:12

* william elan net:

On Wed, 17 Aug 2005, Tony Finch wrote:

There's a lot more information available about domain names than about IP
addresses,

I disagree.

And much of the data available for domain names is typically either
forged (owner information, for example) or volatile (name server
identity).

For throw-away domains WHOIS data is not reliable (and, just like
with email, there is no protection against using somebody else's address)

In addition, sometimes you can't get WHOIS data for such domains in
time, depending on the TLD.

and NS servers could simply be default ones provided by the domain registrar,
or often point to a compromised machine (zombie, hacked server, compromised
DNS service, etc.), and with changes introduced by Verisign this year they
can now be quickly (within 15 minutes) changed whenever the compromised
machine is discovered and filtered (which is exactly what happens to
domains used in phish email that I've investigated).

Yes, that's exactly what I see as well.

In the end the most reliable way to detect and filter these domains is
actually based on the IP address of the server hosting the website for
the advertised and used domain (for order taking). So I'm not at all
certain that doing reputation on a per-domain basis will be easy (in fact
I think it would be more difficult than on a per-IP basis).

That's my current expectation as well.

The good thing is that for non-throw-away domains (those that have
been used for a while) the reputation can be accumulated over time and
can be quite useful, but it will take quite some time (years) before
we're able to get to the point where this is possible (i.e. relying
primarily on a positive reputation score).

There's one situation where a standardized sender authentication scheme
is immediately useful: as a large mail provider (think Hotmail), you
want to pass legitimate bulk mail (e.g. DARTmail) to your customers.
With SPF and the other schemes, the mail provider can delegate
maintenance of authorization information (which IP address space
belongs to DARTmail's outgoing relays?) to the bulk mailer, and the
bulk mailer has to maintain this data just once, and not individually
for each mail provider.

In fact, SPF is already used in this way, to increase the amount of
legitimate spam in circulation.