ietf-dkim

Re: [ietf-dkim] Re: MASS/DKIM interim minutes posted

2005-09-12 12:27:49

On Sep 12, 2005, at 11:58 AM, Hallam-Baker, Phillip wrote:

> Replay is an issue in the application of DKIM to real world problems.


This problem can impact virtually any domain signing messages. It will be a greater problem for providers that offer free mailboxes, as well as access providers that also offer outbound email services, largely due to the prevalence of compromised systems and networks. This could also be a problem for those that send bulk emails, when someone wishes to damage their reputation. These groups perhaps represent the majority of the email being exchanged.


> Clearly there must be an answer to the replay issue, but it does not
> follow that this must be developed in MASS.


I have attempted to clarify how DKIM can be structured to handle this problem with a minimal overhead, even without the use of HELO verification. HELO verification would be instrumental for defending resources.


> The replay issue only really affects Web Mail hosts, there may be
> something of an effect for some ISPs but I doubt it. In either case
> controls to prevent bulk enrollment are likely to provide a sufficient
> first line of defense.


Once a signature becomes a basis for accepting email, then rate-limiting techniques do not offer any protection. A miscreant only needs to send themselves the initial messages, where these can be "replayed" from other sources in any amount. Without a means to prevent this scenario, the domain signature will offer significantly less value as a basis for message acceptance.

-Doug

_______________________________________________
ietf-dkim mailing list
http://dkim.org
