DoS and Collateral Blocking
For large domains, a substantial portion of SMTP sessions are
rejected based upon reputation prior to the message exchange.
Rejection at this point conserves resources where, without this
defensive strategy, resources may not be available for desired email.
While DKIM provides a strongly verified domain name, this occurs
after a full exchange. A means to implement name based reputation
prior to the message exchange would be through the verification of
the EHLO. For DKIM to serve as a basis for acceptance, it must be
done in conjunction with HELO verification to both conserve resources
and prevent collateral blocking.
Replay, Trojan, Mailbox Spoofing
Inclusion of an opaque-identifier within messages provides simple
revocation techniques that can be applied to abate abusive replays.
This opaque-identifier would assist in readily identifying sources of
Trojan related traffic. When the opaque-identifier is persistent
with the account, this would allow source-point identification to
permit recognition of prior correspondence.
Unlike easily exploited mailbox-domain authorization schemes,
source-point identification (SPI) can signal when a message is originating
from a new SPI. The recipient should then be exposed to the relevant
identifiers and asked whether these identifiers should be accepted/
replaced, merged, rejected, or removed. This checking could occur at
the MDA or the MUA or both. No additional DNS lookups are required
as all the relevant information is contained within the message.
Unlike mailbox-authorization schemes that attempt to rely upon
visible mailbox-addresses, the application of the SPI may follow
standard email header conventions and even track the pretty name.
The use of the SPI rather than mailbox-address authorization avoids
selection algorithm conflicts and a great deal of administrative
overhead with related support issues. Users would be free to
continue normal email use without new restrictions applied. With the
SPI approach being more robust against exploits, it would offer a
more effective and safer mailbox spoofing deterrent.
The high overhead associated with resolving mailbox-domain
authorization prevents this mechanism from being useful with respect to
DoS or as an abuse abatement mechanism. The many exploits still
permitted by mailbox-domain authorization and the potential for mail
loss mean authorization techniques used in conjunction with DKIM may
threaten deployment.
Opportunistic Security
The use of SPI would depend upon binding recommendations offered by
the signing domain. While some bindings could be created
automatically, these automatic bindings should not provide automatic
acceptance when the header is not visible (the RFC2822 From when at
the MDA). Any occurrence where a message from a prior "remembered"
correspondence appears to have been forwarded should cause a prompt
asking for permission before creating relevant bindings. Within the
binding permissions prompt, the entire mailbox-address of the
pertinent header, and the signing-domain should be exposed to the user.
As an interim mode to prevent phishing at the MDA prior to the
development of a user interface that asks for binding permissions, a
binding mode could be created that does not allow the resending of
wide bindings. Eventually, this should be replaced with a mode that
creates a mail queue holding messages pending binding approval or
rejection. At some point, it may be assumed these bindings are
always done at the MUA.
-Doug
_______________________________________________
ietf-dkim mailing list
http://dkim.org
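As an added example (not part of Doug's post or of any DKIM implementation), the following models the SPI binding check at the MDA that the post describes: remembered (signing domain, opaque identifier) pairs per visible From mailbox, a revocation set for replayed sources, and the accept/replace/merge/reject/remove answers to the binding prompt. It assumes the opaque identifier travels in a hypothetical DKIM-Signature tag `spi=` and that signature verification has already succeeded upstream.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the post). The opaque identifier is
# carried in a hypothetical DKIM-Signature tag "spi=" purely for illustration.
FIRST_MSG = """From: Alice <alice@example.com>
To: bob@example.net
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; spi=k7Q2; b=AAAA==
Subject: hello

hi
"""
# Same visible From mailbox, but signed by another domain with a new SPI.
SPOOF_MSG = FIRST_MSG.replace("d=example.com", "d=phish.example").replace("spi=k7Q2", "spi=ZZ99")

def extract_spi(raw):
    """Return (from_mailbox, signing_domain, opaque_id). Everything comes
    from the message itself, so the decision needs no DNS lookup."""
    msg = message_from_string(raw)
    _, mailbox = parseaddr(msg.get("From", ""))
    sig = re.sub(r"\s+", "", msg.get("DKIM-Signature", ""))
    tags = dict(re.findall(r"(\w+)=([^;]*)", sig))
    return mailbox.lower(), tags.get("d", "").lower(), tags.get("spi", "")

def evaluate(bindings, revoked, raw):
    """Classify an already-verified message against remembered bindings.
    bindings: mailbox -> set of (signing_domain, opaque_id)."""
    mailbox, domain, spi = extract_spi(raw)
    if not (mailbox and domain and spi):
        return "unsigned"              # no SPI available; other policy applies
    if (domain, spi) in revoked:
        return "reject"                # replayed/abusive source already revoked
    known = bindings.get(mailbox, set())
    if (domain, spi) in known:
        return "known"                 # prior correspondence recognised
    # A new SPI for a mailbox we know is the case the user must be asked about.
    return "prompt-new-spi" if known else "prompt-first-contact"

def apply_decision(bindings, revoked, raw, action):
    """Record the user's answer to the binding prompt."""
    mailbox, domain, spi = extract_spi(raw)
    key = (domain, spi)
    if action in ("accept", "merge"):
        bindings.setdefault(mailbox, set()).add(key)   # add alongside existing
    elif action == "replace":
        bindings[mailbox] = {key}                      # supersede old bindings
    elif action == "reject":
        revoked.add(key)                               # revoke this source point
    elif action == "remove":
        bindings.get(mailbox, set()).discard(key)
    else:
        raise ValueError("unknown action: %s" % action)
```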