ietf-dkim

Re: [ietf-dkim] Re: New Issue: 4.2 needs new Attack Item: InconsistentSignature vs Policy Attacks

2006-02-02 08:14:07

----- Original Message -----
From: "Frank Ellermann" <nobody(_at_)xyzzy(_dot_)claranet(_dot_)de>
To: <ietf-dkim(_at_)mipassoc(_dot_)org>


> Hector Santos wrote:
>
>> 80-84% of all SPF policies seen by SMTP receivers are NEUTRAL
>> (relaxed) policies.  Among these, at least 60% are Bad Actors
>> exploiting a RELAXED domain policy.
>
> It's not possible to "exploit" NEUTRAL, as it's by definition the
> same as NONE.  What's so unusual with 60% spam?  Apparently a
> bit lower than the average.  As with DKIM the only real exploit
> is a PASS from a white-listed source.

Good points. It would have been better to just say relaxed policies, in
the case of SPF: Neutral, SoftFail.

The issue of PASS is true. Why should we trust it?

But we don't have much more we can do here but to apply or augment
optional and non-standard tracking concepts.

However, what you want to make sure you don't allow to fall through the
cracks are the mixed policy and protocol inconsistencies, and that might
include mixing DKIM with other methods as well at the implementation
level.  But at the very least, the protocol level.

The overall goal, at least from my (SSI) perspective, is providing
consumer confidence in your product offerings. And that includes doing a
diligent job in making sure what you are offering has a high payoff, is
as transparent as possible and has no vulnerabilities ignored or
neglected.

The first goal is to make sure that the "rules" are followed as they are
expected to be followed.  Any fault detected, in whatever form that may
be, is how your protection is realized.  When the rules are relaxed,
fault detection is minimized.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
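Added example, not part of the list message or the DKIM working group's drafts: a toy Python evaluator for the argument above that relaxed rules leave nothing to detect, while strict rules and signature/policy inconsistencies yield a fault. The policy labels ("always"/"sometimes"/"never") are constructed stand-ins for a sender-signing policy, not any wire syntax.

```python
from dataclasses import dataclass
from typing import Optional

# SPF results a receiver can obtain; the RELAXED set corresponds to the
# Neutral/SoftFail (and no-record) policies the thread calls "relaxed".
RELAXED_SPF = {"none", "neutral", "softfail"}


@dataclass(frozen=True)
class Verdict:
    fault: bool   # did the rules let the receiver detect a problem?
    reason: str


def spf_fault(spf_result: str) -> Verdict:
    """Map an SPF evaluation result to whether it exposes a fault."""
    if spf_result == "pass":
        # A pass only carries weight for a source the receiver already trusts.
        return Verdict(False, "pass: meaningful only from a white-listed source")
    if spf_result in RELAXED_SPF:
        # The domain told receivers not to reject unlisted senders.
        return Verdict(False, f"{spf_result}: relaxed policy, no fault to detect")
    if spf_result == "fail":
        return Verdict(True, "fail: strict policy, unlisted sender is a fault")
    return Verdict(True, f"{spf_result}: malformed or error, treat as fault")


def signing_policy_fault(sign_policy: str, signature: Optional[str]) -> Verdict:
    """Constructed signing-policy check for the thread's subject:
    an observed signature state that contradicts the published policy.
    sign_policy: 'always' | 'sometimes' | 'never' (constructed labels)
    signature:   None (absent), 'valid' or 'invalid'"""
    if sign_policy == "always" and signature != "valid":
        return Verdict(True, "policy says always signed, no valid signature")
    if sign_policy == "never" and signature is not None:
        return Verdict(True, "policy says never signed, signature present")
    if sign_policy == "sometimes" and signature != "valid":
        # The relaxed policy makes a missing or broken signature unremarkable.
        return Verdict(False, "relaxed signing policy: nothing to detect")
    return Verdict(False, "signature state consistent with policy")


def message_fault(spf_result: str, sign_policy: str, signature: Optional[str]) -> bool:
    """Any protocol- or policy-level inconsistency counts as a fault."""
    return spf_fault(spf_result).fault or signing_policy_fault(sign_policy, signature).fault
```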

_______________________________________________
ietf-dkim mailing list
http://dkim.org