
Re: [ietf-dkim] Underscore considerations

2006-06-08 17:54:11

On Jun 8, 2006, at 5:08 PM, Michael Thomas wrote:

> Even if you could, and even if a registrar were boneheaded enough to shoot their own foot, how hard could it possibly be for a DKIM verifier to enumerate the TLDs and not accept selectors from that set of blacklisted _domainkey delegations? Am I missing something?

Imagine a large corporation issues private keys to everyone under their highest level domain. Why? Because it is easy, which is the justification made for the 'i=' subdomain feature in the first place.

These individual users can specify any subdomain where perhaps their localpart is restricted and still have it annotated as verified. Now some of these keys are captured by the new worm affecting some program. Spammers can now send valid email messages using billions of different email-addresses all thanks to the convenience provided for transmitting messages with the i=@subdomain feature.

This allows any of the following email-addresses to be validated:
Joe Blow <joe@big-company.com>
President and CEO <joe@accounts.big-company.com>
Directory of Finance <joe@staff.big-company.com>
Babe <joe@ducks.big-company.com>
Sam Spade <joe@cats.dogs.sheep.big-company.com>
Julie <joe@whips.chairs.big-company.com>
JC <joe@wiggle.shake.big-company.com>
Director <joe@more.of.the.same.big-company.com>
Accounting <joe@still.more.of.the.same.big-company.com>

The recipients of these spams will need to look at the key selector to block the onslaught and still communicate with big-company. It would not be simple to block by email-address, thank you very much.

-Doug
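
The point Doug makes above, that a recipient must key its blocking on the signing domain and selector (d=/s=) rather than on the i= address, can be shown with a small verifier-side routine. The following Python is an added example written for this archive page; it is not code from the thread, from any DKIM implementation, or from the DKIM specification. The DKIM-Signature tag values, the selector name `sel1`, and the `bh=`/`b=` placeholders are constructed for the demonstration; the one rule it takes from the DKIM spec is that the domain part of i= must be d= or a subdomain of d=.

```python
from collections import defaultdict

# The nine identities from Doug's message, all signed under one d= and one s=.
IDENTITIES = [
    "joe@big-company.com",
    "joe@accounts.big-company.com",
    "joe@staff.big-company.com",
    "joe@ducks.big-company.com",
    "joe@cats.dogs.sheep.big-company.com",
    "joe@whips.chairs.big-company.com",
    "joe@wiggle.shake.big-company.com",
    "joe@more.of.the.same.big-company.com",
    "joe@still.more.of.the.same.big-company.com",
]

SELECTOR = "sel1"  # constructed selector name, not from the page


def make_header(identity, domain="big-company.com", selector=SELECTOR):
    """Build a constructed DKIM-Signature header value (bh=/b= are placeholders)."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"i={identity}; h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED")


SAMPLE_HEADERS = [make_header(i) for i in IDENTITIES]  # constructed sample input


def parse_dkim_tags(header):
    """Split a tag=value; list into a dict. partition() keeps '=' inside base64 values."""
    tags = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    return tags


def identity_within_domain(identity, signing_domain):
    """DKIM requires the domain of i= to be d= or a subdomain of d=.
    The '.' prefix stops 'notbig-company.com' matching 'big-company.com'."""
    idomain = identity.rsplit("@", 1)[-1].lower()
    d = signing_domain.lower()
    return idomain == d or idomain.endswith("." + d)


def group_by_selector(headers):
    """Map each (d=, s=) pair to the set of i= identities it vouched for.
    Headers whose i= falls outside d= are dropped as invalid signatures."""
    groups = defaultdict(set)
    for header in headers:
        tags = parse_dkim_tags(header)
        if not identity_within_domain(tags["i"], tags["d"]):
            continue
        groups[(tags["d"], tags["s"])].add(tags["i"])
    return dict(groups)


def blocklist_sizes(headers):
    """How many entries an address-based vs a selector-based blocklist would need."""
    groups = group_by_selector(headers)
    addresses = set().union(*groups.values()) if groups else set()
    return len(addresses), len(groups)


def is_blocked(header, blocked_selectors):
    """Recipient-side check: reject on the (d=, s=) pair, not on the i= address."""
    tags = parse_dkim_tags(header)
    return (tags["d"], tags["s"]) in blocked_selectors


if __name__ == "__main__":
    n_addr, n_sel = blocklist_sizes(SAMPLE_HEADERS)
    print(f"addresses to block: {n_addr}, selectors to block: {n_sel}")
    blocked = {("big-company.com", SELECTOR)}
    print("all spam blocked by selector:",
          all(is_blocked(h, blocked) for h in SAMPLE_HEADERS))
    # Mail signed with a different selector from the same domain still gets through.
    print("other selector passes:",
          not is_blocked(make_header("alice@big-company.com", selector="sel2"), blocked))
```

Running it shows nine distinct addresses collapsing to a single (d=, s=) entry, which is exactly why a recipient would rather revoke trust in the compromised selector than chase addresses; it also shows that a second selector under the same domain keeps working, so legitimate mail from big-company is not cut off.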


_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html