On Jun 8, 2006, at 5:08 PM, Michael Thomas wrote:
Even if you could, and even if a registrar were boneheaded enough to shoot their own foot, how hard could it possibly be for a DKIM verifier to enumerate the TLDs and not accept selectors from that set of blacklisted _domainkey delegations? Am I missing something?
Imagine a large corporation issues private keys to everyone under their highest level domain. Why? Because it is easy, which is the justification made for the 'i=' subdomain feature in the first place. These individual users can specify any subdomain where perhaps their localpart is restricted and still have it annotated as verified. Now some of these keys are captured by the new worm affecting some program. Spammers can now send valid email messages using billions of different email addresses, all thanks to the convenience provided for transmitting messages with the i=@subdomain feature.

This allows any of the following email addresses to be validated:
Joe Blow <joe@big-company.com>
President and CEO <joe@accounts.big-company.com>
Directory of Finance <joe@staff.big-company.com>
Babe <joe@ducks.big-company.com>
Sam Spade <joe@cats.dogs.sheep.big-company.com>
Julie <joe@whips.chairs.big-company.com>
JC <joe@wiggle.shake.big-company.com>
Director <joe@more.of.the.same.big-company.com>
Accounting <joe@still.more.of.the.same.big-company.com>
The recipients of these spams will need to look at the key selector to block the onslaught and still communicate with big-company. It would not be simple to block by email address, thank you very much.
-Doug
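As an added illustration of the verifier-side policy Doug describes (not code from the thread or from any DKIM implementation), the following Python checks that each signature's i= identity sits under its d= domain and then blocks by the (d=, s=) selector pair rather than by address, so one revoked selector covers every subdomain identity minted with the leaked key. The DKIM-Signature values, big-company.com, the selector names and the bh=/b= placeholders are all constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample DKIM-Signature header values (big-company.com is the
# hypothetical domain from the thread; bh=/b= are placeholders, not real hashes).
SAMPLE_SIGNATURES = [
    "v=1; a=rsa-sha256; d=big-company.com; s=corp; i=joe@big-company.com; h=from:to; bh=PLACEHOLDER; b=PLACEHOLDER",
    "v=1; a=rsa-sha256; d=big-company.com; s=corp; i=joe@ducks.big-company.com; h=from:to; bh=PLACEHOLDER; b=PLACEHOLDER",
    "v=1; a=rsa-sha256; d=big-company.com; s=news; i=news@big-company.com; h=from:to; bh=PLACEHOLDER; b=PLACEHOLDER",
    "v=1; a=rsa-sha256; d=big-company.com; s=corp; i=joe@other-company.com; h=from:to; bh=PLACEHOLDER; b=PLACEHOLDER",
]

def parse_tags(sig: str) -> Dict[str, str]:
    """Split a DKIM-Signature tag=value list into a dict, dropping folding whitespace."""
    tags: Dict[str, str] = {}
    for field in sig.split(";"):
        if "=" in field:
            name, value = field.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def identity_domain(tags: Dict[str, str]) -> str:
    """Domain part of i= (i= defaults to @d= when absent)."""
    ident = tags.get("i", "@" + tags["d"])
    return ident.rsplit("@", 1)[1].lower()

def identity_within_signing_domain(tags: Dict[str, str]) -> bool:
    """i= must be d= itself or any subdomain of d=; that latitude is the point of the thread."""
    d = tags["d"].lower()
    dom = identity_domain(tags)
    return dom == d or dom.endswith("." + d)

def triage(signatures: List[str], revoked: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Classify each signature: 'invalid' (i= outside d=), 'blocked' (revoked d=/s=) or 'accept'."""
    verdicts: List[Tuple[str, str]] = []
    for sig in signatures:
        tags = parse_tags(sig)
        ident = tags.get("i", "@" + tags["d"])
        if not identity_within_signing_domain(tags):
            verdicts.append((ident, "invalid"))
        elif (tags["d"].lower(), tags["s"]) in revoked:
            verdicts.append((ident, "blocked"))
        else:
            verdicts.append((ident, "accept"))
    return verdicts

if __name__ == "__main__":
    # One revoked (d=, s=) entry catches every i= address signed with the leaked "corp" key,
    # while mail signed with a different selector keeps flowing.
    for ident, verdict in triage(SAMPLE_SIGNATURES, {("big-company.com", "corp")}):
        print(f"{verdict:8} {ident}")
```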