ietf-dkim

Re: [ietf-dkim] Re: Responsibility concerns with DesignatedSigning Domains

2006-08-26 19:00:46

----- Original Message -----
From: "Douglas Otis" <dotis(_at_)mail-abuse(_dot_)org>
To: "Frank Ellermann" <nobody(_at_)xyzzy(_dot_)claranet(_dot_)de>


> On Sat, 2006-08-26 at 14:54 +0200, Frank Ellermann wrote:
>> Stephen Farrell wrote:
>>
>>> But yet again, each form of delegation has its issues.
>>
>> Right, but those forms where the delegator can delegate
>> without prior and explicit consent of the delegatee are
>> beyond my no-nonsense limit.  Ideally "explicit" should
>> allow receivers to verify this.
>>
>> If an ISP uses a "we sign everything" strategy, and many
>> customers belong to botnets, then a "bad actor" could
>> register eboy (with an "O"), delegate eboy-signing to this
>> ISP unilaterally, and phish using his zombies with accounts
>> at this ISP.  SSP shouldn't allow this by design.
>
> A bad actor can register look-alike domains and add their own DKIM
> signature sent through any number of providers. Designation does not
> make this problem worse.  With the entire email-address being
> internationalized, a problem of visual recognition must be handled
> through other strategies.

What Frank is saying is that ISP.COM has all the power to control this and
protect his users from direct DKIM phish attacks in a very elegant and
graceful manner using SSP.

Example:

The phisher uses eboy.com and creates an SSP policy (using a DSAP syntax):

DNS TXT:  _policy._domainkeys.eboy.com

     op=never;
     3p=always;
     3PL=isp.com;

The phisher has harvested hundreds or even thousands of users at ISP.COM and
he knows ISP.COM always signs mail.

The phisher sends mail to the ISP local users.  No SMTP authorization is
required because it is local mail (not routed).  That's BCP.

In the bare-bones DKIM-BASE ISP implementation:

The ISP signs the message and delivers it to local users.  DKIM PHISHING
LOOPHOLE!

In the "not so smart" SSP Ready ISP implementation:

The ISP signer will check the From address SSP policy and it will see that
it is designated as an authorized signer.  It continues to sign and delivers
the mail to its local users.  DKIM PHISHING LOOPHOLE!

In the "Smarter" SSP Ready ISP implementation:

The ISP.COM should have his own list of domains the ISP will sign for to
check against.  The ISP will check the From address SSP policy and it will
see that it is designated as an authorized signer.  However, if EBOY.COM is
not in the ISP list of domains he is signing for, then it should not accept
this message or see it as suspicious.  DKIM Phishing Problem Solved!!  The
ISP's users are protected and EBAY is indirectly protected too.

To maximize protection all 3rd party signers should check the originating
domain SSP policy to see if it is allowed to sign.

--
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
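
The "smarter" signer check described in the message above, as an added example that is not part of the original post or of any DKIM/SSP implementation. It assumes the policy text is handed in by a lookup function rather than fetched from DNS, that `3PL` is a comma-separated list, and that `3p=never` forbids third-party signing; `customer.example` and `other.example` are constructed domains.

```python
# Added illustration, not code from the thread. The tag names (op, 3p, 3PL)
# are copied from the DSAP-style record in the message; how they are parsed
# and interpreted here is an assumption, and no DNS lookup is performed.

def parse_policy(txt):
    """Split a 'tag=value;' record into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip().lower()
    return tags

def designates(policy_txt, signer):
    """True if the author domain's policy names `signer` as a third-party signer."""
    if policy_txt is None:
        return False
    tags = parse_policy(policy_txt)
    if tags.get("3p") == "never":  # assumed meaning: no third-party signing
        return False
    listed = [d.strip() for d in tags.get("3pl", "").split(",") if d.strip()]
    return signer.lower() in listed

def signing_decision(from_addr, signer, own_domains, lookup_policy):
    """Sign only when consent is visible from both sides."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if domain == signer.lower():
        return "sign"    # first-party mail
    if domain not in own_domains:
        return "refuse"  # signer never agreed to sign for this domain
    if not designates(lookup_policy(domain), signer):
        return "refuse"  # domain owner has not designated this signer
    return "sign"

# Constructed sample data: the eboy.com record mirrors the one in the message.
POLICIES = {
    "eboy.com": "op=never; 3p=always; 3PL=isp.com;",
    "customer.example": "op=never; 3p=always; 3PL=isp.com;",
    "other.example": "op=always; 3p=never;",
}
ISP_SIGNS_FOR = {"customer.example", "other.example"}  # the ISP's own list

def demo():
    """Decision for each constructed From address, with isp.com as the signer."""
    return {addr: signing_decision(addr, "isp.com", ISP_SIGNS_FOR, POLICIES.get)
            for addr in ("alice@isp.com", "billing@customer.example",
                         "security@eboy.com", "news@other.example")}
```

The eboy.com policy alone passes `designates`, which is the "not so smart" behaviour; the refusal comes only from the ISP's own list.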





_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html