
Re: [ietf-dkim] Re: ISSUE 1525 -- Restriction to posting by first Author breaks email semantics

2008-01-19 07:46:48
On Fri, 18 Jan 2008 16:27:07 -0000, Arvel Hathcock <arvel(_dot_)hathcock(_at_)altn(_dot_)com> wrote:

> hi Jim (and everyone)!
>
>> I'm still missing a suggestion for what we use when the Sender header
>> field does not match any of the addresses in the From.  Do we then
>> revert to First Author?  All Authors?
>
> The idea of checking SSP on up to N From: domains is the only suggestion I've seen so far and I can't think of anything better.

And indeed it is the only one that will even work.

Suppose the Bad Guy owns the domain n.tv (and maybe got it through a dodgy registrar willing to take his money and ignore his subsequent badness).

Suppose he has a signing key for that domain, properly registered in the DNS, and maybe he even publishes an SSP, with the 'strict'est possible policy.

He sends mail with
    From: "Natwest Bank Security"@n.tv, <security@natwest.co.uk>
(I chose Natwest, because it is the current prime phishing target in *.uk at the moment). Suppose Natwest has published the 'strict'est possible SSP - it has no effect because, as the Bad Guy knows, only the first From address is looked at ...

So the ONLY method that will work is to lookup the SSP for ALL the From addresses AND the Sender as well (though usually the Sender will already be covered somewhere in the From). And there better be signatures to cover ALL of the SSP policies that show up.

A few comments:
1. We all agree that multiple From addresses are rare in practice, so the burden of the extra DNS lookups will hardly matter.

2. Unless someone tries to do a DOS attack against the DNS system that way (but there are easier ways to DOS the DNS system). A little common sense by verifying agents should prevent such attacks.

3. If Amazon and Ebay (both with 'strict' policies) want to send out a joint message From: them both, then it will need to be signed by both of them. How they arrange to do that is their problem :-).

4. With this sort of system, it may be necessary to rethink just what policies we choose to be able to express in the SSP.

> So, if the SSP algorithm returns Suspicious for any one of the domains found in From: then let that be the final SSP result (in fact, further SSP checks could be skipped at this point). In other words, if even one of the domains listed on the From: requires a verifiable signature and that signature is NOT present then the message is Suspicious even if the result of SSP for one or more of the other domains is non-Suspicious.

+1

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
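To make the difference between the first-author and all-authors checks concrete, here is an added example (my own sketch, not code from the thread or from any SSP draft) that walks the n.tv phishing case and the joint Amazon/Ebay case through both rules. It assumes a constructed policy table in place of the DNS lookups, a set of domains for which a DKIM signature already verified, and policy values simplified to 'strict' (signature from that domain required) and 'unknown'.

```python
import re

SUSPICIOUS, NON_SUSPICIOUS = "Suspicious", "Non-Suspicious"

def split_addresses(header):
    """Split a From:/Sender: value on commas that are outside quoted strings."""
    parts, buf, in_quote = [], [], False
    for ch in header:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def domain_of(mailbox):
    """Domain of one mailbox (angle-addr or bare addr-spec, quoted local part allowed)."""
    m = re.search(r"<([^>]*)>", mailbox)
    addr = m.group(1) if m else mailbox
    return addr.rpartition("@")[2].strip().lower()

def author_domains(headers, all_authors=True):
    """Domains to check: first From: mailbox only, or every From: mailbox plus Sender:."""
    froms = [domain_of(a) for a in split_addresses(headers.get("From", ""))]
    if not all_authors:
        return froms[:1]
    senders = [domain_of(a) for a in split_addresses(headers.get("Sender", ""))]
    return list(dict.fromkeys(d for d in froms + senders if d))

def ssp_result(headers, ssp, signed_domains, all_authors=True):
    """Suspicious as soon as one checked domain requires a signature it lacks."""
    for dom in author_domains(headers, all_authors):
        if ssp.get(dom, "unknown") == "strict" and dom not in signed_domains:
            return SUSPICIOUS  # remaining lookups can be skipped
    return NON_SUSPICIOUS

# Constructed data: the thread's phishing example. The attacker owns n.tv, publishes
# a strict policy for it and signs with its key; natwest.co.uk is also strict.
PHISH = {"From": '"Natwest Bank Security"@n.tv, <security@natwest.co.uk>'}
SSP = {"n.tv": "strict", "natwest.co.uk": "strict"}
SIGNED = {"n.tv"}  # domains with a verified DKIM signature (d= tag)

# Constructed joint-message case (example domains): both authors strict, so both must sign.
JOINT = {"From": "news@amazon.example, deals@ebay.example", "Sender": "news@amazon.example"}
SSP_JOINT = {"amazon.example": "strict", "ebay.example": "strict"}
```

With the first-author rule the phishing message passes because n.tv's own signature verifies; with the all-authors rule natwest.co.uk's strict policy has no matching signature and the result is Suspicious.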
