On Apr 28, 2008, at 9:02 AM, J D Falk wrote:

> Al wrote:
>> Without any sort of assumption or ability to limit what's allowed
>> under spamresource.com, I think ADSP is much less useful. My
>> concern is that if I can't restrict or cause failures automatically
>> outside of a specific subdomain or host, it does me little good to
>> sign on signed.spamresource.com when a phisher can fake
>> signed2.spamresource.com and not automatically be failed by
>> checking sites.
>
> It /will/ automatically be failed by DKIM (bad or no signature being
> equivalent), and by any modern anti-spam system (because the host or
> domain doesn't exist.) I can't imagine any situation where an MTA
> administrator will choose to disable all other checks, and rely
> solely on ADSP.
>
> J.D.

Bad actors are still able to spoof (unsigned) messages from
mx01.sfo.example.com, even when example.com publishes ADSP policy at
_adsp._domainkey.example.com. Unless a recipient attempts to make TCP
connections to port 25, mx01.sfo.example.com will appear as a valid
source within example.com. A potential spoofing problem still exists
against hostnames found within the ADSP protected domain. A solution
that avoids doubling the number of DNS transactions for each email
received requires domains seeking protection to publish ADSP records
at every hostname.

Adopting an MX requirement for SMTP public exchanges is yet another
solution that also scales for any number of policies without mandating
replicate policy records at every hostname. Public exchanges over
SMTP should expect the presence of MX records. However, private
exchanges should not depend upon DNS. This remains an interesting
problem. : )

-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
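
An added example, not part of the original thread: a receiver-side sketch of the checks discussed above, run against a constructed zone, showing the nonexistent-name case, the existing-hostname gap, and the two remedies named (ADSP records at every hostname, or an MX requirement). The zone data, function names and verdict strings are assumptions made for illustration; `dkim=all` is used as the sample policy.

```python
# Constructed zone data for illustration (not real DNS): (name, type) -> records.
ZONE = {
    ("example.com", "MX"): ["10 mx01.sfo.example.com."],
    ("_adsp._domainkey.example.com", "TXT"): ["dkim=all"],
    ("mx01.sfo.example.com", "A"): ["192.0.2.25"],
}

def lookup(zone, name, rrtype):
    """Stand-in for a DNS query; returns [] when no record is published."""
    return zone.get((name.lower().rstrip("."), rrtype), [])

def exists(zone, name):
    """True if any record is published at exactly this name."""
    name = name.lower().rstrip(".")
    return any(owner == name for owner, _ in zone)

def adsp_policy(zone, author_domain):
    """Return the dkim= value at _adsp._domainkey.<author_domain>, or None."""
    for txt in lookup(zone, "_adsp._domainkey." + author_domain, "TXT"):
        for tag in txt.split(";"):
            key, _, value = tag.partition("=")
            if key.strip() == "dkim":
                return value.strip()
    return None

def evaluate(zone, author_domain, signed, require_mx=False):
    """Verdict for a message whose From: domain is author_domain.

    signed: a valid DKIM signature from author_domain is present.
    require_mx: hypothetical local rule that public senders publish MX.
    """
    if not exists(zone, author_domain):
        return "reject: author domain not in DNS"
    if require_mx and not lookup(zone, author_domain, "MX"):
        return "reject: no MX at author domain"
    policy = adsp_policy(zone, author_domain)
    if policy is None:
        return "accept: no ADSP record at this name"
    if signed or policy not in ("all", "discardable"):
        return "accept: policy satisfied"
    return "fail: ADSP dkim=" + policy

# Remedy that avoids extra lookups: an ADSP record at every hostname.
PER_HOST_ZONE = dict(ZONE)
PER_HOST_ZONE[("_adsp._domainkey.mx01.sfo.example.com", "TXT")] = ["dkim=all"]

if __name__ == "__main__":
    print(evaluate(ZONE, "signed2.example.com", signed=False))
    print(evaluate(ZONE, "mx01.sfo.example.com", signed=False))
    print(evaluate(ZONE, "mx01.sfo.example.com", signed=False, require_mx=True))
    print(evaluate(PER_HOST_ZONE, "mx01.sfo.example.com", signed=False))
```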