ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] Discussion of Consensus check: Domain Existence Check

2008-06-17 04:27:34
from [Charles Lindsey] [Permanent Link] 
On Mon, 16 Jun 2008 15:51:07 +0100, Douglas Otis 
<dotis(_at_)mail-abuse(_dot_)org>  
wrote:


Protection depends upon which ADSP assertion is made.  A LOCKED
assertion will cause a message to be dismissed when ADSP compliance is
enforced.  Acceptance of messages with invalid signatures from mailing
lists or those that appear to have been "converted" from a different
transport could be fairly typical when the ADSP assertion is CLOSED,
however these messages would not bypass other typical message
screenings.  Scoring or annotation for CLOSED assertion messages with
invalid signatures is also likely to place these messages into a
different recognizable category that improves the quality of the
screening process.


But we are concerned with cases where the domain has NO DNS record and  
hence, by definition, no ADSP assertions are available. So who cares or  
knows whether the domain being spoofed was LOCKED, CLOSED or OPEN?

If the scammer writes
    From: info(_at_)ebuy(_dot_)com
and verifiers allow this through because, as you seem to suggest, that  
message might have come from some MS Exchange system which had assigned  
info(_at_)ebuy(_dot_)com as an SMTP proxy address, and the Verifier has no way 
of  
recognizing this situation, then the whole of ADSP becomes pointless, and  
it would be a waste of time for the REAL ebay.com to DKIM-sign anything or  
to publish a LOCKED ADSP record.

The only way that ADSP can work is for Verifiers to be instructed that  
anything that _looks_ like an SMTP message (in fact, anything that  
complies with RFC 2822) is to be treated as if every non-existent domain  
was LOCKED. Which is exactly what our drafts and the current WG consensus  
seems to be saying.


To ensure ignored domains do not offer a method to spoof addresses,
defining which recognizable domains should be ignored must be
accomplished.  ...


Then show us how to accomplish it.


... Again, such definitions should be done in a different
draft since this has nothing to do with DKIM or ADSP.


But if what you propose is fundamentally impossible (as appears to be the  
case), then pretending that some different draft will miraculously solve  
that problem and close the loophole does not seem like a wise way to  
proceed.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       
   Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] I-D.kucherawy-dkim-reporting, Frank Ellermann
Next by Date:  Re: [ietf-dkim] Consensus check: Domain Existence Check, Stephen Farrell
Previous by Thread:  Re: [ietf-dkim] Discussion of Consensus check: Domain Existence Check, Douglas Otis
Next by Thread:  Re: [ietf-dkim] Discussion of Consensus check: Domain Existence Check, Douglas Otis
Indexes:  [Date] [Thread] [Top] [All Lists]