ietf-dkim

[ietf-dkim] Fwd: Re: Discussion of Consensus check: Domain Existence Check

2008-06-19 02:57:09
On Tue, 17 Jun 2008 23:51:24 +0100, Douglas Otis <dotis(_at_)mail-abuse(_dot_)org> wrote:

> On Jun 17, 2008, at 3:41 AM, Charles Lindsey wrote:
>
>> But we are concerned with cases where the domain has NO DNS record
>> and hence, by definition, no ADSP assertions are available. So who
>> cares or knows whether the domain being spoofed was LOCKED, CLOSED
>> or OPEN?

> When a domain represents a 'Reserved' TLD (per RFC2606) or per Frank's
>   http://tools.ietf.org/html/draft-ellermann-idnabis-test-tlds-04
> Even so, Frank's list still needs to be extended to include names like
> ".local" and perhaps ".nntp" to permit address converters a safe mode
> of operation.  Nevertheless, these considerations are independent of
> ADSP and DKIM.  This is about what might be acceptable as a domain
> within an email-address carried by SMTP message headers.

Sure, I am happy for our draft to omit the existence test in the case of
some class of non-TLD domains, and we can discuss what to include in that
class (the consensus now is to "modify" the present wording, anyway). But
it only partially solves the problem, because scammers will still attempt
to use non-existent domains ending in .com and the like.

> ADSP must be
> defined as pertaining to messages carried by SMTP, or its assertions
> are meaningless.

And that is a departure from your previous stance, since if ADSP pertains
to messages "carried" by SMTP, then it pertains to messages arriving at a
Verifier via SMTP (whether or not they were originally created in an SMTP
environment).

> ...  ADSP might wish to indicate a need to adopt
> addressing conventions defined in a separate draft intended to place
> limitations upon addresses found in headers carried by SMTP.  This
> effort would be for the general good by reducing the level of fraud.

But ADSP needs to stand or fall on the basis of its own draft, and not to
be dependent for its success upon some mythical future draft.

>> If the scammer writes
>>    From: info(_at_)ebuy(_dot_)com
>> and verifiers allow this through because, as you seem to suggest,
>> that message might have come from some MS Exchange system which had
>> assigned info(_at_)ebuy(_dot_)com as an SMTP proxy address, and the Verifier
>> has no way of recognizing this situation, then the whole of ADSP
>> becomes pointless, and it would be a waste of time for the REAL
>> ebay.com to DKIM-sign anything or to publish a LOCKED ADSP record.

> Perhaps @staff.example.com would be more typical, since often a
> principal domain supports SMTP.

Sure, it would be more typical of "normal" usage, but scammers are not
"normal" users :-) .

>> The only way that ADSP can work is for Verifiers to be instructed
>> that anything that _looks_ like an SMTP message (in fact, anything
>> that complies with RFC 2822) is to be treated as if every non-
>> existent domain was LOCKED. Which is exactly what our drafts and the
>> current WG consensus seem to be saying.

> Agreed. But this would be a change to SMTP, and is not limited to
> domains currently considering DKIM and ADSP, which takes this well
> beyond the DKIM WG.

On the contrary, ADSP is already a change to SMTP, since it is
encouraging (to say the least) sites (i.e. verifiers) to drop, or at least
to interfere with, what are currently perfectly normal SMTP messages.



-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131      Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
