Over DKIM's development span, bot-net behaviours have changed and are
becoming more stealthy. Much of this change may be in reaction to
greater proportions of IP address space being blocked. As a result,
an increasing proportion of bot-net originated spam is sent through an
ISP's outbound server by exploiting accounts obtained from bot-net
0wned customers' machines, rather than directly from the 0wned
machine. Unfortunately, ADSP's current Author Signature definition
depends upon the ISP either affirming the identity of the Author or
leaving the "on-behalf-of" identity blank and ambiguous. This is a
tragedy.

Bot-nets are related to accounts held by 0wned machines that often
serve more than one individual. The current definition of the Author
Signature will necessitate a change in how access to outbound services
is obtained to conform to the Author Signature definition that
requires an author's identity to be affirmed or left blank. Instead,
the "on-behalf-of" identity parameter should be able to indicate how
the outbound service was accessed and thereby accommodate today's
diversity of access solutions. In addition, it should be possible for
the ISPs to obfuscate this "on-behalf-of" indicator to better protect
the privacy of their customers, while at the same time enable third-
party feedback as to the source of their intra-domain bot-net problem.

It is extremely important not to confuse the domain seen in the author
email address with that of individual authors. Although DKIM allows
a domain to authenticate and affirm an Author Address using the "i="
parameter, this is just an option. The Author Address (local-part)
and the domain must always be annotated separately when some assurance
is shown to recipients. The need for a separate annotation of local-
part and domain is not affected by changes to the Author Signature
definition. ISPs should be allowed to advertise that they sign every
outbound message without their signatures that indicate an "on-
behalf-of" identity reflecting an account rather than an Author
Address being considered invalid with respect to ADSP
compliance. Conversely, it would be negligent to annotate or treat a
message as being signed when a key with a restrictive local-part
template fails to match against the Author Address regardless of any
ADSP advertisement.

Jim has suggested that providers can add multiple signatures whenever
they have a desire to indicate an "on-behalf-of" identity that is not
that of the Author Address. Unfortunately such a requirement would
increase the average message size, and double DKIM's resource
overhead. In other words, Jim's suggestion is simply not practical.

The current Author Signature definition will result in DKIM being much
less effective against an ever growing bot-net problem. Bot-net 0wned
machines are not just a threat to email, they threaten all aspects of
the Internet.

DKIM can be effective against this menace, but only when the "on-
behalf-of" identity is allowed to reflect how access to the outbound
service was obtained. This change will still inhibit phishing, and
when access is dependent upon the authentication of the Author
Address, this too can still be made apparent regardless of the Author
Signature definition.

-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
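The post argues that the "on-behalf-of" identity ("i=") and the signing domain ("d=") must be annotated separately from each other and from the Author Address, and that a key with a restrictive local-part template that does not match must not count as a signature. The following evaluator, added here as an illustration and not code from the post, the list, or any RFC, shows what that separation looks like in practice. It assumes the cryptographic check of "b=" has already succeeded (the signature values in the samples are constructed placeholders), applies the "g=" granularity rule of RFC 4871 (the key template is compared against the "i=" local-part, with a single optional "*" wildcard and an empty template matching nothing), and uses constructed addresses such as alice@example.com and an account-style identifier acct-7f3a@example.com to stand for the ISP access case the post describes.

```python
"""Classify a DKIM signature against the Author Address (From:), reporting
the domain and the local-part as two separate assertions.  Added example,
not from the list post or any RFC's reference code.  Cryptographic
verification of b= is assumed to have already succeeded; the signature
values in SAMPLES are constructed placeholders."""
import re
from email.utils import parseaddr


def parse_tags(header_value):
    """Parse a DKIM tag=value list (RFC 4871 s.3.2); folding whitespace is dropped."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed tag: %r" % part)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def granularity_matches(template, local_part):
    """RFC 4871 g= matching: the key's local-part template must match the i=
    local-part; one optional '*' wildcard; an empty template matches nothing."""
    if template == "":
        return False
    if template.count("*") > 1:
        raise ValueError("g= allows at most one wildcard")
    if "*" not in template:
        return template == local_part
    prefix, suffix = template.split("*")
    return (len(local_part) >= len(prefix) + len(suffix)
            and local_part.startswith(prefix)
            and local_part.endswith(suffix))


def classify_signature(from_header, dkim_signature, key_granularity="*"):
    """Relate the on-behalf-of identity (i=) and signing domain (d=) to the
    Author Address.  key_granularity is the g= value from the selector's key
    record (default '*', as in RFC 4871)."""
    _, author = parseaddr(from_header)
    author_local, _, author_domain = author.rpartition("@")
    author_domain = author_domain.lower()
    tags = parse_tags(dkim_signature)
    d = tags["d"].lower()
    i = tags.get("i", "@" + d)          # default i= is an empty local-part at d=
    i_local, _, i_domain = i.rpartition("@")
    i_domain = i_domain.lower()
    result = {"on_behalf_of": i, "valid": True, "reason": "",
              "domain_affirmed": False, "local_part_affirmed": False}
    # RFC 4871: the i= domain MUST be d= or a subdomain of it.
    if not (i_domain == d or i_domain.endswith("." + d)):
        result.update(valid=False, reason="i= domain is not within d=")
        return result
    # A restrictive g= that does not match i= leaves the message effectively unsigned.
    if not granularity_matches(key_granularity, i_local):
        result.update(valid=False, reason="key g= template does not match i= local-part")
        return result
    # Domain annotation: the signer is the Author Address's own domain.
    result["domain_affirmed"] = (d == author_domain)
    # Local-part annotation: only when i= names the author, not an account or a blank.
    if i_local == "":
        result["reason"] = "on-behalf-of local-part left blank"
    elif result["domain_affirmed"] and i_domain == author_domain and i_local == author_local:
        result["local_part_affirmed"] = True
    else:
        result["reason"] = "on-behalf-of identity is not the Author Address"
    return result


# Constructed sample headers (b= and bh= values are placeholders, not real signatures).
SAMPLES = {
    "author": ("Alice <alice@example.com>",
               "v=1; a=rsa-sha256; d=example.com; s=s1; i=alice@example.com; "
               "h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER="),
    "account": ("Alice <alice@example.com>",
                "v=1; a=rsa-sha256; d=example.com; s=s1; i=acct-7f3a@example.com; "
                "h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER="),
    "blank": ("Alice <alice@example.com>",
              "v=1; a=rsa-sha256; d=example.com; s=s1; h=from:to:subject; "
              "bh=PLACEHOLDER=; b=PLACEHOLDER="),
    "third_party": ("Alice <alice@example.com>",
                    "v=1; a=rsa-sha256; d=mail.example.net; s=s1; i=alice@mail.example.net; "
                    "h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER="),
}

if __name__ == "__main__":
    for name, (from_hdr, sig) in SAMPLES.items():
        print(name, classify_signature(from_hdr, sig))
    print("restrictive key", classify_signature(*SAMPLES["author"], key_granularity="bob"))
```

The "account" sample is the case the post is concerned with: the domain is affirmed (the ISP signed it), the on-behalf-of identity is an account rather than the author, and the local-part is therefore left unaffirmed rather than the whole signature being discarded. The last call shows the opposite rule: a key whose "g=" template does not match the "i=" local-part yields no valid signature at all.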