ietf-dkim

Re: [ietf-dkim] list expanders (was Re: chained signatures, was l= summary)

2009-06-16 09:28:39
On Mon, 15 Jun 2009 10:58:14 +0100, Charles Lindsey 
<chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk>
wrote:

And every list will be different, so we need to look at real examples. And
by a strange coincidence, we have just seen a concrete example on a list
well-known to all of us. Here it is, including all headers that appear
relevant, so let us now discuss how the list manager handled this
particular case, and whether he has left enough evidence for us to work
out how this evident spam got onto the list, and whether he could have
done things any differently.

Actually, ignoring the embarrassing issue of how the spam got through this
list's defences, and concentrating on the evidence left behind in the
headers, one can note that many things were actually done right.

+1. All the trace headers, including A-R and DKIM-Signature, were left in
place, both by the list manager, and by the subsequent sites that
processed it before it was delivered to me. For sure, other headers
inserted by the list manager (all the List-* for example) were inserted
amongst the headers of the original, but that seems to be quite customary.

+2. The list manager observed a valid DKIM signature on the arriving
message and, knowing he was about to break it, recorded its validity in an
A-R header.

+3. The list manager inserted his own Sender header, as is customary (it
remains unknown whether there was an earlier Sender that was removed).

+4. The list manager DKIM-Signed the message as it left him, which seems
to be the expected practice.

+5. His signature covered the customary "important" headers from the
original message (Date:To:From:Message-ID:MIME-Version:Subject:Reply-To)
(not sure that MIME-Version is really "important", though).

+6. His signature covered (most of) the headers he had added, notably
List-*, Sender and Content-Type (which was changed from the original).

So there remain only two things he did _not_ do, which he might have done:

-7. His signature did NOT cover the A-R he had added (so we have to assume
that it was not an artefact by the spammer, although it most certainly
SHOULD have been removed if it was). So we may well "believe" the list
manager had put it there, but it would be nicer to have had some proof.

-8. The list manager did not retain the original (and now broken)
signature. There are certainly some on this list who would have preferred
to see it left ("for forensics").



-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
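The checklist in the message above (A-R preserved, list signature present, Sender covered, A-R not covered by the list's h= tag, original signature dropped) can be run mechanically over a received copy. The script below is an added example, not code from the post or from any list software; the message it parses is constructed with placeholder domains and dummy signature values, and only the h= coverage is inspected, not the cryptographic validity of the signature.

```python
# Constructed sample (placeholder domains/values, not the original post's headers):
RAW = """\
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.org; s=list;
 h=Date:To:From:Message-ID:MIME-Version:Subject:Reply-To:List-Id:Sender:Content-Type;
 bh=PLACEHOLDER=; b=PLACEHOLDER=
Sender: ietf-dkim-bounces@lists.example.org
List-Id: <ietf-dkim.lists.example.org>
Authentication-Results: lists.example.org; dkim=pass header.d=sender.example.com
Date: Mon, 15 Jun 2009 10:58:14 +0100
From: alice@sender.example.com
To: ietf-dkim@lists.example.org
Subject: chained signatures
Message-ID: <1@sender.example.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

body
"""

def parse_headers(raw):
    # Return [(name, value)] in wire order, unfolding continuation lines.
    hdrs = []
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in " \t" and hdrs:          # folded continuation line
            hdrs[-1] = (hdrs[-1][0], hdrs[-1][1] + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            hdrs.append((name.strip(), value.strip()))
    return hdrs

def dkim_tags(value):
    # Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list).
    tags = {}
    for part in value.split(";"):
        k, _, v = part.partition("=")
        if k.strip():
            tags[k.strip()] = v.strip()
    return tags

def audit_list_copy(raw):
    """Check points +1, +2, +4, +6, -7 and -8 from the post on one message."""
    hdrs = parse_headers(raw)
    names = [n.lower() for n, _ in hdrs]
    sigs = [dkim_tags(v) for n, v in hdrs if n.lower() == "dkim-signature"]
    covered = set()                              # header names listed in any h= tag
    for s in sigs:
        covered |= {h.strip().lower() for h in s.get("h", "").split(":") if h.strip()}
    return {
        "ar_preserved": "authentication-results" in names,       # +1 / +2
        "list_signed": bool(sigs),                                # +4
        "sender_covered": "sender" in covered,                    # +6
        "ar_covered_by_signature": "authentication-results" in covered,  # -7
        "original_signature_retained": len({s.get("d") for s in sigs}) >= 2,  # -8
    }
```

On the constructed message the audit reports the same two gaps the post lists: the A-R header is present but outside h=, and only one signing domain survives.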
