ietf-dkim

Re: [ietf-dkim] Issue: Deployment Guide Section 6.1/6.5 (ADSP/Forwarder) conflict

2009-10-23 11:49:49


--On 23 October 2009 10:29:17 -0400 "John R. Levine" 
<johnl(_at_)iecc(_dot_)com> wrote:

If, as I suspect, bad guys spoofing their way onto lists past admins
unwilling to do inbound filtering is not an actual problem, perhaps we
could agree not to waste time inventing mechanisms to solve it?

I don't think that's what people have been worried about. I think
they've been worried about spammers adding list headers to messages, in
order to remove the ADSP protection. There's also the possibility of
spammers subscribing to lists. Still, a well managed list should have a
good reputation, and I don't see much list abuse.

This strikes me as an even more arcane and implausible threat. Since
spammers don't add fake list headers to evade filtering now, why would
they start now?

Well, they won't do it yet. They may start to do it if it becomes hard to 
deliver email otherwise. With future widespread MSA, DKIM, ADSP and SPF, I 
think it's theoretically possible that all mail could be checked for 
authorisation some day. Therefore, spammers will need to look for ways to 
sponge off domains with good reputations (newly registered domains won't 
have good reputations). Forging list-id headers might be a way to do it.

Wouldn't the correct response be for lists to sign their mail to help
recipients recognize real list mail?  That has the advantage of requiring
no changes to any IETF document.


Absolutely.

I agree that we don't need additional mechanisms, but think we do need
better clarity on the distinction between dkim=all and dkim=discardable.

Since ADSP is useless to the 99.99% of domains that are not phish targets
like Paypal (and probably useless even there), that would be an extremely
poor use of limited resources.  It would be much more useful to help
people who write and use list software get the lists to sign their mail
so you can whitelist real list mail from lists you know.

All sites with good email sender reputation are phish targets these days. 
We're seeing spear phishing attempts several times per week nowadays. 
Success generally results in web mail accounts being used to send 419 
scams, or further phishing. Phishers value our accounts enough that they'll 
enter an exchange of emails with a user in order to convince the user to 
give up a password.

I'm not sure that I can see a business case for anyone else to use our 
addresses in From: headers. Certainly not without prior arrangement, and 
DKIM delegation can allow that. So, I can see value in ADSP for our site.

Anyway, the point of clarifying the distinction is to prevent people making 
the mistake that you seem to be expecting them to make.

R's,
John



-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
