Charles Lindsey wrote:
On Mon, 04 Oct 2010 23:24:11 +0100, President Obama <obama(_at_)whitehouse(_dot_)gov> wrote:
THIS IS A MULTIPLE 5322.FROM SPOOFED MESSAGE
Interestingly, my MUA (Opera) displayed both of those From headers, but I
can quite well understand that many other MUAs don't, and even where they
do I would expect many phishees would not notice the second one.
Authentication-Results: dkim.winserver.com;
dkim=pass header.i=mipassoc.org header.d=mipassoc.org header.s=k00001;
adsp=none author.d=whitehouse.gov signer.d=mipassoc.org;
And for ADSP, our verifier picked up the first (top) 5322.From domain
as well. Since I whitelist mipassoc.org, I get all its output.
Mind you, that I had to do this twice to get a copy because I had
already added a multiple 5322.From rejector script at the SMTP DATA
session. I had to turn it off and repeat it to get a copy that I see
here from spoofed "President Obama".
So the 5321/5322 filtering layer approach works fine (but we lose
interesting mail <g>). But I would not have done this if I was not
made aware of this problem by Alt-N who discovered this security hole.
And that is the main gist of this, and I don't care how the IETF cats
want to do this:
Engineering AWARENESS must be added to the 4871bis.
--
HLS
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
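
An added example, not part of the original message or any poster's code: one way a DATA-stage filter of the kind described above could detect repeated 5322.From fields, generalized to other header fields that RFC 5322 allows only once. The function names, the sample message with its example domains, and the 550 reply are assumptions.

```python
from email.parser import BytesParser
from email.utils import parseaddr

# Fields that RFC 5322 section 3.6 allows at most once per message.
SINGLETONS = ("From", "Sender", "Reply-To", "To", "Cc", "Subject",
              "Date", "Message-ID")

# Constructed sample with two From fields (example domains, not the
# addresses from the thread).
SAMPLE = (
    b"From: Spoofed Author <author@spoofed.example>\r\n"
    b"From: Real Sender <sender@list.example>\r\n"
    b"To: reader@rcpt.example\r\n"
    b"Subject: test\r\n"
    b"Date: Mon, 04 Oct 2010 23:24:11 +0100\r\n"
    b"Message-ID: <1@list.example>\r\n"
    b"\r\n"
    b"body\r\n"
)

def _headers(raw):
    # Parse only the header section; the body is irrelevant to this check.
    return BytesParser().parsebytes(raw, headersonly=True)

def duplicated_singletons(raw):
    """Return {field: [values]} for each singleton field seen more than once."""
    msg = _headers(raw)
    return {name: msg.get_all(name) for name in SINGLETONS
            if len(msg.get_all(name, [])) > 1}

def from_domains(raw):
    """Domains of the top and bottom From fields. A verifier and an MUA that
    each read a different one will disagree about who the author is."""
    values = _headers(raw).get_all("From", [])
    doms = [parseaddr(v)[1].rpartition("@")[2].lower() for v in values]
    return (doms[0], doms[-1]) if doms else (None, None)

def data_verdict(raw):
    """Decision at end of SMTP DATA. The reply code and text are an assumed
    local policy choice, not taken from the thread."""
    dups = duplicated_singletons(raw)
    if dups:
        return (550, "5.7.1 repeated header field(s): " + ", ".join(sorted(dups)))
    return (250, "2.0.0 accepted")

if __name__ == "__main__":
    print(from_domains(SAMPLE), data_verdict(SAMPLE))
```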