ietf-dkim

Re: [ietf-dkim] ISSUE: 4871bis-02 - Section 8.14 comments

2010-10-18 06:18:28
On Fri, 15 Oct 2010 15:48:05 +0100, Ian Eiloart 
<iane(_at_)sussex(_dot_)ac(_dot_)uk> wrote:

> Here's a more interesting attack:
>
> Compose an email apparently from eBay, and send it to yourself. Get a valid
> DKIM signature, then add a From: header containing an eBay address, and use
> the replay to send that message to third parties.  Now, your email will be
> displayed to (some) recipients as an authenticated email from eBay. Note,
> the problem is that the MUA is saying the message is Authenticated, but the
> user is doing reputation assignment based on the (incorrectly) displayed
> eBay address.

Yes, that is more like the attacks that I have been worrying about. But I
don't see what you gain by "sending it to yourself". Is that supposed
to cause it to pick up some signature on the way? If so, then it certainly
won't pick up an ebay signature (though it might be a useful technique if
it was Yahoo rather than Ebay you were trying to attack).

But yes, getting a valid signature on it (even the phisher's own
signature) is sufficient to prevent any ADSP lookup happening, and the
main aim is to avoid getting caught by ebay's 'discardable'.

> Actually, I'm not sure this is different from just sending email with a
> spoofed From: header, though the dual header attack might be more useful to
> a phisher who has access to a system which, for example, won't sign spoofed
> headers.

I would think any competent phisher can find a system to generate whatever
he wants to generate. But a simple (unsigned) message with a spoofed From:
header will get trapped by an ADSP 'discardable' (modulo the problem that
ADSP doesn't actually specify which of several From: headers to look at,
though most ADSP implementations will likely just look at the first).



-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131      Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
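
An added example, not part of the original thread and not any DKIM implementation's own code: a receiver-side check in Python that reports From: fields which a DKIM-Signature's h= tag does not cover, the condition the dual From: header discussion above turns on. It assumes h= entries bind to header instances from the bottom of the header block upward, does no cryptographic verification, and uses a constructed sample message with placeholder domains and tag values.

```python
import email
import re

# Constructed sample: the signature's h= lists "from" once, yet the message
# carries two From: fields. Domains, bh= and b= values are placeholders.
SAMPLE = (
    "From: service@brand.example\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=sender.example; s=sel;\r\n"
    " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: someone@sender.example\r\n"
    "To: user@recipient.example\r\n"
    "Subject: account notice\r\n"
    "\r\n"
    "body\r\n"
)

def signed_header_names(sig_value):
    """Lower-cased field names listed in a DKIM-Signature h= tag."""
    unfolded = re.sub(r"\s+", "", sig_value)  # drop folding whitespace
    tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
    return [n.lower() for n in tags.get("h", "").split(":") if n]

def from_coverage(raw):
    """Per DKIM-Signature: which From: values h= covers and which it does not."""
    msg = email.message_from_string(raw)
    froms = msg.get_all("From", [])  # top-to-bottom order
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        n_signed = signed_header_names(sig).count("from")
        # h= entries bind to instances from the bottom of the header block
        # upward, so surplus From: fields at the top are outside the signature.
        n_unsigned = max(len(froms) - n_signed, 0)
        report.append({"signed_from": froms[n_unsigned:],
                       "unsigned_from": froms[:n_unsigned]})
    return report

def is_suspicious(raw):
    """True if From: is not unique or any signature leaves a From: uncovered."""
    froms = email.message_from_string(raw).get_all("From", [])
    return len(froms) != 1 or any(r["unsigned_from"] for r in from_coverage(raw))

if __name__ == "__main__":
    print(from_coverage(SAMPLE), is_suspicious(SAMPLE))
```

A signer that lists "from" one more time in h= than there are From: fields makes any From: added later break verification, which is why the check counts h= entries rather than only looking for the name.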
