John R. Levine wrote:
I dunno what that tells us, other than that whatever attack is enabled by
duplicated headers, it doesn't appear to have happened yet.
Maybe it has, and it is the best-kept secret loophole of spammers and
spoofers. Maybe there should be more research into the site mail
archives to see how much of this was among us, fooling users for a long
time.
Maybe it slowed down as the larger ISPs or ESPs began to filter
invalid RFC 822, 2822/5322 messages like gmail.com does now. But then
again, gmail.com is a relatively new entry.
I can tell you that our 25+ year old mail package, which was one of the
top 5 BBS mail packages in the 80s and early 90s, never looked for this as
far as I recall, and only recently I added a server script to check for
it after discovering why Alt-N modified their API to check for
multiple non-hashed From: headers.
Alt-N's input on this was that they did not see any evidence of wide usage
other than the fact that it was a customer report, and they updated their
DKIM API to add a "new requirement" for verification - all 5322.From
must be hashed.
That is why the President Obama message got into here. It had two
5322.From headers which were signed by my system when it sent the
message to Dave's system. Dave's system validated the double From
and re-signed without hesitation.
However, when I sent the double From without a valid signature, it
barfed the message.
What your research shows is that the problem is REAL. What we don't know is
how much it has affected the end-users as part of the phishing and
spoofing schemes, because I will venture that most systems do not check
for this.
Thanks to DKIM, now they will, and for the legacy systems adding a
DKIM standalone component, the DKIM component MUST also check for this
loophole.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
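The check the message above describes (every 5322.From instance must be covered by the signature's h= list, since per RFC 6376 each listing of a field name in h= covers one instance, counted from the bottom of the header block) can be implemented as a small verifier-side gate. This is an added example, not code from the thread or from Alt-N's product; the raw messages, domain names and signature values are constructed samples, and the b= and bh= values are placeholders, so no cryptographic verification is performed here, only the header-coverage accounting.

```python
import re

def parse_header_fields(raw: bytes) -> list[tuple[str, str]]:
    """Split the raw header block into unfolded (name, value) pairs, in wire order."""
    text = raw.decode("ascii", "replace").replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    unfolded = re.sub(r"\n[ \t]+", " ", head)   # undo RFC 5322 header folding
    fields = []
    for line in unfolded.split("\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields

def signed_from_count(dkim_value: str) -> int:
    """Number of From instances the h= tag covers: one per listing (RFC 6376 5.4.2)."""
    tags = {}
    for tag in dkim_value.split(";"):
        if "=" in tag:
            key, value = tag.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    names = [n.strip().lower() for n in tags.get("h", "").split(":")]
    return names.count("from")

def check_from_coverage(raw: bytes) -> dict:
    """Report whether every 5322.From header is covered by some DKIM-Signature."""
    fields = parse_header_fields(raw)
    from_count = sum(1 for name, _ in fields if name == "from")
    sigs = [value for name, value in fields if name == "dkim-signature"]
    covered = max((signed_from_count(v) for v in sigs), default=0)
    return {
        "from_count": from_count,
        "from_signed": covered,
        "multiple_from": from_count > 1,
        # Only one From, covered by h=, is the normal case; a second uncovered From fails.
        "all_from_signed": from_count > 0 and covered >= from_count,
    }

# Constructed samples (hypothetical addresses, placeholder signature values).
# LOOPHOLE: two From headers, but h= names From once, so the upper one is unsigned.
LOOPHOLE = b"""DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;
 h=From:To:Subject; bh=BODYHASH; b=SIGNATURE
From: president@example.gov
From: sender@example.com
To: user@example.org
Subject: double From

body
"""
# CORRECTED: the signer lists From three times, covering both instances plus one
# extra so that any From added in transit would break the signature.
CORRECTED = LOOPHOLE.replace(b"h=From:To:Subject", b"h=From:From:From:To:Subject")

if __name__ == "__main__":
    print(check_from_coverage(LOOPHOLE))    # all_from_signed False
    print(check_from_coverage(CORRECTED))   # all_from_signed True
```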