ietf-dkim

Re: [ietf-dkim] layer violations, was detecting header mutations after signing

2010-10-21 06:40:21
On Wed, 20 Oct 2010 15:27:16 +0100, Alessandro Vesely <vesely(_at_)tana(_dot_)it> wrote:

> On 20/Oct/10 13:23, Charles Lindsey wrote:
>
>> The scam I have described involves the use, by the phisher, of a
>> DKIM-signed (by himself) email with two From: headers, which is intended
>> to fool verifiers into not spotting that the first signature should have
>> triggered an ADSP lookup which would have revealed that the first From:
>> was 'discardable'.
>>
>> Naturally, the phisher signs with a throwaway domain that has not yet
>> acquired any reputation, good or bad.
>>
>> Since the scam involves the use of DKIM, and since the only fix I am aware
>> of requires a change to the DKIM standard, then it is highly relevant to
>> the current discussion.
>
> IMHO, this issue has to be addressed by refining the signing spec.  For
> example, the initial paragraph of section 5.4 could be modified so as
> to read:

But that does not address this particular scam (though it does address
some other scams involving duplicated headers).

Notice that in my scam it is the Bad Guy that generates the signature, and
you cannot assume that a Bad Guy will obey ANY requirement imposed by
4871-bis if he believes that generating a message that violates that
requirement will enable him to fool somebody of some system somewhere.

........

> Verifiers would then discard any From field after the first one,
> whether signed or not.  Of course, a combo-verifier is always free to
> return some error due to bad message syntax, even if all signatures
> verify (although I'd consider it cleaner to return non-DKIM errors for
> non-DKIM failures.)

Yes, verifiers are the only place where this scam can be caught, and they
must be mandated to catch it. The precise means of catching it can be
discussed, and whether they catch it on the grounds that 5322 has been
violated or on the grounds that some other provision of 4871-bis has been
violated is just a matter of semantics. If it makes people happier to word
it so that it is not perceived as a "layering violation" then I suppose
making it appear as a 4871-bis violation would be better; but I do not
really like technical solutions being dictated by purely political
arguments.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131                       
   Web: http://www.cs.man.ac.uk/~chl
Email: chl(_at_)clerew(_dot_)man(_dot_)ac(_dot_)uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
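The verifier-side check the two correspondents agree on (catch a second From: field before any signature is evaluated) as an added illustration; this is not code from the thread, from the list, or from any DKIM implementation. It assumes the RFC 5322 rule that a message carries exactly one From: field and the RFC 4871 section 5.4 rule that a signer listing From: once in h= hashes the physically last instance, which is why a signature-only verifier and the recipient's MUA can be looking at different From: fields. The two sample messages, their domains and the signature tag values are constructed placeholders.

```python
"""Verifier-side pre-check for messages carrying more than one From: field.

Added illustration for this thread; not code from the list or from any
DKIM implementation. Sample messages, domains and signature values are
constructed placeholders.
"""
import email
import email.utils
import re
from typing import Dict, List, Optional

# Constructed sample of the message shape discussed in the thread: the first
# From: is the one a typical MUA shows, the last one is the field RFC 4871
# section 5.4 tells a signer to hash when From: appears once in h=.
TWO_FROM_MESSAGE = (
    "From: Example Bank <alerts@bank.example>\r\n"
    "To: victim@mail.example\r\n"
    "Subject: Account notice\r\n"
    "From: nobody@throwaway.example\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=throwaway.example; s=sel;\r\n"
    "  h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "\r\n"
    "Please log in.\r\n"
)

# Constructed control message with exactly one From: field.
ONE_FROM_MESSAGE = (
    "From: Example Bank <alerts@bank.example>\r\n"
    "To: victim@mail.example\r\n"
    "Subject: Account notice\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=bank.example; s=sel;\r\n"
    "  h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "\r\n"
    "Hello.\r\n"
)


def from_fields(raw: str) -> List[str]:
    """All From: field bodies in header order; the email module unfolds them."""
    msg = email.message_from_string(raw)
    return [v.strip() for v in (msg.get_all("From") or [])]


def domain_of(mailbox: str) -> str:
    """Domain part of the address in a From: field body ('' if none found)."""
    addr = email.utils.parseaddr(mailbox)[1]
    return addr.rpartition("@")[2].lower()


def signature_domain(raw: str) -> Optional[str]:
    """The d= tag of the first DKIM-Signature field, if any (no verification done)."""
    msg = email.message_from_string(raw)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    m = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", sig)
    return m.group(1).lower() if m else None


def precheck(raw: str) -> Dict[str, object]:
    """Decide, before any signature work, whether the header block is acceptable.

    RFC 5322 section 3.6 allows exactly one From: field, so the count alone
    decides the verdict. The remaining keys show what a signature-only check
    would have looked at (last From:, d= of the signature) against what the
    recipient sees (first From:), which is the gap the thread is about.
    """
    fields = from_fields(raw)
    displayed = fields[0] if fields else None   # what most MUAs render
    signed = fields[-1] if fields else None     # bottom-up selection, RFC 4871 s.5.4
    return {
        "from_count": len(fields),
        "verdict": "ok" if len(fields) == 1 else "reject",
        "displayed_from_domain": domain_of(displayed) if displayed else None,
        "signed_from_domain": domain_of(signed) if signed else None,
        "signature_d": signature_domain(raw),
    }


if __name__ == "__main__":
    for label, raw in (("two From:", TWO_FROM_MESSAGE), ("one From:", ONE_FROM_MESSAGE)):
        print(label, precheck(raw))
```

Running the block on the two-From: sample yields a "reject" verdict with displayed_from_domain bank.example while signed_from_domain and signature_d are both throwaway.example; on the control message it yields "ok". The verdict rests on the From: count only, so it is the same whether the verifier words it as a 5322 syntax failure or as a 4871-bis violation; the domain fields are there to make the mismatch visible in logs.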
