ietf-dkim

Re: [ietf-dkim] Full name problem

2011-03-02 03:07:03
Comments inline.

-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org [mailto:ietf-dkim-
bounces(_at_)mipassoc(_dot_)org] On Behalf Of Michael Deutschmann
Sent: Wednesday, March 02, 2011 3:20 AM
To: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] Full name problem

> On Tue, 1 Mar 2011, MH Michael Hammer wrote:
> > The display name is problematic as Mr. Crocker has pointed out. One
> > solution to this which I have suggested in the past is to not display
> > the display name in the MUA if the email fails to authenticate.
>
> That won't help.  The attack mail will authenticate successfully -- the
> attack hurts because the identity the *computer* thinks it was expected
> to verify is not the identity the *human* thinks has been verified.


It is admittedly an imperfect solution at best for the case you
describe, but it provides a linkage to the authenticated email address
if the attacker is DKIM signing. What it does accomplish is to drive
attackers to self authenticate. While some phishing emails will get
through initially, the signing entity should end up with a poor/negative
reputation. Attackers might use "throw away" signing entities but this
might provide actionable (reputation) indicators as well.

This is of course somewhat speculative as we have yet to see (publicly
disclosed if they exist) significant reputation systems built
specifically around DKIM signing.

> Both the double-From: and the Full Name attack rely on that principle,
> but the double-From: is less of a threat.  Since double-From: is based
> on a protocol violation with no history of accidental use, it can be
> blocked with no false positives.  (Also, there's a half a chance the
> MUA will display the From: the attacker intended only for the
> validator, to the human.)


> To fix this in the MUA, I'd have it strip the Full Name from *all*
> messages, then re-insert the Full Name as listed in the user's address
> book if there is any match against the real address.


This relies on the user having the entries in the address book. As many
marketers would tell you, easier said than done when it comes to
corporate/organizational mail. I can't speak to mail from individuals.



_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
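The two MUA-side mitigations discussed in this message (show the sender-supplied display name only when the mail authenticates; or strip it from every message and re-insert the address-book name on an exact address match) and the double-From: rejection, as an added example in Python. This is not code from the thread or from either poster. It assumes the DKIM verifier's verdict is handed in as a boolean (no signature is actually verified here), and the sample messages, addresses, address book and function names are constructed for the illustration.

```python
"""Added example: MUA-side handling of the "Full Name" and double-From: cases.

Not code from the ietf-dkim thread or from either poster. Assumptions: the
DKIM verifier's verdict arrives as a boolean; the sample messages, addresses,
address book and function names below are constructed for this illustration.
"""
import email
import re
from email.utils import getaddresses


def from_mailboxes(raw_message):
    """Return (display_name, address) for every mailbox in every From: header.

    RFC 5322 permits exactly one From: header, so more than one mailbox here
    is the double-From: case: a protocol violation the MUA can reject outright.
    """
    msg = email.message_from_string(raw_message)
    return getaddresses(msg.get_all("From", []))


def dkim_signing_domain(raw_message):
    """Return the d= tag of the DKIM-Signature header (lower-cased), or None.

    This domain is the identity the verifier actually checks. Nothing ties it
    to the display name the human reads, which is the problem the thread is
    about.
    """
    msg = email.message_from_string(raw_message)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    match = re.search(r"(?:^|;)\s*d=\s*([^;\s]+)", sig)
    return match.group(1).lower() if match else None


def render_from(raw_message, dkim_verified, address_book, mode):
    """Return the From: line the MUA should show, or a REJECT string.

    mode "auth-gated":   show the sender-supplied display name only when the
                         message authenticated (Hammer's suggestion).
    mode "address-book": never show the sender-supplied display name; use the
                         address-book entry for an exact address match, else
                         the bare address (Deutschmann's suggestion).
    In both modes the bare address is always part of the output, so the
    reader can see which mailbox was actually authenticated.
    """
    mailboxes = from_mailboxes(raw_message)
    if len(mailboxes) != 1:
        return "REJECT: %d From: mailboxes" % len(mailboxes)
    display_name, address = mailboxes[0]
    address = address.lower()
    if mode == "auth-gated":
        shown = display_name if (dkim_verified and display_name) else ""
    elif mode == "address-book":
        shown = address_book.get(address, "")
    else:
        raise ValueError("unknown mode: %r" % mode)
    return '"%s" <%s>' % (shown, address) if shown else address


# Constructed sample messages (not real mail). The DKIM-Signature values are
# placeholders; nothing here verifies a signature.
FULL_NAME_ATTACK = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=attacker.example; s=sel;\n"
    " h=from:subject; bh=placeholder; b=placeholder\n"
    'From: "PayPal Security" <alerts@attacker.example>\n'
    "Subject: Your account\n"
    "\n"
    "Please log in.\n"
)
DOUBLE_FROM = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=attacker.example; s=sel;\n"
    " h=from:subject; bh=placeholder; b=placeholder\n"
    "From: <mail@attacker.example>\n"
    'From: "Alice Example" <alice@example.com>\n'
    "Subject: Hi\n"
    "\n"
    "body\n"
)
LEGIT = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;\n"
    " h=from:subject; bh=placeholder; b=placeholder\n"
    'From: "Alice Example" <alice@example.com>\n'
    "Subject: Lunch\n"
    "\n"
    "Noon?\n"
)
# Constructed address book: real address -> name the user chose for it.
ADDRESS_BOOK = {"alice@example.com": "Alice Example"}

if __name__ == "__main__":
    for label, raw in (("full-name attack", FULL_NAME_ATTACK),
                       ("double-From:", DOUBLE_FROM),
                       ("legitimate", LEGIT)):
        print("%s (d=%s)" % (label, dkim_signing_domain(raw)))
        for mode in ("auth-gated", "address-book"):
            # dkim_verified=True: the attacker self-signs, as the thread notes
            print("  %-12s %s" % (mode, render_from(raw, True, ADDRESS_BOOK, mode)))
```

Running it shows the point made in the quoted reply: with the attacker self-signing under d=attacker.example, "auth-gated" mode still renders "PayPal Security", only now beside the authenticated address; "address-book" mode drops the name because alerts@attacker.example is not in the book, and the double-From: message is rejected in either mode before any display decision is made.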
