On Wed, 6 Oct 2004, Rand Wacker wrote:
> So SPF and SID are useful to allow whitelisting of the 80% or so of
> messages that *pass* checks (and are on the associated whitelist), but
> will probably not be useful for anti-forgery checks.
Well, I have some comments about this, which luckily get us back on the subject
of email signatures. First, let's notice that mail signatures by themselves are
like SPF without rejecting with -all. What I mean is that while you can whitelist
a message that has a signature, the bad guys can still continue to send
emails with your forged address without any signatures, and people will
continue to accept them. To get around this we obviously need to have an email
policy record that says that such and such domain has a mail server that signs
all outgoing email (in fact most proposals at MASS have that as part of their
design, using either special DNS records or SPF modifiers).
Now the problem is exactly this email policy record. It so happens that if
the email signature standard cannot deal with how email is changed in transit
(like the mail list problem of DomainKeys), the result is that the receiver can
only whitelist email with good signatures, and if the signature is bad, he does not know
if it was due to changes made in transit or if it was originally bad. So
while an organization can publish "-all" for mail signatures, the receiver can
not reliably use that, because at least some of the email from the domain
is going to fail signature verification unless the signature can survive all
changes in transit and still be verifiable.
I did actually find some ways to get around the problem of failed signatures
due to email mangling, but this works only when the false positive rate is
low (not the kind of rate that would happen if a message cannot survive
common mail list processing). My ideas involve a mechanism for double-checking
in some way whether the message was or was not changed in transit, based on certain
parameters included in the message signature, and if it is found that the
message was changed, then it is allowed through as if it was an unsigned
message even if "-all" is published, but for all other really unsigned
email, and for email where public key verification fails, the message is denied.
---
William Leibzon, Elan Networks:
mailto: william(_at_)elan(_dot_)net
Anti-Spam and Email Security Research Worksite:
http://www.elan.net/~william/emailsecurity/
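As an added example (not the author's code, nor any MASS proposal's), here is a simplified sketch of the receiver-side decision the message describes: a signature tag recording the signed body length stands in for the "certain parameters included in the message signature", an HMAC with a constructed key stands in for the public-key signature, and the `policy_all_signed` flag stands in for a published "-all". The function and tag names (`sign`, `verify`, `decide`, `l=`, `bh=`, `sig=`) are assumptions made for this illustration.

```python
import hashlib
import hmac

# Constructed demo key standing in for the domain's signing key; real
# proposals use public-key signatures with the key published in DNS.
KEY = b"constructed-demo-signing-key"

def sign(body: bytes) -> str:
    """Sign the body and record its signed length (l=) so a verifier can later
    tell 'text appended in transit' apart from 'body does not match'."""
    l = len(body)
    bh = hashlib.sha256(body).hexdigest()
    sig = hmac.new(KEY, f"{l}:{bh}".encode(), "sha256").hexdigest()
    return f"l={l}; bh={bh}; sig={sig}"

def parse_tags(header: str) -> dict:
    return dict(tag.strip().split("=", 1) for tag in header.split(";"))

def verify(header, body: bytes) -> str:
    """PASS, MODIFIED (changed in transit), FAIL (bad signature) or NONE."""
    if header is None:
        return "NONE"
    t = parse_tags(header)
    l = int(t["l"])
    expected = hmac.new(KEY, f"{l}:{t['bh']}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, t["sig"]):
        return "FAIL"            # signature value itself does not check out
    if hashlib.sha256(body).hexdigest() == t["bh"]:
        return "PASS"
    # Signature is genuine but the body differs: if the first l bytes are
    # intact, only trailing text (e.g. a list footer) was appended in transit.
    if len(body) > l and hashlib.sha256(body[:l]).hexdigest() == t["bh"]:
        return "MODIFIED"        # note: the appended text is unauthenticated
    return "FAIL"

def decide(header, body: bytes, policy_all_signed: bool = True) -> tuple:
    """Apply the sender's policy ('-all' == policy_all_signed) to a result."""
    result = verify(header, body)
    if result == "PASS":
        return ("accept", result)
    if result == "MODIFIED":     # changed in transit: treat as unsigned
        return ("accept-as-unsigned", result)
    if result == "NONE" and not policy_all_signed:
        return ("accept-as-unsigned", result)
    return ("reject", result)    # unsigned under -all, or a failed signature
```

The appended text in the MODIFIED case is by construction unauthenticated, which is why such a message is only ever treated as unsigned rather than as passing.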