ietf-mailsig
[Top] [All Lists]

Re: MASS plus Sender-ID

2004-11-21 21:19:31

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


wayne writes:
In <20041121210716(_dot_)BA960590103(_at_)radish(_dot_)jmason(_dot_)org> 
jm(_at_)jmason(_dot_)org (Justin Mason) writes:

Tony Finch writes:
Why do you think replay of entire messages is a problem?

Or are you concerned with attacks based on the canonicalization algorithm,
which might allow an attacker to add content to a previous message? [...]

Yes, very important to differentiate the two.   The latter is much
more usefully exploitable to spammers and more likely to occur.

Even a straight replay can be a problem.  A spammer can sign up for
any number of free email accounts, use those accounts to send email to
another account they have, and *poof* they have a signed message from
AOL/Hotmail/Yahoo/whatever.  Now they can spam the world with that
message and it will pass authentication and use the reputation of the
sender to get past filters.

hmm.   if the message was sent from webmail.com to goodrecip.com, then the
signed message was spammed via proxy.com to spamee.com, as far as I know
the message headers would look like this:

    Received: from ... by spamee.com;
    ...
    Received: from [forged] by proxy.com;
    ...
    Received: from webmail.com by goodrecip.com;
    ...
    Whatever-Signature: ....
    Received: from [injection address] by webmail.com;
    From: spamtest /at/ webmail.com
    Subject: [...]

    [...body]

So in other words, 'Whatever-Signature:' covers the stuff from there
down.   

But a quick look at the DK spec (s 3.7.2), at least, does seem to indicate
that DK doesn't have a way to detect this attack -- this is considered
valid, as long as the "From" and "Sender" headers match what they were for
the initial webmail-to-goodrecip step; and spammers would have no problem
ensuring that.

hmm, you might be on to something there, that does indeed seem to be a
replay attack that can be used to deliver spam.

- --j.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFBoWiuMJF5cimLx9ARAmWVAJ9Rh0RYluozclTM2WjJPCZY70MomQCdGJvT
7a0mT9agWU9PK3p+Gs/bI0c=
=bN4r
-----END PGP SIGNATURE-----


<Prev in Thread] Current Thread [Next in Thread>