
Re: more hand waving about mailing lists

2004-12-07 21:56:52

John R Levine wrote:

>> As for the "time machine" aspect for all of this, I'm much more
>> concerned about the little mailing lists that haven't been upgraded in
>> ages than I am about well-established and well-maintained mailing list
>> operators.  One thing we're trying to do here is to disenfranchise as
>> few people as possible, even those that aren't professional mailing list
>> operators.

> I subscribe to lots of little mailing lists running on dusty old servers.
> The amount of forged mail they forward is, within a gnat's eyelash, none.
> They all verify the senders somehow, and the From: addresses are all real.
> Could you give a concrete example of a problem with some actual existing
> mailing lists that aren't tractable now but that forwarded signatures
> would solve?
The spoofed message claiming to come from Harry Katz sent to ietf-mxcomp on April 27:
http://www.imc.org/ietf-mxcomp/mail-archive/msg01146.html


>> This isn't in C, but here is what I would do.
>> [ four point canonicalizing scheme snipped ]

> This scheme won't work on the yahoo groups example I posted yesterday,
> nor would it work on mail passing through my stock majordomo2 server.
OK.  It does work for plain text mail passing through yahoogroups.

>> One attack on this whole thing is for the attacker to pretend to be a
>> mailing list, and just sign a bunch of spam/phishing messages on behalf
>> of a throwaway address.  The message looks legitimate and signed, but
>> it's not signed by anyone trustworthy.  This puts a very strong
>> dependency on reputation and accreditation services. ...

> How is this any different from a bunch of signed spam coming from any
> other address?  I don't know of any mail filters that say "oh, this looks
> like a mailing list so we'll give it a pass."  Any signature scheme
> depends on whitelists and blacklists to decide whose mail to accept.
The difference is that (and perhaps this is a different topic entirely) the signature on a mailing list or something trying to pose as one is likely to be invisible to the recipient. So unless you can reliably whitelist real mailing lists (and I contend you can't, without an external accreditation/reputation service, if you're verifying at the domain level), you're giving attackers a way to spoof.

>> Perhaps this is the "illusory" aspect described above, but IIM
>> signatures as they are currently defined are surviving a number of
>> mailing lists, including ASRG, dk-milter-discuss@sourceforge.net,
>> ietf-mailsig, ietf-mxcomp, and Yahoo! Groups.

> Hold on a minute.  IIM signatures most certainly do not pass through yahoo
> groups with any reliability.  Didn't you see the example I posted
> yesterday?
Yes; as I note in the next line, I tend to send plaintext mail to lists and that does work with yahoogroups.

>> messages, messages with S/MIME signatures and the like, but the vast
>> majority of messages on the mailing lists I subscribe to are plain text
>> as well.

> I believe you, but I think the problem here is that the lists that you
> (and probably I) subscribe to are extremely atypical of both current list
> mail and mail in general.  For starters, the vast majority of mail that
> typical mail users send and receive is now HTML mail.  IIM crashes and
> burns as soon as someone starts manipulating the HTML in messages, which
> list managers very commonly do.
IIM fails verification when HTML is manipulated; it does not "crash and burn". By shortening the byte count artificially, we could make yahoogroups succeed for HTML, although it would still fail for S/MIME because yahoogroups strips out the "This is a cryptographically signed message..." line at the beginning. But that's not the point; I'm not worried about yahoogroups or similarly sophisticated list managers because they will undoubtedly sign soon (although I wonder why yahoogroups isn't signing with DK already).

I'd be curious if anyone has stats on the proportion of HTML mail today. I checked my wife's choir and moms' group mailing lists, and it wasn't overwhelming. But it's just a matter of curiosity; I don't expect the answer to affect this discussion.

But this whole discussion has been about the body length count, right? How about the examples of header munging that occur at transit MTAs, such as the addition of [SPAM] to the subject line? I even have a mail forwarder address that does that for me. Should we be making allowances for that, such as by copying headers?

-Jim

