ietf-mailsig

Re: MASS Security Review document

2005-02-13 18:03:30

John R Levine wrote in response to me:

There's a related attack that actually worries me more.  Suppose someone
sends some spam to (for example) an ietf.org mailing list, where it gets
[re-]signed.  If this message is replayed widely, it looks like ietf.org
is generating lots of spam, and it didn't even come from a user with an
ietf.org address.

Uh, that's how it's supposed to work.  If ietf.org manages their mail
system so poorly that they remail and sign a lot of spam, they deserve
whatever poor reputation that earns them.  If recipients, for their own
reasons, want to accept mail from that domain anyway, I don't know anyone
who thinks that whitelists are going away.

My point is, when coupled with a message replay, it doesn't need to remail and sign a lot of spam. The mailing list can be a mechanism for a spam message to gain a signature which is then replayed to a *lot* of addresses (not just list subscribers). I'm concerned that there might be enough potential damage to a domain's reputation to make people think twice about hosting a mailing list. I'm not sure what the answer is here; perhaps mailing lists need to (somehow) take weaker responsibility for messages that pass through them.

But one thing I think hasn't been addressed adequately in any of the
proposals is whether or how a re-signer of a message indicates whether
the message they got had a valid signature (and from whom).

Why would that be useful?  Consider these three scenarios:

List A is manually moderated by a live person who checks all the messages
before they're sent out.

List B gives passwords to its users which they have to include in mail for
it to be resent.  (The list software strips the passwords, of course.)

List C resends all mail from anyone that has a valid IIM signature,
subscriber or not.

I would expect lists A and B, using techniques unrelated to signatures
that have been around for many years, to earn much better reputations than
list C.

C doesn't make any sense; why wouldn't lists continue to allow only subscribers to post (if that's their current policy)?

As I think about it more, I'm not sure whether having an assertion that the input to a mailing list was signed is useful or not. A, B, and C above have nothing to do with that; it's more of a question whether you could do anything useful with that assertion by the mailing list.

-Jim

