ietf-mailsig

Re: In response to Housley-mass-sec-review

2005-03-09 11:55:29

On Wed, 2005-03-09 at 08:28 -0800, Michael Thomas wrote:
> Why wouldn't the outbound mailer be running spam filters,
> for example?

In lieu of blocking entire domains, a global deployment of a
domain/signature list compared against each message would take longer to
become effective and would make the signature process seem a minor
portion of the CPU load.  One of the goals should be to centralize this
effort to reduce expenditures combating abuse.  A revocation mechanism
provides this centralization.  By combining HELO reputation as a DoS
protection, reputation of the signature as well as revocation checks can
be skipped when HELO is within the signature domain.  All of this could
be done with a single DNS query!   

> And why couldn't an enterprise install software in both the laptops
> and edge routers, etc, to be looking for Zombie-like behavior? I know
> that we have stuff that does both of those things.

Much of this is built upon an OS that does not identify system from
application signals, and where many of the application interactions
depend on insecure scripts and registrations.  While there is a great
deal of effort made in security, many workers use laptops in
environments where the often required external protections do not exist.
Most people would be lucky to be able to format their drive, reinstall
their software, and then download needed patches before it becomes
compromised again.  Not every enterprise is as expert at avoiding this
problem as you may imagine.

> Given these, I remain unconvinced that we need to roll out a huge new
> infrastructure on a sort of day-one basis with mail signing.

I have always said this feature should be optional.  For those domains
that don't see a problem, not using this feature would be a rather
easy option.  This would also help those small domains that have little
access to their DNS.

> If it's ultimately needed, fine, but I don't see anything we're doing
> _now_ that would prevent us from retrofitting this approach in _when_
> it becomes a real live attack vector. We have to balance our efforts
> against spammers' make-work attacks too.

By thinking ahead on "replay", these retro-fits can be made easier.  It
would be advisable for some domains to have this in place beforehand.
Preparation seems to entail capturing the authentication account
information.  This could be from a RADIUS server, a persistent
identifier derived from a network address assignment, or perhaps just a
sequential number where each server uses independent ranges that are
initialized when the key changes.

There is not a huge infrastructure requirement, as this would be
combining existing information.  Just as most servers would have the
capacity to handle signatures, the revocation mechanism would be no
different.  To ensure low impact, this should be combined with HELO
authentication and conventions that dramatically reduce this overhead to
ensure more infrastructure is not required.

-Doug
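The receiver-side ordering Doug argues for above (HELO reputation first as cheap DoS protection, no revocation lookup when HELO lies within the signing domain, otherwise a DNS lookup keyed on the per-account identifier carried in the signature) is sketched here as an added example. It is not code from the thread or from any draft; the signature field names, the `_revoked` DNS label layout, and the in-memory "zone" and HELO blocklist are all constructed assumptions standing in for real DNS and reputation data.

```python
"""Receiver-side decision logic for the revocation scheme discussed in the
thread.  Added illustration; header fields, DNS label layout and the
in-memory data below are assumptions, not anything the thread specifies.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SignatureInfo:
    domain: str       # signing domain (assumed field name)
    selector: str     # key selector; a new key starts a new id range (assumed)
    account_id: int   # persistent or sequential account identifier (assumed)


def helo_within_domain(helo: str, domain: str) -> bool:
    """True when the HELO host equals the signing domain or is a subdomain.

    The "." prefix matters: a plain endswith() would let "notexample.com"
    pass as inside "example.com".
    """
    helo = helo.rstrip(".").lower()
    domain = domain.rstrip(".").lower()
    return helo == domain or helo.endswith("." + domain)


def revocation_query_name(sig: SignatureInfo) -> str:
    """Assumed label layout: <account_id>.<selector>._revoked.<domain>."""
    domain = sig.domain.rstrip(".").lower()
    return f"{sig.account_id}.{sig.selector}._revoked.{domain}"


# Constructed stand-ins for a DNS zone and a HELO reputation feed.
CONSTRUCTED_ZONE = {
    "42.k2._revoked.example.com": "revoked=1",   # account 42 under key k2 revoked
}
CONSTRUCTED_HELO_BLOCKLIST = {"spew.bad-reputation.test"}


def lookup_txt(name: str, zone=CONSTRUCTED_ZONE):
    """Stand-in for a TXT lookup; returns the record or None (NXDOMAIN)."""
    return zone.get(name.lower())


def classify(helo: str, sig: SignatureInfo,
             helo_blocklist=CONSTRUCTED_HELO_BLOCKLIST,
             zone=CONSTRUCTED_ZONE) -> str:
    """Return the receiver verdict for one signed message."""
    # Step 1: HELO reputation as DoS protection; reject before any signature work.
    if helo.rstrip(".").lower() in helo_blocklist:
        return "reject-helo"
    # Step 2: HELO inside the signing domain; revocation lookup is skipped.
    if helo_within_domain(helo, sig.domain):
        return "accept-no-revocation-check"
    # Step 3: otherwise a single DNS query for this account's revocation record.
    if lookup_txt(revocation_query_name(sig), zone) is not None:
        return "reject-revoked"
    return "accept"


if __name__ == "__main__":
    sig = SignatureInfo("example.com", "k2", 42)
    for helo in ("mx1.example.com", "relay.other.net", "spew.bad-reputation.test"):
        print(helo, "->", classify(helo, sig))
```

The verdict strings are placeholders for whatever a real receiver does next (signature verification still has to run on the "accept" paths); the point of the block is the ordering of the cheap checks before the DNS lookup and the subdomain test that decides whether that lookup is needed at all.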

