ietf-mailsig

Re: Spoofing revisited

2005-07-27 19:01:47

On July 27, 2005 at 17:59, "Arvel Hathcock" wrote:

> In the case of the example you gave joe.user@x does not match
> d=ispoofyou.com from the signature.  Therefore an SSP is required using the
> domain 'x' taken from joe.user@x (the "Originator Address").  In fact, this
> policy lookup is required any time the signing entity does not match the
> domain of the From.  The policy at domain 'x' will specify that it does not
> allow "third-party signatures" and that's the end of the problem right?

Unfortunately, the mail archive's address harvesting protection
messed up the example.  Here it is again (which the archives will
mangle):

  DKIM-Signature: a=rsa-sha1; s=whatever; d=ispoofyou.org;
        c=simple; q=dns;
        h=Received : From : To : Subject : Date : Message-ID;
        b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
          VoG4ZHRNiYzR;
  Received: from 10.2.3.4-example.com  [10.2.3.4]
        by submitserver.example.com with SUBMISSION;
        Fri, 11 Jul 2003 21:01:54 -0700 (PDT)
  From: Joe User <joe.user@example.com>
  To: Suzie Q <suzie@shopping.example.net>
  Subject: I need your help?
  Date: Fri, 11 Jul 2003 21:00:37 -0700 (PDT)
  Message-ID: <20030712040037.46341.5F8J@example.com>

  ...

In the example, the i= is a sub-domain of d=, but the From is
of a different domain (and what is displayed by MUAs).

--ewh
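
The check the thread is arguing about, as an added example that is not part of this post or of any DKIM implementation: unfold the headers, pull d= out of the DKIM-Signature, take the domain of the From address, and report whether the signing domain covers it (equal or a parent domain) or whether a policy lookup at the From domain is needed. The sample headers are the ones from the message above with the archive's address mangling undone (an assumption), plus a second constructed message where the signer does cover the From domain.

```python
import re
from email.utils import parseaddr

# Constructed sample: the headers quoted in the message above, un-mangled.
SAMPLE_SPOOF = """DKIM-Signature: a=rsa-sha1; s=whatever; d=ispoofyou.org;
        c=simple; q=dns;
        h=Received : From : To : Subject : Date : Message-ID;
        b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ
          VoG4ZHRNiYzR;
From: Joe User <joe.user@example.com>
To: Suzie Q <suzie@shopping.example.net>
Subject: I need your help?
"""

# Constructed sample: same signer, but the From domain is under d=.
SAMPLE_OK = """DKIM-Signature: a=rsa-sha1; s=whatever; d=ispoofyou.org; c=simple; q=dns;
        h=From : To : Subject; b=AAAA;
From: Ops <ops@mail.ispoofyou.org>
"""

def unfold_headers(raw):
    """Join continuation lines; return {lowercase name: value}, first occurrence wins."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name.strip().lower(), value.strip()])
    return {name: value for name, value in reversed(fields)}

def parse_tags(sig_value):
    """Split 'a=rsa-sha1; s=whatever; ...' into a dict, dropping folding whitespace."""
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def policy_lookup_needed(raw_headers):
    """Return (from_domain, signing_domain, needs_lookup).

    needs_lookup is True when d= neither equals the From domain nor is a
    parent of it, i.e. the signature says nothing about who may use that From."""
    hdrs = unfold_headers(raw_headers)
    signing = parse_tags(hdrs.get("dkim-signature", "")).get("d", "").lower()
    from_domain = parseaddr(hdrs.get("from", ""))[1].rsplit("@", 1)[-1].lower()
    covered = bool(signing) and (from_domain == signing or from_domain.endswith("." + signing))
    return from_domain, signing, not covered
```

A verifier that treats the first case as "signed, therefore fine" is exactly the display-name/From spoof the thread describes; the lookup at the From domain is what lets that domain say whether third-party signatures are acceptable.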
