On Aug 4, 2005, at 12:08 AM, Tony Finch wrote:
> On Wed, 27 Jul 2005, Andrew Newton wrote:
>
>> 3) The first solution in 9.5 seems to be talking about a service that does not exist and lends itself to abuse, and the second seems to be fairly heavy-weight and possibly not very effective (at least from their limited descriptions). Perhaps those paragraphs should be struck and the section should be left with only a description of the attack.
>
> The second (detecting bulk same-signature mail) effectively already exists in the form of Vernon Schryver's distributed checksum clearinghouse.
While there can be clearing houses that distribute known "abused" signatures, having an opaque revocation-identifier (used by larger domains where this problem will be most prominent) could help in two ways. (If user-keys are employed, the selector could become the revocation-identifier.) Rather than dealing with perhaps thousands of "abused" signatures accumulated for replay attacks, a single value could identify the abusive account. This helps when attempting to distribute this information to all points as a defensive mechanism. This all-points distribution would be by a third party, but it could become problematic to distribute a large amount of information in a timely manner. Adopting a convention to opaquely identify accounts (as is common using various methods) also permits the signing domains themselves an easier avenue to offer defenses against abused signatures.
This self-defense could be made by simply publishing an A record with a value of 127.0.0.1 with a label of the offensive account's revocation-identifier. One could also assume that when the MTA host is within the domain of the signer, there should be no need to check the bad-account listing. The bad-account list would also serve as feedback for abuse reports, when the abusive account has been terminated. This approach would distribute the distribution of known bad accounts, versus centralizing all known abused signatures. While a third-party service will offer protection (of course), a self-managed bad-account list should provide greater recipient coverage faster.
Broader and prompt recipient coverage using bad-account lists should act more effectively as a deterrent against the abusive replay. Self-managed bad-account lists could be more prompt, and would be more authoritative. A high level of lookups checking specific accounts could trigger subsequent filtering of the retained messages to see if those sent by the account are now considered abusive. This should enhance the value of the message signature, and better defend the reputation of the signer. It would mean they keep their house in order, and do not expect third parties to clean up abusive replays.
Even if signers check their outbound mail, preventing an abuser from eventually accumulating a stash of signed messages which can be replayed by the millions is unlikely. Rate limiting outbound mail no longer offers effective protection for the signer's reputation (based upon the name verified by the signature).
-Doug
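The verifier-side half of the bad-account list described in the message above, as an added example that is not part of Doug's mail or of any DKIM implementation: the signing domain publishes an A record of 127.0.0.1 under a label equal to the abusive account's opaque revocation-identifier, and a verifier holding a signed message that carries such an identifier looks the name up, skipping the lookup when the delivering MTA is inside the signer's own domain. The exact query-name layout (the `_revoked` sub-label), the `Resolver` interface and the sample zone data are assumptions made here so the code runs offline; the message specifies none of them.

```python
"""Verifier-side check against a signer-published bad-account list.

Assumed layout (not specified in the original message):
    <revocation-id>._revoked.<signing-domain>  A  127.0.0.1   -> account listed as abusive
The resolver is injected so the example runs against constructed zone data.
"""
from __future__ import annotations

from typing import Callable, Mapping, Sequence

# Any callable returning the A records for a name (empty sequence when none exist).
Resolver = Callable[[str], Sequence[str]]

REVOKED_SENTINEL = "127.0.0.1"
REVOKED_SUBLABEL = "_revoked"   # hypothetical sub-label; the message names none


def revocation_query_name(revocation_id: str, signing_domain: str) -> str:
    """Build the DNS name to query for an opaque revocation-identifier."""
    rid = revocation_id.strip().lower()
    if not rid or "." in rid or any(c.isspace() for c in rid):
        # Reject identifiers that would add labels or be empty, rather than
        # silently querying a different name than intended.
        raise ValueError(f"invalid revocation-identifier: {revocation_id!r}")
    return f"{rid}.{REVOKED_SUBLABEL}.{signing_domain.strip('.').lower()}"


def host_within_domain(mta_host: str, signing_domain: str) -> bool:
    """True when the MTA is the signing domain itself or a host beneath it."""
    host = mta_host.strip(".").lower()
    domain = signing_domain.strip(".").lower()
    return host == domain or host.endswith("." + domain)


def account_revoked(revocation_id: str, signing_domain: str, mta_host: str,
                    resolve: Resolver) -> bool:
    """Return True if the signer lists the account behind this signature as abusive.

    Following the message's suggestion, mail handed over by a host inside the
    signing domain skips the lookup; only mail relayed from elsewhere (the
    replay case) is checked.
    """
    if host_within_domain(mta_host, signing_domain):
        return False
    name = revocation_query_name(revocation_id, signing_domain)
    return REVOKED_SENTINEL in resolve(name)


# Constructed zone data standing in for live DNS (not real records).
SAMPLE_ZONE: Mapping[str, Sequence[str]] = {
    "a1f3c9._revoked.example.com": [REVOKED_SENTINEL],   # account listed as abusive
    "7b2e00._revoked.example.com": [],                    # account not listed
}


def sample_resolver(name: str) -> Sequence[str]:
    """Offline stand-in for an A-record lookup."""
    return SAMPLE_ZONE.get(name.lower(), [])


if __name__ == "__main__":
    # A replayed message: signed by example.com, identifier a1f3c9, relayed by an outside host.
    print(account_revoked("a1f3c9", "example.com", "mx.third-party.net", sample_resolver))  # True
    # The same signature arriving from the signer's own MTA is not checked.
    print(account_revoked("a1f3c9", "example.com", "smtp.example.com", sample_resolver))    # False
```

The in-domain bypass is only as strong as the verifier's knowledge of where the message really came from: `mta_host` should be the identity of the connecting host as established by the receiving MTA (for example a verified reverse mapping or an authenticated relay), not a self-asserted value from the message, or the check can be skipped by anyone who names the signer's domain. Lookups should also be rate-limited and cached on the verifier side, since the message itself points out that the same identifier will be queried for every copy of a replayed message.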