ietf-mxcomp
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Comparison of Sender-ID versus SPF and MPR & BATV

2004-08-18 11:09:43
from [Douglas Otis] [Permanent Link] 

Feature comparison of Sender-ID versus SPF and MPR & BATV

........................................... Sender-ID  SPF  MPR & BATV
DNS Lookups for Policy........................ 10 ..... 20 ....... 1
DNS Lookups for Channel..................... >500 ... >500 ....... 1
Maximal Overhead Time w/o pkt loss (seconds)  200 .. >4000 ...... 15
Maximal UDP/TCP ratio w avg 4KB mail........ 5000% .. 5000% ..... 30%
UDP Exponential Back-off...................... No .... Yes ..... Yes
Reduces Spoof Bounces......................... No .... Yes ..... Yes w/o BATV
Stops Spoof Bounces........................... No ..... No ..... Yes w BATV
Assures RFC2821 MAIL FROM..................... No .... Yes ..... Yes
Assures RFC2822 From.......................... No ..... No ..... Yes
Identifies actual sender...................... No ..... No ..... Yes
Reduces Phishing.............................. No ..... No ..... Yes
Reduces Spoofing.............................. No ..... No ..... Yes
Enables Accreditation to abate abuse.......... No ..... No ..... Yes
Enables legal enforcement..................... No ..... No ..... Yes
Identity helps locate logs.................... No ..... No ..... Yes
May require digital signature................. No ..... No ..... Yes
May require BATV.............................. No ..... No ..... Yes
Allows use of recognized mailbox.............. No ..... No ..... Yes
Encumbered by IPR............................ Yes ..... No ...... No
Invites addition of Resent-From headers...... Yes ..... No ...... No
Assumes RFC2822 header integrity............. Yes ..... No ...... No
Requires text parser to execute macros....... Yes .... Yes ...... No
Allows Identity spoofing with open records... Yes .... Yes ...... No
Checks required at each MTA.................. Yes .... Yes ...... No
Breaks Forwarding with Channel Restrictions.. Yes .... Yes  Optional w/o BATV

With Sender-ID, a spammer may employ open records or utilize Resent-From
headers to continue spoofing or phishing with the From.  With Sender-ID,
a spammer may also employ return-path bounce techniques to evade
blacklisting.

Although Sender-ID and SPF allow use of open records to retain an
ability to use different access, such records will become problematic
when exploited by spammers.  MPR does not suffer this problem, as the
sender identity is based upon both From and authenticated EHLO domain.
With MPR, restrictions on From or MAIL FROM are optional and asserting
these fields to be unrestricted can not be exploited, as with Sender-ID
or SPF. 

The actual sender is the entity submitting the mail.  If there is a
problem, this is the identity that may be safely blocked.  As the mail
channel is not secure, negative assertions based upon RFC 2822 content
can not be defended.  Such assumption implies every point within the
mail channel performs Sender-ID checks.  As Sender-ID is highly prone to
DoS attack, it is likely such checks may be disabled.  The motivation
for a DoS of Sender-ID would be to enable spoofing over shared MTAs with
full validations.  With Sender-ID, there is nothing to alert a user the
the channel integrity is compromised.  Sender-ID assumes channel
integrity, but it is not verifiable.  With Sender-ID, the sender is held
responsible for a lack of mail channel integrity, although needed checks
must be done by the recipient.

-Doug
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • Comparison of Sender-ID versus SPF and MPR & BATV, Douglas Otis <=
Previous by Date:  RE: Point of Order: Incomplete, flawed response to MARID WG Chart er, Daryl Odnert
Next by Date:  RE: New draft-ietf-marid-core-03 and draft-ietf-marid-pra-00, Nate Leon
Previous by Thread:  RE: Point of Order: Incomplete, flawed response to MARID WG Chart er, Daryl Odnert
Next by Thread:  I-D ACTION:draft-ietf-marid-pra-00.txt, Internet-Drafts
Indexes:  [Date] [Thread] [Top] [All Lists]