On Aug 18, 2004, at 6:30 PM, Harry Katz wrote:
On Wednesday, August 18, 2004 2:34 PM, Nate Leon wrote:
I realize concern around this topic has been raised multiple
times (Dave Crocker, Doug Otis, Chris Haynes, etc...) but I
still can't help feel we are under-estimating the seriousness
of this issue. If I missed the posting where everybody
agreed on the solution (entirely possible) please point me to it. :)
I expect it will take years before all MUAs are updated (and widely
deployed) to display the PRA, which I do not think is an
acceptable timeframe to put a serious dent into phishing attacks.
For completeness, here is another example of the concern:
MAIL FROM:<> // don't care
RCPT TO:<valid-recipient(_at_)example(_dot_)com>
DATA
Subject: update your account info
Resent-From: JoePhisher(_at_)phishingScam(_dot_)com // valid domain
authenticated by MARID
...
From: account-services(_at_)yourbank(_dot_)com // Spoofed domain,
displayed by the MUA
To: valid-recipient(_at_)example(_dot_)com // bummer for you
...
Are we really going to RFC with this issue left open?
If nothing else, I at least want to add my vote to more
thought being put into this topic.
To address the forged Sender/Resent problem I suggest we could add the
following logic:
If PRA != 2822.From and SPFCheck(PRA) != "Pass" then receiver MAY
reject
a message after DATA.
<...much good stuff snipped ...>
Thus, if a spammer wants to forge a Sender or Resent- header, they have
to use their own domain name. That'll get block-listed fairly quickly.
I
belive that plugs the hole that we're addressing.
This works. It for all practical purposes closes the hole whereby
incomplete or absent records for Sender and particularly Resent can be
used to dive under identity based controls in the temporary (but
undoubtedly not brief) period before Sender ID records are for all
practical purposes mandatory.
My gut says that the people burdened - those running mail related
services - are those most likely to be able to publish definitive and
complete Sender ID records quickly.
Margaret.