ietf-mxcomp
[Top] [All Lists]

Re: Forged Sender (Resent-From) attacks

2004-08-18 19:11:44


On Aug 18, 2004, at 6:30 PM, Harry Katz wrote:


On Wednesday, August 18, 2004 2:34 PM, Nate Leon wrote:

I realize concern around this topic has been raised multiple
times (Dave Crocker, Doug Otis, Chris Haynes, etc...) but I
still can't help feel we are under-estimating the seriousness
of this issue.  If I missed the posting where everybody
agreed on the solution (entirely possible) please point me to it. :)

I expect it will take years before all MUAs are updated (and widely
deployed) to display the PRA, which I do not think is an
acceptable timeframe to put a serious dent into phishing attacks.

For completeness, here is another example of the concern:

   MAIL FROM:<>                                  // don't care
   RCPT TO:<valid-recipient(_at_)example(_dot_)com>
   DATA
      Subject: update your account info
      Resent-From: JoePhisher(_at_)phishingScam(_dot_)com   // valid domain
authenticated by MARID
      ...
      From: account-services(_at_)yourbank(_dot_)com        // Spoofed domain,
displayed by the MUA
      To: valid-recipient(_at_)example(_dot_)com            // bummer for you
      ...

Are we really going to RFC with this issue left open?

If nothing else, I at least want to add my vote to more
thought being put into this topic.


To address the forged Sender/Resent problem I suggest we could add the
following logic:

If PRA != 2822.From and SPFCheck(PRA) != "Pass" then receiver MAY reject
a message after DATA.

<...much good stuff snipped ...>

Thus, if a spammer wants to forge a Sender or Resent- header, they have
to use their own domain name. That'll get block-listed fairly quickly. I
belive that plugs the hole that we're addressing.

This works. It for all practical purposes closes the hole whereby incomplete or absent records for Sender and particularly Resent can be used to dive under identity based controls in the temporary (but undoubtedly not brief) period before Sender ID records are for all practical purposes mandatory.

My gut says that the people burdened - those running mail related services - are those most likely to be able to publish definitive and complete Sender ID records quickly.

Margaret.