ietf-mxcomp

Re: Forged Sender (Resent-From) attacks

2004-08-18 23:39:42

"Margaret Olson" <margaret(_at_)margaretolson(_dot_)com> wrote:
On Aug 18, 2004, at 6:30 PM, Harry Katz wrote:

To address the forged Sender/Resent problem I suggest we could add the
following logic:

If PRA != 2822.From and SPFCheck(PRA) != "Pass" then receiver MAY
reject a message after DATA.

<...much good stuff snipped ...>

Thus, if a spammer wants to forge a Sender or Resent- header, they have
to use their own domain name. That'll get block-listed fairly quickly.
I believe that plugs the hole that we're addressing.

This works. It for all practical purposes closes the hole whereby
incomplete or absent records for Sender and particularly Resent can be
used to dive under identity based controls in the temporary (but
undoubtedly not brief) period before Sender ID records are for all
practical purposes mandatory.

My gut says that the people burdened - those running mail related
services - are those most likely to be able to publish definitive and
complete Sender ID records quickly.

This implies once a record gets published, these domains may also become
blacklisted.  If there are MTAs shared by more than a single domain, then
this MTA MUST compare these records against the PRA as a means to protect
these domains.  This also implies every MTA application must have a signed
contract with Microsoft?  It also suggests that when these records are
"open" they may become blacklisted, as spammers are not required to use
"their" records to spoof the system.

A statement that mail will be rejected without a Sender-ID record should
also include the statement that without a "closed" Sender-ID record, mail
will be blacklisted.  Or to conclude, all ISPs will soon include a
Resent-From header with their "closed" list.  How would this Resent-From
header be better or different than CSV?  500 DNS lookups or 1 DNS lookup?
Many possible PRA headers, or one EHLO domain?  IPR or no IPR?

My gut says Sender-ID is the wrong approach. Call From:EHLO Mailer-ID.  By
moving to such a name based accreditation, a history can be established.
If they are new, a go slow approach can minimize the potential damage.
Sender-ID makes it easy for every message to assume a different identity
and allows records to span large address spaces.  CSV constrains such a
dodge far better.  MPR can put clamps on phishing and spoofing far better
than Sender-ID with a single DNS lookup for the channel.

-Doug
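Worked example of the receiver-side rule Harry proposes at the top of the thread ("If PRA != 2822.From and SPFCheck(PRA) != Pass then receiver MAY reject after DATA"), written for this page and not taken from the thread, from the MARID drafts or from any MTA. Two things are assumed rather than taken from the page: the PRA is chosen in the simplified order Resent-Sender, Resent-From, Sender, From (first header present wins; the real PRA rules have more cases), and the SPF/Sender ID lookup is replaced by a constructed in-memory table of which client IPs a domain authorises, returning only Pass, Fail or None. The sample messages and IPs are constructed.

```python
"""Added example: post-DATA decision using the PRA rule from the thread.

Assumptions (not from the page):
  - PRA selection: first non-empty of Resent-Sender, Resent-From, Sender, From.
  - spf_check() is a stand-in for a real SPF/Sender ID evaluation; it reads a
    constructed policy table instead of DNS and returns Pass/Fail/None only.
"""
import email
from email.utils import parseaddr

PRA_ORDER = ("Resent-Sender", "Resent-From", "Sender", "From")

# Constructed stand-in for published Sender ID records: domain -> authorised
# client IPs. A domain absent from the table has "no record" (result None).
POLICIES = {
    "example.com": {"192.0.2.10"},
    "mailer.example.net": {"198.51.100.5"},
    "spam-run.example": {"203.0.113.9"},   # a spammer publishing his own record
}


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value, or None."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def select_pra(msg):
    """Simplified Purported Responsible Address: (header name, domain)."""
    for name in PRA_ORDER:
        dom = domain_of(msg.get(name))
        if dom:
            return name, dom
    return None, None


def spf_check(domain, client_ip, policies=POLICIES):
    """Stand-in for SPFCheck(PRA): Pass if the IP is authorised, Fail if the
    domain publishes a record that excludes it, None if no record exists."""
    if domain not in policies:
        return "None"
    return "Pass" if client_ip in policies[domain] else "Fail"


def post_data_decision(raw_message, client_ip, policies=POLICIES):
    """Apply: if PRA != From and SPFCheck(PRA) != Pass -> reject after DATA.

    Returns (decision, reason). 'continue' means the rule does not apply and
    the ordinary From-based check would run instead.
    """
    msg = email.message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    pra_hdr, pra_dom = select_pra(msg)
    if from_dom is None or pra_dom is None:
        return "reject", "no usable From or PRA"
    if pra_dom == from_dom:
        return "continue", f"PRA ({pra_hdr}) matches From; rule does not apply"
    result = spf_check(pra_dom, client_ip, policies)
    if result != "Pass":
        return "reject", (f"PRA {pra_hdr}={pra_dom} differs from From={from_dom} "
                          f"and SPFCheck is {result}")
    return "accept", f"PRA {pra_hdr}={pra_dom} authorises {client_ip}"


# Constructed sample messages.
DIRECT = "From: alice@example.com\nTo: bob@example.org\nSubject: hi\n\nbody\n"
FORWARDED = ("Resent-From: list@mailer.example.net\nFrom: alice@example.com\n"
             "To: bob@example.org\nSubject: hi\n\nbody\n")
FORGED = ("Resent-From: nobody@unregistered.example\nFrom: alice@example.com\n"
          "To: bob@example.org\nSubject: hi\n\nbody\n")
OWN_DOMAIN = ("Sender: bulk@spam-run.example\nFrom: alice@example.com\n"
              "To: bob@example.org\nSubject: hi\n\nbody\n")

if __name__ == "__main__":
    for label, raw, ip in (("direct", DIRECT, "192.0.2.10"),
                           ("forwarded", FORWARDED, "198.51.100.5"),
                           ("forwarded, wrong IP", FORWARDED, "203.0.113.9"),
                           ("forged Resent-From", FORGED, "198.51.100.5"),
                           ("spammer's own domain", OWN_DOMAIN, "203.0.113.9")):
        print(f"{label:22s} -> {post_data_decision(raw, ip)}")
```

The fourth case is the hole Harry describes being closed: a Resent-From naming a domain with no record no longer slips past the check, because "None" is not "Pass". The fifth case shows the consequence he draws from it: a sender who wants a Sender or Resent- header to survive the rule must name a domain whose published record covers his own sending IP, which is the domain that then gets blacklisted.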