ietf-mxcomp

TECH OMISSION: Stronger checks against email forgery

2004-08-24 22:51:25


It is very easy to forge domain information in email.

Two simple cases:

* Forging the SMTP MAIL FROM address; and

* Inserting a false Received line or Resent-From header.

In essence this involves using someone else's domain without
consent.

Also, many who forge domain information also apparently send
direct from an IP address to the recipient's mail server.

Shouldn't we have stronger checks to prevent these types of
activities?

One approach is to run a MAIL FROM check at the data stage using
the SPF record format and test protocol.

Another is to run an EHLO or HELO check using client SMTP
validation.

Keep in mind those engaged in email forgery (which for
sophisticated operators is a form of criminal fraud) will likely
adopt approaches to muddy and defeat authentication, so that
those engaged in fighting email forgery will need to use a range
of tools, recognizing that although one data set might be
corrupted, matching of data against a number of identifiers will
likely generate better results.

(I am basing these general comments on existing research and
studies carried out by others in the criminal forensics field.)

Amending the Sender-ID drafts to reflect using a number of
data sets is one option. 

My personal recommendation is that a best current practices
document be published concurrently with any authentication
technologies recommended by this WG which would in essence
recommend receivers run PRA checks using Sender-ID:
Authenticating Email, MAIL FROM checks using the SPF record
format and test protocol and EHLO/HELO checks using client
SMTP validation.

It may also be appropriate to establish a steering group to
review and propose document updates on a regular basis, although
there may be other ad hoc groups which could include this process
within their mandate.

John Glube
Toronto, Canada

The FTC Calls For Sender Authentication
http://www.learnsteps4profit.com/dne.html
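
The cross-check of several identities proposed in the message above, as an added sketch that is not part of the original post or of any draft. It assumes a constructed `AUTHORIZED` table in place of the DNS lookups SPF, Sender-ID and CSV would perform, a simplified PRA header order, and hypothetical function names and sample addresses.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the DNS lookups SPF, Sender-ID and CSV would make:
# domain -> networks the domain owner authorizes to use its name.
AUTHORIZED = {
    "example.org": ["192.0.2.0/24"],
    "bulk.example.net": ["198.51.100.0/24"],
}

# Constructed message: the envelope belongs to the sender, the From line does not.
FORGED = (
    "From: Example Org Billing <billing@example.org>\n"
    "To: user@example.com\n"
    "Subject: Invoice\n"
    "\n"
    "Please see the attached invoice.\n"
)

def pra_domain(raw_message):
    """Simplified PRA: domain of the first usable header in Sender-ID's order."""
    msg = message_from_string(raw_message)
    for name in ("Resent-Sender", "Resent-From", "Sender", "From"):
        addr = parseaddr(msg.get(name, ""))[1]
        if "@" in addr:
            return addr.rpartition("@")[2].lower()
    return ""

def check(domain, client_ip):
    """'none' when the domain publishes nothing, else 'pass' or 'fail'."""
    nets = AUTHORIZED.get(domain)
    if nets is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    return "pass" if any(ip in ipaddress.ip_network(n) for n in nets) else "fail"

def evaluate(client_ip, helo, mail_from, raw_message):
    """Check the EHLO/HELO name, the MAIL FROM domain and the PRA separately."""
    identities = {
        "helo": "" if helo.startswith("[") else helo.rstrip(".").lower(),
        "mail_from": parseaddr(mail_from)[1].rpartition("@")[2].lower(),
        "pra": pra_domain(raw_message),
    }
    return {k: (d, check(d, client_ip)) for k, d in identities.items()}

def failed(results):
    """Identities whose claimed domain does not authorize the client."""
    return [k for k, (_, outcome) in results.items() if outcome == "fail"]
```

With the constructed sample, the EHLO/HELO and MAIL FROM checks both pass for the sending host while the PRA check fails, so only the combined result exposes the borrowed domain in the From line.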
