ietf-smtp

Re: Sender's Declaration of Identity

2005-05-17 18:24:13
On Tue, 17 May 2005 19:42:09 CDT, wayne said:
>> Now if your proposed tag said:
>>
>>        ID SPF=YES,YAHOO=NO,CVS=YES
>>
>> *THAT* I can do something with (namely, short-circuit that auth method with
>> whatever I do for a 'info-not-found' for that method).
>
> Why would you trust this?  I mean, if a phisher wants to impersonate
> big-bank.com, all they would have to do is say "ID SPF=NO,YAHOO=NO,CVS=NO".

Hmm. Good point.  An attacker could conceivably intentionally *omit* listing
an auth method that would prove him a bogon.  There's a big difference between
'SPF authoritatively failed' and 'no SPF info available'.

Damn.  :)

Maybe allow/suggest that the server randomly attempt a given auth method some
small (2%? 5%?) amount of the time, and apply punitive scores for sources that
do that?  Probably need a DCC/Razor sort of distributed system to keep track
of people trying to do this while spreading it across enough sources/destinations
so they aren't likely to be punitively scored by any single site?
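The following is an added illustration of the problem and the spot-check idea discussed above; it is not code from the thread or from any SPF implementation. It parses the "ID SPF=YES,YAHOO=NO,CVS=YES" tag format quoted in the thread, and then applies a receiver policy in which a sender-declared "NO" is normally accepted as "no info available" but is verified anyway at a configurable sample rate. The verdict strings, the `PUBLISHED` table standing in for real DNS lookups, and the domain names are all constructed for the example.

```python
"""Sender-declared auth-method availability versus actual verification.

Added example, not from the ietf-smtp thread. The 'ID ...' tag syntax is
the one quoted in the thread; everything else here is constructed.
"""
import random


def parse_id_tag(line):
    """Parse 'ID SPF=YES,YAHOO=NO,CVS=YES' into {'SPF': True, 'YAHOO': False, ...}.

    Returns {} for a line that is not an ID tag. A value other than YES/NO
    raises ValueError so a malformed declaration is never silently trusted.
    """
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or parts[0].upper() != "ID":
        return {}
    declared = {}
    for item in parts[1].split(","):
        method, _, value = item.strip().partition("=")
        method, value = method.strip().upper(), value.strip().upper()
        if not method or value not in ("YES", "NO"):
            raise ValueError("malformed ID item: %r" % item)
        declared[method] = value == "YES"
    return declared


# Constructed stand-in for what verification of each method actually yields
# for mail claiming to be from a given domain: 'pass', 'fail', or 'none'
# (no record published). A real receiver would do the DNS/SPF work here.
PUBLISHED = {
    "big-bank.example": {"SPF": "fail"},   # the bank publishes SPF; this host fails it
    "small-shop.example": {},              # publishes nothing for any method
}


def lookup(method, domain, published=PUBLISHED):
    """Hypothetical verifier: returns 'pass', 'fail' or 'none'."""
    return published.get(domain, {}).get(method, "none")


def evaluate(declared, domain, sample_rate=0.05, rng=None, published=PUBLISHED):
    """Receiver policy for a sender's ID declaration.

    Declared YES  -> always verify that method.
    Declared NO   -> normally treat as 'info-not-found' and skip the check,
                     but verify anyway with probability sample_rate.
    A verification that returns 'fail' where the sender declared NO means the
    sender hid an authoritative failure; that method is listed as punitive.
    Returns (per-method outcome, list of punitive methods).
    """
    rng = rng or random.Random()
    outcomes, punitive = {}, []
    for method, available in declared.items():
        if available or rng.random() < sample_rate:
            result = lookup(method, domain, published)
        else:
            result = "skipped"
        outcomes[method] = result
        if not available and result == "fail":
            punitive.append(method)
    return outcomes, punitive


if __name__ == "__main__":
    phisher = parse_id_tag("ID SPF=NO,YAHOO=NO,CVS=NO")
    # With no spot checks, the declaration is taken at face value.
    print(evaluate(phisher, "big-bank.example", sample_rate=0.0))
    # With spot checks forced on, the hidden SPF failure surfaces.
    print(evaluate(phisher, "big-bank.example", sample_rate=1.0))
```

At `sample_rate=0.0` every declared NO is skipped, which is exactly the hole wayne points out; at any positive rate a source that repeatedly declares NO for domains that do publish records will accumulate punitive hits, which is the per-site half of the scheme (the cross-site aggregation the thread mentions is not modelled here).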
