spf-discuss

RFC 2822 groveling after flag day

2004-05-26 18:04:32
Reading the "new spf" slides of Meng Weng Wong, slide 0332 says in part:

  - If DAVE not provided,
    - before flag day, grovel through RFC 2822 headers.
    - after flag day, use FROM directly.

(Meng Wong confirmed that "FROM" means MAIL FROM here.)

So, let's say flag day has happened and everyone is miraculously using
the DAVE parameter.  Now, does this mean you no longer need to parse RFC
2822 headers?  I don't see how you can ever avoid it.  Here's one
example:

1. Phisher registers a new domain

2. (optional step) Phisher uses new domain for legitimate purposes for N
   days

3. Phisher sends phishing attempts on day N+1 with 100% valid SMTP
   header information, SPF correct, etc.

4. (optional step) Phisher even includes a Resent-From: header (or other
   header that supersedes From: as the PRA header) using their domain.

5. And the Phisher uses "From: <billing@citibank.com>" and while the
   message was innocent looking at RFC 2821 time, it certainly isn't
   innocent as far as RFC 2822 headers go.

Why is this a problem:

 - People stopped groveling through RFC 2822 headers after the flag day
   so bad people can put whatever they want in the header.

   So, perhaps the flag day is just a mistake and it needs to be
   accepted that something somewhere will have to grovel through *every*
   last RFC 2822 header.

Now, even if everyone continues to grovel through RFC 2822 headers, it
seems like SPF has still failed to provide usable authentication to
users of email:

 - Many mailers only show the From: (RFC 2822) header
 - Most users only look at the From: (RFC 2822) header and are probably
   incapable of comparing multiple headers.

The new SPF seems to be designed for (a) Outlook where the user
interface behaves in a way expected by the specification (and Outlook is
a minority compared to Outlook Express and the rest of the MUA world) or
(b) technical users who don't fall prey to phishing and the like anyway.

Daniel

-- 
Daniel Quinlan
http://www.pathname.com/~quinlan/

