
Re: forged email DSN

2005-02-26 12:25:58
On Sat, 26 Feb 2005, Brian W. Antoine wrote:

DSN != reply

Replies have a return path.

DSNs have an empty return path - making them trivially distinguishable.

Apparently those clueless virus/spam filter writers are not alone.

  It doesn't matter who the sender is.  If the postmaster at some site
opens his mailbox one morning and discovers a flood of warnings from
your software, guess what his response is likely to be.

If he is that clueless, then his mailbox is *already* full of 
spam claiming to be from me.  My domain is popular with spammers for
some reason.  I've gotten death threats from such clueless postmasters.  If
this clueless postmaster does not do basic forgery checks, then the 1 DSN from
my software won't even be noticed.

I'll repeat this in more detail, since you don't seem to be aware of
the basic features and purpose of DSNs.  

A DSN has a null return path.  This means that DSNs are trivially
recognized, and should be checked to ensure that they correspond to
an actual outgoing email.  Smart mail admins do such checks.

The method I use is to SRS sign all outgoing email.  If an incoming
DSN doesn't have a valid sig at SMTP MAIL FROM, sendmail rejects the connection
immediately.

The SES method also signs outgoing email return paths, and adds replay
protection so that it can be used for email authentication as
well (and is a powerful complement to SPF since it survives 
even the most incompetent forwarders - with the exception 
of those using DBBF).

There are many less widely used packages for return-path signing as well.

Large sites sometimes keep an indexed log of outgoing return paths
to be matched against incoming DSNs.

The upshot is that there is no excuse for any competent admin to
be bothered by DSNs from forged email.  They are easily, safely,
and automatically ignored using a variety of widely available methods.

Replies, on the other hand, are a different matter.  Since they are not
matched to an outgoing email, they cannot be filtered without the
risk of false positives.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.

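The check Stuart describes (DSNs are recognised by their empty return path and accepted only when the address they bounce to carries a signature the site itself generated) can be shown in a few lines. The following is an added illustration, not Stuart's sendmail configuration and not the actual SRS or SES address format: it uses a simplified `local+ses=<timestamp>=<mac>@domain` tag with a constructed secret, and the `accept_at_rcpt` policy function is hypothetical.

```python
import base64
import hashlib
import hmac
import re
import time
from typing import Optional

# Constructed secret for the example; a real deployment uses its own site key.
SECRET = b"example-site-key"
# Simplified tag format (not real SRS/SES): local+ses=<unix ts>=<8 char mac>@domain
TAG_RE = re.compile(r"^([^+@]+)\+ses=(\d+)=([A-Za-z0-9_-]{8})@(.+)$")
MAX_AGE = 7 * 24 * 3600  # a DSN for mail older than a week is not expected

def _mac(local: str, domain: str, ts: int) -> str:
    msg = f"{local}@{domain}:{ts}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest)[:8].decode()

def sign_return_path(address: str, now: Optional[int] = None) -> str:
    """Rewrite the MAIL FROM of outgoing mail so any DSN comes back to a tagged address."""
    local, domain = address.split("@", 1)
    ts = int(now if now is not None else time.time())
    return f"{local}+ses={ts}={_mac(local, domain, ts)}@{domain}"

def verify_return_path(address: str, now: Optional[int] = None) -> Optional[str]:
    """Return the original address if the tag is ours and still fresh, else None."""
    m = TAG_RE.match(address)
    if not m:
        return None
    local, ts_s, mac, domain = m.groups()
    ts = int(ts_s)
    current = int(now if now is not None else time.time())
    if not hmac.compare_digest(mac, _mac(local, domain, ts)):
        return None  # forged or altered tag
    if current - ts > MAX_AGE or ts > current + 300:
        return None  # expired, or a timestamp from the future
    return f"{local}@{domain}"

def accept_at_rcpt(mail_from: str, rcpt_to: str, now: Optional[int] = None) -> bool:
    """SMTP-time policy: a DSN (empty MAIL FROM) is accepted only when RCPT TO
    carries a tag this site generated; ordinary mail is left to other checks."""
    if mail_from.strip("<> ") != "":
        return True
    return verify_return_path(rcpt_to, now) is not None
```

A DSN aimed at an untagged or expired address is rejected at RCPT TO, before any message data is transferred, which is what makes forged-bounce floods cheap to drop.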
