spf-discuss

Re: where is SES/BATV/ABBS?

2005-07-05 15:36:44
On Tue, 5 Jul 2005, Greg Connor wrote:

> If someone were to come up with a DNS server that knows how to distinguish
> your SRS0+hash, via some exists: query, do you think you would be willing
> to publish an SPF record to test it with?  Basically the exists: query
> would pass back the full local part and your DNS server would provide a
> yes-or-no answer, which is similar to what CBV does, only CBV wouldn't be
> required at the recipient.  (You would probably want to publish using ?all
> until you are confident that the trick DNS server is working.)
>
> If that could be made to work, that might be a much better solution to the
> forwarding problem than the one I described earlier.  And it could be done
> proactively by the sender without depending on forwarders to do anything.

The weakness with that solution is that it is subject to replay 
attacks.  One solution is to limit the number of validations for a
given sig in the server (requires only an in memory database of 
successful validations and count).  That is what the original SES did.
Setting the limit reasonably can be tricky, however.  So the SES project went
in the direction of computing a hash over the message body.  They
reuse specifications for the body hash from the Domain Keys project.

I don't like the body hash, but you *must* have some sort of replay
protection to use BATV/SES/SES for authentication.  Otherwise, once
a spammer gets a hold of one of your sigs through a zombie one
of your recipients uses for an email client, they can forge your MAIL FROM
to any number of recipients to their heart's content until the timestamp expires.

My solution is not to use SES (or BATV) for authentication.  I stick with
SPF for that, and use SRS/SES to block bogus bounces - where replay
attacks are not serious (the spammer only gets to spam one recipient 
per stolen return path).

SES/BATV *could* be used with SPF for negative authentication.  For example:

v=spf1 mx -exists:_ses.mydomain.com ?include:roamingisp.com -all

This says if the SES signature *doesn't* verify, then the email
is definitely bogus.  Otherwise, it could be from the roaming salesman
that won't use SMTP AUTH.

-- 
              Stuart D. Gathman <stuart(_at_)bmsi(_dot_)com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
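As an added illustration (not code from the original thread, nor from the SES or BATV projects), the negative-authentication record above simulated in Python: an SES-style signed local part in a constructed format, a verifier that applies the in-memory validation count mentioned as replay protection, and the "trick" DNS answer for the exists: term. It assumes the local part reaches the DNS server via the %{l} macro and reduces the mx and include terms to booleans.

```python
import hmac
import hashlib
from collections import Counter

SECRET = b"constructed-example-key"   # constructed; the real signer's secret stays private
TTL_DAYS = 7                          # signatures older than this are rejected
MAX_VALIDATIONS = 3                   # original-SES style replay limit per signature
_validations = Counter()              # in-memory count of successful validations

def ses_sign(local_part: str, day: int) -> str:
    """Produce a signed local part (constructed format: SES0=<day>=<mac>=<original>)."""
    mac = hmac.new(SECRET, f"{day}={local_part}".encode(), hashlib.sha256).hexdigest()[:10]
    return f"SES0={day}={mac}={local_part}"

def ses_verify(signed_local: str, today: int) -> bool:
    """True only for a well-formed, unexpired, authentic and not-yet-replayed signature."""
    parts = signed_local.split("=", 3)
    if len(parts) != 4 or parts[0] != "SES0" or not parts[1].isdigit():
        return False
    _, day, mac, original = parts
    if not 0 <= today - int(day) <= TTL_DAYS:
        return False
    expected = hmac.new(SECRET, f"{day}={original}".encode(), hashlib.sha256).hexdigest()[:10]
    if not hmac.compare_digest(mac, expected):
        return False
    if _validations[signed_local] >= MAX_VALIDATIONS:
        return False                  # replay limit hit; treat as unverified
    _validations[signed_local] += 1
    return True

def ses_dns_exists(local_part: str, today: int) -> bool:
    """What the 'trick' DNS server answers for the exists: query under the negative
    record: a record exists exactly when the signature does NOT verify, so the '-'
    qualifier turns an unverifiable return path into Fail."""
    return not ses_verify(local_part, today)

def spf_check(local_part: str, client_is_mx: bool, client_in_roaming_isp: bool, today: int) -> str:
    """Evaluate 'v=spf1 mx -exists:%{l}._ses.mydomain.com ?include:roamingisp.com -all'
    with the mx and include terms abstracted into booleans."""
    if client_is_mx:
        return "pass"                 # mx matched, implicit '+' qualifier
    if ses_dns_exists(local_part, today):
        return "fail"                 # -exists matched: signature bogus
    if client_in_roaming_isp:
        return "neutral"              # ?include matched: could be the roaming salesman
    return "fail"                     # -all
```

Note that a replayed but still-valid signature only ever reaches "neutral" here, which is why the thread treats replay as far less serious under negative authentication than under positive authentication.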