spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [spf-discuss] SPF, DKIM, and NIH

2009-10-12 10:35:14
from [Ian Eiloart] [Permanent Link]
--On 12 October 2009 10:07:54 -0400 Scott Kitterman <scott(_at_)kitterman(_dot_)com> wrote: 


On Mon, 12 Oct 2009 07:00:46 -0700 (PDT) Michael Deutschmann
<michael(_at_)talamasca(_dot_)ocis(_dot_)net> wrote:

On Mon, 12 Oct 2009, Alessandro Vesely wrote:

> Relayers are free to change the MAIL FROM:, and far from blocking
> them

from

> changing it, if they do change it this frees them to drop the
> signature without consequence.

That's very easy to forge, though. As long as spammers sign correctly,
[...]
generic forwarding-resistant solution that DKIM claims to be.


Yes, Envelope-DKIM permits the bad guys to do:

MAIL FROM: <evil(_at_)evil(_dot_)example(_dot_)org>
RCPT TO: <victim(_at_)victim(_dot_)example(_dot_)net>
DATA
DKIM-Signature: ... d=evil.example.org ...
From: First Bank of Erewhon <victims-bank(_at_)bank(_dot_)example(_dot_)com>
Subject: Urgent! Need to re-confirm your account
....

But, *so* *does* *SPF*.  And it's this very property that gives SPF its
immunity to mailing list FPs.


Then what's the advantge over SPF?
The advantage is that it permits trusted traditional forwarding. Which is what's missing with SPF.
The thing is, that there are various routes by which mail may be delivered. SPF protects some, but not others. DKIM protects others, but not some.
What we need is a collection of sender techniques, and a collection of recipient checks, which collectively allow the recipient to apply reputation scores for every incoming message - except the spam, of course. 

SPF neatly protects all messages except traditional forwarding.
DKIM with ADSP neatly protects all messages except mailing list messages.
If SPF and DKIM/ADSP were universally deployed, recipients would have something they could assign reputation to for every message:
If you see an SPF pass, then assign reputation by SPF. Lists that don't check inbound mail won't get great reputation. If there's also a DKIM signature, you can also check that content hasn't been munged, but watch out for list-id headers.
If SPF fails, then look for a DKIM signature. If you get a good one, you're likely seeing traditional forwarding. Do your reputation assignment with DKIM, don't worry too much about the SPF.
If you have an SPF soft fail, or no policy, and no DKIM signature, and no policy, then you're stuck with IP reputation and content assessment. 



Scott K


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com




--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/


-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [spf-discuss] SPF, DKIM, and NIH, Michael Deutschmann
Next by Date:  Re: [spf-discuss] SPF, DKIM, and NIH, David MacQuigg
Previous by Thread:  Re: [spf-discuss] SPF, DKIM, and NIH, Scott Kitterman
Next by Thread:  Re: [spf-discuss] SPF, DKIM, and NIH, David MacQuigg
Indexes:  [Date] [Thread] [Top] [All Lists]