Re: [spf-discuss] SPF, DKIM, and NIH
2009-10-12 10:35:14
--On 12 October 2009 10:07:54 -0400 Scott Kitterman <scott(_at_)kitterman(_dot_)com> wrote:
On Mon, 12 Oct 2009 07:00:46 -0700 (PDT) Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net> wrote:
On Mon, 12 Oct 2009, Alessandro Vesely wrote:
> Relayers are free to change the MAIL FROM:, and far from blocking them
> from changing it, if they do change it this frees them to drop the
> signature without consequence.
That's very easy to forge, though. As long as spammers sign correctly,
[...]
generic forwarding-resistant solution that DKIM claims to be.
Yes, Envelope-DKIM permits the bad guys to do:
MAIL FROM: <evil(_at_)evil(_dot_)example(_dot_)org>
RCPT TO: <victim(_at_)victim(_dot_)example(_dot_)net>
DATA
DKIM-Signature: ... d=evil.example.org ...
From: First Bank of Erewhon <victims-bank(_at_)bank(_dot_)example(_dot_)com>
Subject: Urgent! Need to re-confirm your account
....
But, *so* *does* *SPF*. And it's this very property that gives SPF its
immunity to mailing list FPs.
Then what's the advantage over SPF?
The advantage is that it permits trusted traditional forwarding. Which is
what's missing with SPF.
The thing is, that there are various routes by which mail may be delivered.
SPF protects some, but not others. DKIM protects others, but not some.
What we need is a collection of sender techniques, and a collection of
recipient checks, which collectively allow the recipient to apply
reputation scores for every incoming message - except the spam, of course.
SPF neatly protects all messages except traditional forwarding.
DKIM with ADSP neatly protects all messages except mailing list messages.
If SPF and DKIM/ADSP were universally deployed, recipients would have
something they could assign reputation to for every message:
If you see an SPF pass, then assign reputation by SPF. Lists that don't
check inbound mail won't get great reputation. If there's also a DKIM
signature, you can also check that content hasn't been munged, but watch
out for list-id headers.
If SPF fails, then look for a DKIM signature. If you get a good one, you're
likely seeing traditional forwarding. Do your reputation assignment with
DKIM, don't worry too much about the SPF.
If you have an SPF soft fail, or no policy, and no DKIM signature, and no
policy, then you're stuck with IP reputation and content assessment.
Scott K
-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com
--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
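The SPF-first, DKIM-second reputation scheme laid out in the post above, written out as an added example; this is not code from the thread or from any SPF/DKIM implementation. It assumes an upstream verifier (pyspf, dkimpy, a milter) has already recorded its verdicts in an Authentication-Results header in the RFC 5451 layout, and all header values, domains and IP addresses are constructed. It also covers one case the post only implies: any non-pass SPF result (fail, softfail, none) falls through to the DKIM check before the receiver gives up and scores the connecting IP. The last sample is the post's own "evil.example.org signs a bank-branded message" case, which shows where the reputation lands under this scheme.

```python
"""Choose the identifier to hang reputation on: SPF pass -> MAIL FROM domain,
otherwise DKIM pass -> d= domain, otherwise the connecting IP."""
import re
from email import message_from_string
from email.message import Message

_COMMENT = re.compile(r"\([^)]*\)")  # RFC 5451 permits (comments) anywhere


def parse_authentication_results(value: str) -> dict:
    """Parse 'authserv-id; method=result ptype.prop=value ...; ...' into
    {method: {"result": str, "props": {ptype.prop: value}}}."""
    value = _COMMENT.sub(" ", value)
    parts = [p.strip() for p in value.split(";")]
    results = {}
    for resinfo in parts[1:]:  # parts[0] is the authserv-id
        if not resinfo or resinfo.lower() == "none":
            continue
        tokens = resinfo.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, val = tok.split("=", 1)
                props[key.lower()] = val
        results[method.lower()] = {"result": result.lower(), "props": props}
    return results


def _domain(addr_or_domain: str) -> str:
    """smtp.mailfrom may be a bare domain or a full address."""
    return addr_or_domain.rsplit("@", 1)[-1].lower()


def assign_reputation(msg: Message, client_ip: str) -> dict:
    """Apply the post's decision order and report which identifier to score."""
    auth = {}
    for hdr in msg.get_all("Authentication-Results", []):
        auth.update(parse_authentication_results(hdr))
    spf = auth.get("spf", {"result": "none", "props": {}})
    dkim = auth.get("dkim", {"result": "none", "props": {}})
    verdict = {
        "spf_result": spf["result"],
        "dkim_result": dkim["result"],
        # A List-Id header flags list traffic: lists munge bodies and
        # subjects, so a DKIM failure here says little about the author.
        "list_traffic": msg.get("List-Id") is not None,
    }
    if spf["result"] == "pass":
        # SPF pass: score the MAIL FROM domain. A DKIM pass on top just
        # confirms the signed content survived the path intact.
        verdict.update(basis="spf",
                       identifier=_domain(spf["props"].get("smtp.mailfrom", "")),
                       content_verified=(dkim["result"] == "pass"))
    elif dkim["result"] == "pass":
        # SPF did not pass but the signature verifies: most likely a
        # traditional forwarder broke SPF. Score the signing domain.
        verdict.update(basis="dkim",
                       identifier=_domain(dkim["props"].get("header.d", "")),
                       content_verified=True)
    else:
        # Nothing domain-level to score; fall back to IP reputation and
        # content assessment.
        verdict.update(basis="ip", identifier=client_ip, content_verified=False)
    return verdict


# Constructed sample messages, one per delivery path discussed in the post.
DIRECT = message_from_string(
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=alice@example.org;\n"
    " dkim=pass (2048-bit key) header.d=example.org\n"
    "From: alice@example.org\nSubject: direct delivery\n\nbody\n")
FORWARDED = message_from_string(
    "Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=alice@example.org;\n"
    " dkim=pass header.d=example.org\n"
    "From: alice@example.org\nSubject: via a .forward\n\nbody\n")
LIST = message_from_string(
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=owner-discuss@lists.example.com;\n"
    " dkim=fail (body hash did not verify) header.d=example.org\n"
    "List-Id: <discuss.lists.example.com>\n"
    "From: alice@example.org\nSubject: [discuss] munged by the list\n\nbody\n")
NOAUTH = message_from_string(
    "Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=bob@example.com; dkim=none\n"
    "From: bob@example.com\nSubject: nothing to go on\n\nbody\n")
PHISH = message_from_string(  # the post's own example: signer != displayed bank
    "Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=evil@evil.example.org;\n"
    " dkim=pass header.d=evil.example.org\n"
    "From: First Bank of Erewhon <victims-bank@bank.example.com>\n"
    "Subject: Urgent! Need to re-confirm your account\n\nbody\n")

if __name__ == "__main__":
    for name, m in [("direct", DIRECT), ("forwarded", FORWARDED), ("list", LIST),
                    ("noauth", NOAUTH), ("phish", PHISH)]:
        print(name, assign_reputation(m, "192.0.2.1"))
```

Both SPF and DKIM pass on the phishing sample, and the scheme duly assigns reputation to evil.example.org rather than to the bank named in From:, which is exactly the property the post says both mechanisms share; the displayed author domain never enters the decision.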