spf-discuss

Re: [spf-discuss] SPF, DKIM, and NIH

2009-10-13 08:02:52


--On 13 October 2009 13:39:44 +0200 Alessandro Vesely <vesely(_at_)tana(_dot_)it> wrote:

> David MacQuigg wrote:
>> Ian Eiloart wrote:
>>> If SPF fails, then look for a DKIM signature. If you get a good one,
>>> you're likely seeing traditional forwarding.
>>
>> Or forwarding by a crook.  What prevents a spammer from sending a
>> billion ads for Viagra, all with a valid DKIM signature from a reputable
>> domain?  All it takes is one signed message.  The rest can be copies,
>> "forwarded" via a botnet.

Nothing prevents that, but the only purpose it would serve would be to harm the reputation of the original signer, or to increase the income of the original signer. The spammer could derive no benefit, since the advert would not route the buyer through the spammer's reward system.

Now, let's get more specific. Suppose the original message were sent from a gmail account set up for the purpose. You're proposing this mechanism to route around rate-limiting, or other bulk mail detectors on the gmail server. That's fine, it'll do that. And whose reputation suffers? Not gmail's, but the sender address's. With a sufficiently responsive reputation infrastructure, the sender address will quickly acquire poor reputation.

Nobody would be daft enough to assign anything but neutral reputation to the gmail.com domain, would they?

>> The fundamental advantage of signature-based authentication (arbitrary
>> forwarding) is a fundamental disadvantage when the forwarder is a
>> crook.  Signatures protect only that which is signed, i.e. the body and
>> a few specifically selected headers.  There is *no other assurance* in a
>> signature.  Show that Viagra ad to the original signer, and he will say
>> "Yup, that's our signature.  We sign 500,000 messages per day.  We have
>> per-account rate limits.  We even run spam filters on new accounts.
>> What else do you expect us to do? "
>
> Nice one, David! I've tried to convert it into a shorter version in
> http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail#Arbitrary_forwarding

-------------------------------------------
Sender Policy Framework: http://www.openspf.org
Modify Your Subscription: http://www.listbox.com/member/
Archives: https://www.listbox.com/member/archive/735/=now
RSS Feed: https://www.listbox.com/member/archive/rss/735/
Powered by Listbox: http://www.listbox.com
--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/