[ietf-dkim] ebay / eboy

Dave Crocker dhc at dcrocker.net
Mon Oct 31 14:24:56 PST 2005



dberg, Jeremy wrote:
> Another major attack vector we have seen is the one in 5.2, the use of
> similar looking domains.  We call this the "eboy" problem.  We would
> like to stress how much of a problem this is in the hopes that it can be
> further highlighted and discussed.  I know that in previous discussions
> it was decided this problem would be difficult to solve, but it would be
> good to highlight it, as perhaps with the right people looking at it, a
> possible solution or mitigation could be found.

As important as this problem is, it probably will not help the immediate
DKIM effort much, to discuss it now.

DKIM authenticates a particular domain identity, and associated content,
without offering an opinion about the wonderfulness of that identity.  And
even then it only pertains to one occurrence of the identity (or, maybe, to
associated identities in the headers.)

Use of DKIM, with an assessment service (black or white list or the like)
will help with a class of eboy problems, but it won't deal with any of the
"embedded" games played in the content.

Or have I missed something here?


> Another related attack that I did not see mentioned in the threat
> analysis is what we call the "pretty from" attack.  Most popular email
> clients display the arbitrary text in the From header as the display
> name, if there is one.  For example, if the from header were 'From
> "aw-confirm at ebay.com" <badguy at badguy.com>', the client would show
> "aw-confirm at ebay.com" as the from address.  If the signature could be
> validated against badguy.com, then the message would appear legit.  This

DKIM does not specify end-user display behaviors.


> I didn't see anything in the
> spec about verifying that the arbitrary text matches the purported From
> address.  Is this correct?  Perhaps this could be addressed as a
> possible threat in the analysis? 

SSP deals with matching the From to the DKIM identity.  Did you have any
other matching in mind?


d/

--

Dave Crocker
Brandenburg InternetWorking
<http://bbiw.net>
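The "pretty From" header described in the quoted message, together with the From-to-DKIM-identity matching Dave points at SSP for, can be checked mechanically. The following is an added example, not code from the ietf-dkim thread or from any DKIM implementation; the function names (from_domains, is_pretty_from, dkim_domain, assess) and the sample headers are constructed for this illustration. Because the list archive renders "@" as " at ", the display-name check accepts both spellings.

```python
"""Added example (not from the DKIM list thread): flag a "pretty From"
header, where the display name looks like an address at one domain while
the real addr-spec is at another, and separately check the DKIM d= domain
against the From addr-spec domain. Header samples are constructed."""
import re
from email.utils import parseaddr

# An address-like token inside a display name: "user@host" or "user at host"
# (the archive's obfuscated form). The host part must contain a dot.
ADDR_LIKE = re.compile(
    r'([A-Za-z0-9._%+-]+)\s*(?:@|\bat\b)\s*([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)')


def from_domains(from_value):
    """Return (addr_spec_domain, display_domain_or_None) for a From: value."""
    display, addr = parseaddr(from_value)
    addr_domain = addr.rpartition('@')[2].lower() if '@' in addr else None
    m = ADDR_LIKE.search(display)
    display_domain = m.group(2).lower() if m else None
    return addr_domain, display_domain


def is_pretty_from(from_value):
    """True when the display name impersonates an address at another domain."""
    addr_domain, display_domain = from_domains(from_value)
    return display_domain is not None and display_domain != addr_domain


def dkim_domain(dkim_signature_value):
    """Extract the d= tag from a DKIM-Signature value (tags are ';'-separated;
    partition on the first '=' so base64 padding in b= does not confuse it)."""
    for tag in dkim_signature_value.split(';'):
        key, _, value = tag.strip().partition('=')
        if key.strip().lower() == 'd':
            return value.strip().lower()
    return None


def assess(headers):
    """headers: dict with 'From' and optional 'DKIM-Signature'.
    Returns a list of findings; an empty list means both checks passed."""
    addr_domain, display_domain = from_domains(headers['From'])
    sig_domain = dkim_domain(headers.get('DKIM-Signature', ''))
    findings = []
    if is_pretty_from(headers['From']):
        findings.append(
            f'display name claims {display_domain}, addr-spec is {addr_domain}')
    # The From/DKIM alignment check: a signature from a domain other than
    # the From addr-spec domain says nothing about who wrote the From line.
    if sig_domain and sig_domain != addr_domain:
        findings.append(
            f'DKIM d={sig_domain} does not match From domain {addr_domain}')
    return findings


if __name__ == '__main__':
    # Constructed message matching the attack in the thread: the signature
    # validates for badguy.com, so alignment alone passes, yet the display
    # name is an address at a different domain.
    sample = {
        'From': '"aw-confirm@ebay.com" <badguy@badguy.com>',
        'DKIM-Signature': 'v=1; a=rsa-sha256; d=badguy.com; s=sel; h=from:to',
    }
    for finding in assess(sample):
        print(finding)
```

The alignment check here is a stand-in for what SSP was meant to settle (whether the From domain matches the signing domain); it deliberately does not touch the display name, which is why the separate is_pretty_from test is needed to catch the case Jeremy describes.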


