[ietf-dkim] New Issue: 4.2 needs new Attack Item: InconsistentSignature vs Policy Attacks

Steve Atkins steve at blighty.com
Tue Jan 31 10:18:59 PST 2006


On Jan 31, 2006, at 9:59 AM, <Bill.Oxley at cox.com> wrote:

> Sorry,
> Should have been clearer.
>
> Bad guy sends a message purportedly from cox.com with a header
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;  s=s1024; d=cox.com
>
> The non-DKIM-compliant MTA who hasn't deployed DKIM yet or doesn't know much
> about it places a rule stating that signed messages should be allowed to
> travel inbound without further checking because DKIM is new and safe.
>
> A DKIM-compliant MTA will do a dip on my DNS records and find no SSP or
> DK record and drop the message as non-compliant.
>
> I suspect that in the beginning there will be a lot more of the former
> than the latter.

I suspect this is a non-issue.

The reason is that the early adopters of DKIM are going to be bulk
mailers. As such, any MTA or spam filtering system that's not got to
the point of actually checking DKIM signatures is going to be configured
to behave according to the correlation between DKIM headers and
unwanted mail, if they pay any attention at all.

The odds of more than a vanishingly small fraction of non-DKIM-aware
MTAs _increasing_ deliverability for DKIM headers are really low.
Decreasing, sure, but not increasing.

It's also "not our problem".

Cheers,
   Steve
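The two policies the thread contrasts, written out as an added example (not code from either poster or from any DKIM implementation): a naive inbound rule that bypasses filtering whenever a DomainKey-Signature header is present, beside a verifier that at least resolves the selector record (`<s>._domainkey.<d>`) before giving the header any weight. The header value is the one quoted in the thread; the resolver is a constructed in-memory stub standing in for DNS, and the policy names and result strings are assumptions made for illustration.

```python
"""Why "has a DomainKey-Signature header" is not a trust signal.

Compares two inbound policies for a message carrying the header quoted in
the thread. The DNS resolver is a constructed stub (no network access);
policy and result names are assumptions chosen for this example.
"""
from __future__ import annotations

from typing import Callable, Dict, Optional, Tuple

# The header value exactly as quoted in the thread (tag=value pairs, ';' separated).
CLAIMED_HEADER = "a=rsa-sha1; q=dns; c=nofws;  s=s1024; d=cox.com"

# Assumed signature for a TXT lookup: name -> record text, or None when absent.
Resolver = Callable[[str], Optional[str]]


def parse_tags(header_value: str) -> Dict[str, str]:
    """Parse a DomainKeys/DKIM-style tag list ("a=rsa-sha1; d=...") into a dict."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags


def selector_record_name(tags: Dict[str, str]) -> str:
    """Build the DNS name a verifier queries: <selector>._domainkey.<domain>."""
    for required in ("s", "d"):
        if not tags.get(required):
            raise ValueError(f"signature header lacks required tag {required!r}")
    return f"{tags['s']}._domainkey.{tags['d']}"


def naive_policy(headers: Dict[str, str]) -> str:
    """The rule the thread warns about: skip filtering because a signature header exists."""
    return "bypass-filtering" if "DomainKey-Signature" in headers else "filter"


def verifying_policy(headers: Dict[str, str], resolve_txt: Resolver) -> str:
    """Verifier-side first step: fetch the selector record. An absent record means the
    header proves nothing about the claimed domain. (Cryptographic verification of the
    signature would follow a successful lookup and is out of scope for this example.)"""
    raw = headers.get("DomainKey-Signature")
    if raw is None:
        return "filter"  # unsigned mail is ordinary mail, handled by the usual filters
    try:
        name = selector_record_name(parse_tags(raw))
    except ValueError:
        return "reject-malformed"
    if resolve_txt(name) is None:
        return "reject-unverifiable"  # no selector record: the d= claim is unsupported
    return "verify-signature"  # record found; proceed to check the signature itself


def stub_resolver(zone: Dict[str, str]) -> Resolver:
    """Constructed in-memory TXT resolver used in place of a real DNS lookup."""
    return lambda name: zone.get(name.lower())


def compare_policies(headers: Dict[str, str], zone: Dict[str, str]) -> Tuple[str, str]:
    """Return (naive decision, verifying decision) for the same message and zone."""
    return naive_policy(headers), verifying_policy(headers, stub_resolver(zone))


if __name__ == "__main__":
    # Constructed message: it carries the quoted header but nothing backs it up.
    claimed = {"DomainKey-Signature": CLAIMED_HEADER}
    # Constructed zone: the named domain has published no selector record at all.
    print(compare_policies(claimed, {}))
    # -> ('bypass-filtering', 'reject-unverifiable')
```

The naive rule grants the bypass on the strength of a header anyone can type, while the verifying path refuses to act on it until the selector record exists; with a record present it still only advances to the signature check rather than trusting the message outright.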


