[ietf-dkim] Re: New Issue: 4.2 needs new Attack Item: InconsistentSignature vs Policy Attacks
hsantos at santronics.com
Thu Feb 2 06:59:23 PST 2006
----- Original Message -----
From: "Frank Ellermann" <nobody at xyzzy.claranet.de>
To: <ietf-dkim at mipassoc.org>
> Hector Santos wrote:
> > 80-84% of all SPF policies seen by SMTP receivers are NEUTRAL
> > (relaxed) policies. Among these, at least 60% are Bad Actors
> > exploiting a RELAXED domain policy.
> It's not possible to "exploit" NEUTRAL, as it's by definition the
> same as NONE. What's so unusual with 60% spam? Apparently a
> bit lower than the average. As with DKIM the only real exploit
> is a PASS from a white-listed source.
Good points. It would have been better to just say relaxed policies, in
the case of SPF; Neutral, SoftFail.
The issue of PASS is true. Why should we trust it?
But we don't have much more we can do here but to apply or augment
optional and non-standard tracking concepts.
However, what you want to make sure you don't allow to fall through the cracks
are the mix policy and protocol inconsistencies, and that might include
mixing DKIM with other methods as well at the implementation level. But
at the very least, the protocol level.
The overall goal, at least from my (SSI) perspective, is providing
consumer confidence in your product offerings. And that includes doing a
diligent job in making sure what you are offering has a high payoff, it
is transparent as much as possible and has no vulnerabilities ignored or
The first goal is to make sure that the "rules" are followed as it is
expected to be followed. Any fault detected, in whatever form that may
be, is how your protection is realized. When the rules are relaxed,
fault detection is minimized.
Hector Santos, Santronics Software, Inc.
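The point argued above, that a relaxed SPF policy gives the receiver nothing to detect because NEUTRAL is treated like NONE, and that a PASS only means something from a domain you already trust, can be made concrete with a small evaluator. The code below is an added example, not part of the thread and not Santronics or anyone else's code. It implements only the ip4, ip6 and all terms of an SPF record (mechanisms that need DNS lookups are reported as unsupported rather than resolved), and the records, IP addresses and whitelist it uses are constructed for the demonstration.

```python
"""Simplified SPF evaluation showing how the 'all' qualifier decides what a
receiver can detect. Added example; not code from the ietf-dkim thread.
Only ip4/ip6/all terms are evaluated; mechanisms that require DNS
(include, a, mx, ptr, exists, redirect) are reported as 'unsupported'.
"""
import ipaddress

# Qualifier prefix -> SPF result name (RFC 4408 section 4.6.2).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms a real evaluator must resolve through DNS; skipped here on purpose.
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def split_qualifier(term):
    """Return (qualifier, mechanism); a missing qualifier means '+'."""
    if term and term[0] in QUALIFIER_RESULT:
        return term[0], term[1:]
    return "+", term


def policy_strength(record):
    """Result an unlisted sender gets, i.e. the qualifier on 'all'.
    A record with no 'all' term ends with the default result, neutral."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    for term in terms[1:]:
        qualifier, mechanism = split_qualifier(term)
        if mechanism.lower() == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def evaluate_spf(record, client_ip):
    """Walk the mechanisms left to right; the first match decides the result."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable record published
    for term in terms[1:]:
        qualifier, mechanism = split_qualifier(term)
        name, _, argument = mechanism.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip in network:  # False when the address families differ
                return QUALIFIER_RESULT[qualifier]
        elif name.split("=")[0] in DNS_MECHANISMS:
            return "unsupported"  # would need a DNS lookup to decide
    return "neutral"  # nothing matched (RFC 4408 section 4.7)


def fault_signal(spf_result):
    """What the receiver can act on: only 'fail' asserts that the host is
    unauthorised, 'softfail' is advisory, neutral and none assert nothing."""
    return {"fail": "strong", "softfail": "weak"}.get(spf_result, "none")


def trust_pass(spf_result, domain, whitelist):
    """A PASS only says the domain authorised the sending host. It carries
    weight only for a domain the receiver already trusts (constructed list)."""
    return spf_result == "pass" and domain.lower() in whitelist


if __name__ == "__main__":
    # Constructed records: same authorised network, different 'all' qualifiers.
    strict = "v=spf1 ip4:192.0.2.0/24 -all"
    relaxed = "v=spf1 ip4:192.0.2.0/24 ?all"
    rogue_ip = "198.51.100.7"  # outside the authorised range
    for record in (strict, relaxed):
        result = evaluate_spf(record, rogue_ip)
        print(f"{record!r}: rogue sender -> {result} ({fault_signal(result)} signal)")
```

Running it shows the same unauthorised host producing "fail" under "-all" but "neutral" under "?all"; the second is indistinguishable from a domain that published nothing, which is the sense in which a relaxed policy minimises fault detection.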