[ietf-dkim] DKIM signature can mean it's safe to generate bounce?

Douglas Otis dotis at mail-abuse.org
Fri Jul 6 22:48:44 PDT 2007


On Jul 6, 2007, at 5:59 PM, Steve Atkins wrote:

>
> On Jul 6, 2007, at 5:31 PM, Douglas Otis wrote:
>
>>
>> On Jul 6, 2007, at 5:19 PM, Steve Atkins wrote:
>>
>>>
>>> On Jul 6, 2007, at 5:09 PM, Dave Crocker wrote:
>>>
>>>> Folks,
>>>>
>>>> I'm not sure whether this fits into SSP or not, since it does  
>>>> not seem to require that a record be published. However...
>>>>
>>>> It seems to me that if a message has a DKIM signature and the  
>>>> signing domain matches the domain in the rfc2821.MailFrom  
>>>> command, then it is safe to generate a bounce message to that  
>>>> address.
>>>>
>>>> By 'safe' I mean that one can be confident that the mail will  
>>>> not go to an unwitting victim of a spoofed address.
>>>>
>>>> Am I missing something?
>>>
>>> If the mail is sent by dick at earthlink.net (or a virus on their  
>>> machine), with an envelope from address of jane at earthlink.net out  
>>> through the DKIM stamping earthlink smarthost and you generate a  
>>> bounce, that bounce will go to Jane.
>>
>> Earthlink added the signature.  This falls into the same category  
>> as would any replay problem.  Once again, tpa-ssp helps cope with  
>> that issue as well.
>
> Why do you consider this a "replay problem" when there is no replay  
> involved?

This is a replay problem; otherwise the MailFrom path would _not_ be
involved.  There is _nothing_ to even suggest Earthlink transmitted  
the message to the server bouncing the message.

-Doug
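
The check Dave Crocker proposes at the top of the thread, written out as an added example (not part of any message in this thread, and not code from any DKIM implementation). It shows that Steve Atkins's scenario passes the domain comparison, because d= covers only the domain. Assumptions: the function names, the exact-match rule, the sample header, and a `signature_verified` result supplied by a separate DKIM verifier.

```python
import re

# Constructed sample: a folded DKIM-Signature value for Steve Atkins's scenario.
SAMPLE_SIG = ("v=1; a=rsa-sha256; d=earthlink.net; s=sel1;\r\n"
              "\th=from:to:subject; bh=AAAA=; b=BBBB==")

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value (a 'tag=value;' list) into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)  # base64 values may contain '='
            tags[name.strip()] = value.strip()
    return tags

def mailfrom_domain(mail_from):
    """Lowercased domain of the rfc2821.MailFrom address, None if null/invalid."""
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].rstrip(".").lower() or None

def bounce_decision(mail_from, dkim_sig, signature_verified):
    """Return (ok_to_bounce, reason). signature_verified comes from a real
    DKIM verifier; this function does not check the signature itself."""
    domain = mailfrom_domain(mail_from)
    if domain is None:
        return (False, "null or malformed reverse-path")
    if not signature_verified:
        return (False, "signature did not verify")
    signer = parse_dkim_tags(dkim_sig).get("d", "").rstrip(".").lower()
    if signer != domain:  # exact match is an assumption of this example
        return (False, "d= does not match MailFrom domain")
    return (True, "domain match only: d= says nothing about the local part")

if __name__ == "__main__":
    for sender in ("<jane@earthlink.net>", "<jane@example.org>", "<>"):
        print(sender, bounce_decision(sender, SAMPLE_SIG, True))
```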

