[ietf-dkim] Fwd: Re: New Issue: protecting a domain name vs.protecting a domain tree

MH Michael Hammer (5304) MHammer at ag.com
Fri Apr 11 09:59:09 PDT 2008 


> -----Original Message-----
> From: ietf-dkim-bounces at mipassoc.org [mailto:ietf-dkim-
> bounces at mipassoc.org] On Behalf Of Charles Lindsey
> Sent: Friday, April 11, 2008 12:10 PM
> To: DKIM
> Subject: [ietf-dkim] Fwd: Re: New Issue: protecting a domain name
> vs.protecting a domain tree
> 
> On Wed, 09 Apr 2008 19:27:27 +0100, Dave Crocker <dhc at dcrocker.net>
wrote:
> 
> > Eric Allman wrote:
> >> Dave, I'm not understanding how the algorithm can work if you omit
step
> >> 2 from section 4.2.2.
> 
> > The attack that you describe requires using some name other than the
one
> > that is
> > listed.  The single, specific name that is listed is, indeed,
> > "protected".
> 
> Sure, if a phisher includes
>       From: info at ebay.com
> then SSP/DKIM will catch him.
> 
> If the phisher includes
>      From: info at ezbay.com
> then we know that SSP/DKIM cannot catch him, and there is not much we
can
> do about that other than to advise phishees to read From headers
_very_
> carefully.
> 
> But if the phsher includes
>       From: info at mailout.ebay.com
> where the domain mailout.ebay.com does not exist, then it needs to be
> caught somehow, since the phishee will look at it _very_ carefully and
> will find it perfectly reasonable (as indeed it is).
> 
> So if we cannot arrange that mailout.ebay.com is not caught by some
> sub-domain mechanism within SSP, then we at leaast need to say,
perhaps
> non-normatively:
> 
> "Although it is impossible to obtain an SSP record for a non-existant
> sub-domain of a protected domain, verifiers might well choose to to
> reject/discard/whatever messages with non-existent domains in From
headers
> as a matter of policy quite separate from their policies arising from
> SSP/DKIM."
> 
> 
> 

This is one of the reasons that I raised the question of whether it is
possible to find the "base" domain (not TLD) that the organization
controls. If this is possible then we may have the ability for ADSP to
assert that all sub-domains in a tree only send mail that is DKIM
signed. If this is not possible to do then I don't know that
non-existent sub-domains can be protected by DKIM/ADSP.

Mike

More information about the ietf-dkim mailing list