[ietf-dkim] Issue: Deployment Guide Section 6.1/6.5 (ADSP/Forwarder) conflict
iane at sussex.ac.uk
Fri Oct 23 08:03:31 PDT 2009
--On 23 October 2009 10:29:17 -0400 "John R. Levine" <johnl at iecc.com> wrote:
>>> If, as I suspect, bad guys spoofing their way onto lists past admins
>>> unwilling to do inbound filtering is not an actual problem, perhaps we
>>> could agree not to waste time inventing mechanisms to solve it?
>> I don't think that's what people have been worried about. I think
>> they've been worried about spammers adding list headers to messages, in
>> order to remove the ADSP protection. There's also the possibility of
>> spammers subscribing to lists. Still, a well managed list should have a
>> good reputation, and I don't see much list abuse.
> This strikes me as an even more arcane and implausible threat. Since
> spammers don't add fake list headers to evade filtering now, why would
> they start now?
Well, they won't do it yet. They may start to do it if it becomes hard to
deliver email otherwise. With future widespread MSA, DKIM, ADSP and SPF, I
think it's theoretically possible that all mail could be checked for
authorisation some day. Therefore, spammers will need to look for ways to
sponge off domains with good reputations (newly registered domains won't
have good reputations). Forging list-id headers might be a way to do it.
> Wouldn't the correct response be for lists to sign their mail to help
> recipients recognize real list mail? That has the advantage of requiring
> no changes to any IETF document.
>> I agree that we don't need additional mechanisms, but think we do need
>> better clarity on the distinction between dkim=all and dkim=discardable.
> Since ADSP is useless to the 99.99% of domains that are not phish targets
> like Paypal (and probably useless even there), that would be an extremely
> poor use of limited resources. It would be much more useful to help
> people who write and use list software get the lists to sign their mail
> so you can whitelist real list mail from lists you know.
All sites with good email sender reputation are phish targets these days.
We're seeing spear phishing attempts several times per week nowadays.
Success generally results in web mail accounts being used to send 419
scams, or further phishing. Phishers value our accounts enough that they'll
enter an exchange of emails with a user in order to convince the user to
give up a password.
I'm not sure that I can see a business case for anyone else to use our
addresses in From: headers. Certainly not without prior arrangement, and
DKIM delegation can allow that. So, I can see value in ADSP for our site.
Anyway, the point of clarifying the distinction is to prevent people making
the mistake that you seem to be expecting them to make.
IT Services, University of Sussex
For new support requests, see http://www.sussex.ac.uk/its/help/