[ietf-dkim] layer violations, was detecting header mutations after signing
dotis at mail-abuse.org
Wed Oct 20 10:48:37 PDT 2010
On 10/20/10 7:27 AM, Alessandro Vesely wrote:
> On 20/Oct/10 13:23, Charles Lindsey wrote:
>> The scam I have described involves the use, by the phisher, of a
>> DKIM-signed (by himself) email with two From: headers, which is intended
>> to fool verifiers into not spotting that the first signature should have
>> triggered an ADSP lookup which would have revealed that the first From:
>> was 'discardable'.
>> Naturally, the phisher signs with a throwaway domain that has not yet
>> acquired any reputation, good or bad.
>> Since the scam involves the use of DKIM, and since the only fix I am aware
>> of requires a change to the DKIM standard, then it is highly relevant to
>> the current discussion.
> IMHO, this issue has to be addressed refining the signing spec. For
> example, the initial paragraph of section 5.4 could be modified so as
> to read:
> The From header field MUST be signed; that is, it MUST be included
> at least once in the "h=" tag of the resulting DKIM-Signature
> header field, and SHOULD be included twice (see Section 8.14). In
> addition, the signer MUST ensure that at most one instance of the
> From field actually exists in the header.
> The current PS silently assumes that there is a single From, and I
> guess most interoperability and testing has been done in such
> conditions. Hence an amendment like the text above can be understood
> as a clarification --rather than a change-- of the protocol.
> Verifiers would then discard any From field after the first one,
> whether signed or not. Of course, a combo-verifier is always free to
> return some error due to bad message syntax, even if all signatures
> verify (although I'd consider it cleaner to return non-DKIM errors for
> non-DKIM failures.)
While this represents a defensive posture that might be used prior to
DKIM reliably returning PERMFAIL when multiple From header fields are
contained within the message, it only thwarts half of the threat
created by multiple From header fields. As both Charles and I have
From: Accounts at Big-Bank.com
From: Someone at Big-IPS.com
Subject: Audit notification
<body of text saying anything>
This message could be sent directly, or distributed by replaying it to
millions of recipients.
Nothing Big-Bank.com might do with their signing mitigates this variant
of the double From header field attack. The ONLY sure method is to
ensure DKIM always returns PERMFAIL when multiple From header fields are
detected, whether both or one of them are signed.
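The mechanics both halves of this exchange rely on, as an added example that is not part of the thread and not code from any DKIM implementation: the signer/verifier below implements the RFC 6376 header-selection rule (for each name in h=, take the lowest unused instance, bottom-up; a name with no instance left contributes nothing), then runs three constructed messages through it. HMAC-SHA256 with a shared key stands in for the RSA signature, the canonicalization is a cut-down "relaxed", the messages and key are constructed, and the scenario names are mine.

```python
import hashlib
import hmac

# A header block is a list of (name, value) tuples in message order, top to bottom.

def select_signed_headers(headers, h_tag):
    """Return the header instances covered by an h= tag, in h= order.

    RFC 6376 section 5.4.2: for each name in h=, select the lowest not-yet-used
    instance of that field. A name with no remaining instance contributes nothing,
    which is what lets listing "from" twice pin the From count at signing time.
    """
    used = set()
    selected = []
    for name in h_tag.split(":"):
        name = name.strip().lower()
        for idx in range(len(headers) - 1, -1, -1):
            if idx not in used and headers[idx][0].lower() == name:
                used.add(idx)
                selected.append(headers[idx])
                break
    return selected

def canonicalize(selected):
    # Cut-down "relaxed" canonicalization: lowercase name, trimmed value, CRLF.
    return "".join(f"{n.lower()}:{v.strip()}\r\n" for n, v in selected)

def sign(headers, h_tag, key):
    """Stand-in DKIM-Signature record; HMAC replaces the real RSA signature."""
    data = canonicalize(select_signed_headers(headers, h_tag))
    return {"h": h_tag, "b": hmac.new(key, data.encode(), hashlib.sha256).hexdigest()}

def verify(headers, sig, key, reject_multiple_from=False):
    """Return "pass", "fail" or "permfail".

    reject_multiple_from=True applies the verifier-side rule argued for above:
    more than one From field is PERMFAIL no matter what the signature covers.
    """
    if reject_multiple_from and sum(1 for n, _ in headers if n.lower() == "from") > 1:
        return "permfail"
    data = canonicalize(select_signed_headers(headers, sig["h"]))
    expected = hmac.new(key, data.encode(), hashlib.sha256).hexdigest()
    return "pass" if hmac.compare_digest(expected, sig["b"]) else "fail"

def displayed_from(headers):
    """Many MUAs show the first From field they find; return that one."""
    for n, v in headers:
        if n.lower() == "from":
            return v
    return None

KEY = b"constructed-selector-key"  # constructed; stands in for the signer's private key

# Scenario 1 (Lindsey's scam): the phisher signs a two-From message with From
# listed once. Selection takes the LAST From, so the signature covers the
# phisher's address while the first, displayed, From is unsigned.
PHISH = [
    ("From", "Accounts at Big-Bank.com"),
    ("From", "Someone at Big-IPS.com"),
    ("Subject", "Audit notification"),
]
phish_sig = sign(PHISH, "from:subject", KEY)

def scenario_single_from_in_h():
    return verify(PHISH, phish_sig, KEY), displayed_from(PHISH)

# Scenario 2 (Vesely's "include From twice"): an honest signer over-signs a
# one-From message; someone later prepends a From. The second "from" slot was
# empty when signed and now hashes the injected field, so the signature breaks.
HONEST = [("From", "Someone at Big-IPS.com"), ("Subject", "Audit notification")]
honest_sig = sign(HONEST, "from:from:subject", KEY)
MUTATED = [("From", "Accounts at Big-Bank.com")] + HONEST

def scenario_oversigned_mutation():
    return verify(HONEST, honest_sig, KEY), verify(MUTATED, honest_sig, KEY)

# Scenario 3 (Otis's variant): the phisher IS the signer and signs both From
# fields. Over-signing does not help, the signature is valid; only the
# verifier-side multiple-From rule rejects it, signed once or twice.
phish_sig2 = sign(PHISH, "from:from:subject", KEY)

def scenario_both_from_signed():
    return (verify(PHISH, phish_sig2, KEY),
            verify(PHISH, phish_sig2, KEY, reject_multiple_from=True),
            verify(PHISH, phish_sig, KEY, reject_multiple_from=True))

if __name__ == "__main__":
    print(scenario_single_from_in_h())
    print(scenario_oversigned_mutation())
    print(scenario_both_from_signed())
```

Scenario 1 returns pass together with the Big-Bank address as the displayed sender; scenario 2 returns pass for the original and fail once a From is prepended; scenario 3 returns pass under plain verification and permfail under the multiple-From rule whether the phisher signed one From or both, which is the point made at the end of the message.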