Hi. I would like to make it very clear that this message is an individual technical contribution and I'm not speaking as an AD.

I'd like to make sure the issue of replays is covered at the BOF and is something the IETF community considers carefully before approving a charter for this working group. I understand this mailing list has come to accept replays as a cost of DKIM, but I believe that the IETF as a whole needs to consider that issue. To be clear, I'm asking for discussion, not saying I believe DKIM is a bad idea. I'm fine with an informed consensus to proceed.

I'd like to remind the list of section 9.5 of the DKIM base draft.

   9.5 Replay Attacks

   In this attack, a spammer sends a message to be spammed to an accomplice, which results in the message being signed by the originating MTA. The accomplice resends the message, including the original signature, to a large number of recipients, possibly by sending the message to many compromised machines that act as MTAs. The messages, not having been modified by the accomplice, have valid signatures.

   Partial solutions to this problem involve the use of reputation services to convey the fact that the specific email address is being used for spam, and that messages from that signer are likely to be spam. This requires a real-time detection mechanism in order to react quickly enough. However, such measures might be prone to abuse, if for example an attacker resent a large number of messages received from a victim in order to make them appear to be a spammer.

I'd like to ask us to think particularly about the impact of this attack on business models of medium-sized ISPs. Fundamentally, few people are going to block all mail from AOL, Yahoo, Gmail or the like. However, smaller ISPs have been subjected to a wide variety of problems with various blackhole lists. Sometimes this was because they were doing something wrong, sometimes the blackhole lists were doing something wrong.
There's a lot of debate about where the right balance is that I would like to avoid. However, there is a similar issue with DKIM. It's not clear what policies a medium-sized ISP could adopt to avoid being subject to such an attack. It's not clear how you could maintain a reputation while still defaulting to providing service to anyone who wants an account. Do we care? Is this acceptable to the operations communities?
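The "real-time detection mechanism" that section 9.5 calls for, sketched from the receiving side as an added example; this is not code from the message above or from the DKIM draft. The signer domain, addresses, sending hosts and thresholds are constructed assumptions.

```python
"""Receiver-side detection of DKIM signature replay (added example, not from the
original message). A replayed message is byte-identical to the original, so its
DKIM-Signature b= tag is identical too: one (d=, b=) pair fanning out to many
recipients from many sending hosts in a short window is a replay signal.
Thresholds and the sample traffic below are constructed assumptions."""
import re
from collections import defaultdict


def parse_dkim_tags(header: str) -> dict:
    """Split a (possibly folded) DKIM-Signature header value into tag=value pairs."""
    tags = {}
    for part in re.sub(r"\s+", "", header).split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name] = value
    return tags


class ReplayDetector:
    def __init__(self, window_s=3600, max_recipients=200, max_sources=5):
        self.window_s, self.max_recipients, self.max_sources = window_s, max_recipients, max_sources
        self.seen = defaultdict(list)  # (signer domain, b= value) -> [(ts, rcpt, src_ip)]

    def observe(self, ts, src_ip, rcpt, dkim_header):
        """Record one delivery; return a finding when the signature looks replayed."""
        tags = parse_dkim_tags(dkim_header)
        if "d" not in tags or "b" not in tags:
            return None
        key = (tags["d"].lower(), tags["b"])
        events = [e for e in self.seen[key] if ts - e[0] <= self.window_s]  # sliding window
        events.append((ts, rcpt.lower(), src_ip))
        self.seen[key] = events
        recipients = {e[1] for e in events}
        sources = {e[2] for e in events}
        if len(recipients) > self.max_recipients or len(sources) > self.max_sources:
            # Scoped to one signature: replaying a victim's mail must not by itself
            # sink the signer's whole domain reputation (the abuse the draft warns
            # about), so route this to review/reputation scoring, not a blocklist.
            return {"signer": key[0], "recipients": len(recipients), "sources": len(sources)}
        return None


def run_sample_traffic():
    """Constructed traffic: a legitimate 40-recipient mailing, then a replay fan-out."""
    sig = ("v=1; a=rsa-sha256; d=example.net; s=sel; h=from:to:subject;\r\n"
           " bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n b=dGVzdA==")
    det = ReplayDetector()
    legit = [det.observe(100 + i, "198.51.100.7", f"u{i}@example.org", sig) for i in range(40)]
    replay = [det.observe(5000 + i, f"203.0.113.{i}", f"v{i}@example.org", sig) for i in range(10)]
    return legit, replay
```

The legitimate mailing stays below both thresholds, while the same signature arriving from a sixth distinct host inside the window produces a finding that names the signature's domain but does not decide anything about that domain on its own.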