
Re: Replay attacks and ISP business models

Sam Hartman wrote:
> I'd like to ask us to think particularly about the impact of this
> attack on business models of medium sized ISPs.  Fundamentally few
> people are going to block all mail from AOL, Yahoo, Gmail or the
> like.  However smaller ISPs have been subjected to a wide variety of
> problems with various blackhole lists.  Sometimes this was because
> they were doing something wrong, sometimes the blackhole lists were
> doing something wrong.  There's a lot of debate about where the right
> balance is that I would like to avoid.

Are you implying that this problem wouldn't crop up without the "replay" problem? I expect that it would, although I'd hope we're past many of the teething pains given the existence of RBLs for quite some time now.

> However there is a similar issue with DKIM.  It's not clear what
> policies a medium sized ISP could adopt to avoid being subject to such
> an attack.  It's not clear how you could maintain a reputation while
> still defaulting to providing service to anyone who wants an account.

I would expect that outgoing spam filtering ought to be the norm for ISPs. I don't believe that's currently the case (?). And in particular, an ISP may want to *really* dial up the filters for new and/or quiescent accounts. And I don't think that this is just an ISP problem: zombied machines in an enterprise could lead to negative reputation too.

There's also room for further work in the area of
accreditation. Note also that DKIM has an expiry
on the signature, so there is at least some time horizon
for an individual attack.

> Do we care? Is this acceptable to the operations communities?

Yes, at least I care. What's not entirely clear to me is whether this is a new attack per se, or just a permutation of an old one. Lots of spam is relayed through ISP MTAs today. Those MTAs doing outbound filtering would help a lot regardless of whether DKIM is around or not. DKIM seems to me to help the incentive to do that kind of policing. A wildcard is that I believe that some ISPs are not allowed to block outgoing mail (European?). This might put them in an untenable position even if they have good remediation procedures. I have some thoughts here, but I'm afraid I might be out in the weeds.

Mike
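
The signature expiry mentioned above is DKIM's optional x= tag (seconds since the epoch, paired with the t= signing timestamp); a replayed message stays verifiable only until that time. The following is an added example, not part of the original thread and not code from any DKIM implementation: a verifier-side sketch of that time-horizon check. It parses the DKIM-Signature tag list and rejects a signature that is expired, stamped in the future, malformed (x= not after t=), or older than a local maximum age the verifier applies even when the signer omitted x=. The header value is constructed, the bh=/b= values are placeholders (no cryptographic verification is done), and the skew and max_age values are assumed policy parameters.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample DKIM-Signature value (not taken from the original post).
# bh= and b= are placeholders; only the t= and x= timestamps matter here.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
    "h=from:to:subject:date; t=1700000000; x=1700086400; "
    "bh=cGxhY2Vob2xkZXI=; b=c2lnbmF0dXJl"
)


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into its tag=value pairs.

    Tags are ';'-separated, the name ends at the first '=', and folding
    whitespace may appear inside values (RFC 6376 tag-list syntax).
    Minimal illustration only; it does not validate individual tags.
    """
    tags: Dict[str, str] = {}
    for field in header_value.split(";"):
        field = field.strip()
        if not field:
            continue  # a trailing ';' is legal
        name, sep, value = field.partition("=")  # split at the first '='
        name = name.strip()
        if not sep or not name:
            raise ValueError(f"malformed tag: {field!r}")
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        tags[name] = re.sub(r"\s+", "", value)  # drop folding whitespace
    return tags


def signature_time_window(tags: Dict[str, str], now: int,
                          max_age: int, skew: int = 300) -> Tuple[bool, str]:
    """Decide whether a signature is inside its usable time window.

    now     -- verifier's clock (seconds since epoch)
    max_age -- assumed local policy: oldest t= the verifier will accept,
               which bounds replay even if the signer set no x=
    skew    -- assumed tolerance for clock differences between signer
               and verifier
    Returns (accepted, reason).
    """
    t: Optional[int] = int(tags["t"]) if "t" in tags else None
    x: Optional[int] = int(tags["x"]) if "x" in tags else None

    if t is None and x is None:
        # Verifiable forever: exactly the unbounded replay case.
        return (True, "no-time-horizon")
    if t is not None and x is not None and x <= t:
        return (False, "x-before-t")        # spec requires x > t
    if t is not None and t > now + skew:
        return (False, "future-timestamp")  # signed "in the future"
    if x is not None and now > x + skew:
        return (False, "expired")           # signer's own horizon passed
    if t is not None and now - t > max_age:
        return (False, "too-old")           # verifier's stricter horizon
    return (True, "ok")


def check_header(header_value: str, now: int,
                 max_age: int = 7 * 86400) -> Tuple[bool, str]:
    """Parse and apply the time-window check in one call."""
    return signature_time_window(parse_dkim_tags(header_value), now, max_age)


if __name__ == "__main__":
    t_sign = 1700000000
    for label, now in (("shortly after signing", t_sign + 1000),
                       ("replayed 25 hours later", t_sign + 90000)):
        print(label, "->", check_header(SAMPLE_HEADER, now))
```

The point of the max_age branch is that the time horizon Mike refers to only exists when the signer chooses to set x=; a verifier that wants a bound against replay regardless of signer policy has to impose one on t= itself, at the cost of rejecting legitimately delayed mail.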