[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Trouble with Sender Authentication

To: "K.J. Petrie" <ietf-mxcomp.lists@xxxxxxxxxxxxx>
Subject: Re: Trouble with Sender Authentication
From: Douglas Otis <dotis@xxxxxxxxxxxxxx>
Date: Thu, 2 Nov 2006 14:08:42 -0800
Cc: ietf-mxcomp@xxxxxxx
In-reply-to: <200611021612.13627.ietf-mxcomp.lists@xxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-mxcomp/mail-archive/>
List-id: <ietf-mxcomp.imc.org>
List-unsubscribe: <mailto:ietf-mxcomp-request@imc.org?body=unsubscribe>
References: <200611021612.13627.ietf-mxcomp.lists@xxxxxxxxxxxxx>
Sender: owner-ietf-mxcomp@xxxxxxxxxxxx



On Nov 2, 2006, at 8:12 AM, K.J. Petrie wrote:

SPF, for instance, breaks forwarding. This will stop it catching onwidely, because domain owners are likely to use forwarding fortheir incoming mail.

Forwarding is a problem in any address-path registration scheme.Sender-ID alters rfc2822 by asking for a Resent-From header,superseding either Sender or From headers, to be added by forwardingagents. Those advocating SPF-Classic want the MailFrom altered bythe forwarding agent where the original domain is folded into thelocal-part along with a hash and a time-stamp. DSNs are relayedthrough the last forwarding agent.

There is an alternative to SPF-Classic that uses DKIM signedmessages. An association of the Mail-From domain with that of thesigning-domain can validate the DSN address through an associationscheme.


An association could look something like:

<base32(sha1(signing-domain))>._DKIM-M.<mail-from> TXT "d=signing-domain"


See:
http://tools.ietf.org/wg/dkim/draft-otis-dkim-dosp-02.txt

This scheme assures the DSN address in one reliable and small DNStransaction. There would not be any concerns related to forwardingbreaking an address path registration scheme. An association schemeworks without the cooperation of forwarding agents as well.

And where will that leave us? Back where we started, but withincreased network traffic and DNS load doing useless checks.

It is much worse actually. SPF scripts allow each spam to generatehundreds of targeted DNS transactions using the resources of thoserecipients foolish enough to run these scripts. Poorly conceivedtimeouts in SPF libraries compounds the problem, as this also removescongestion avoidance. SpamAssassin's default timeout is 5 seconds,for example. Any SPF domain can target any other domain with 100 DNStransactions per instance, name, and recipient.


See:
http://www.ietf.org/internet-drafts/draft-otis-spf-dos-exploit-01.txt
 or
http://www.sonic.net/~dougotis/maawg/SPF%20Exploit%20Concerns-maawg.pdf

Certainly, my experience with spam is that, wherever it appears tocome from, there are only five or six basic variants being sentrepeatedly at any one time. Therefore, it is likely all this mailis coming from only five or six real sources which have managed toinfiltrate the Internet at a large number of points. Do we reallyimagine people who do that will be put off by the need to run alittle more automated research?

More than 70% of these messages are introduced from compromisedsystems, often in concert in the tens of thousands. SPF allows forexploits far more nefarious than research.

Identifying spammers (or, more likely, trojanised mailers) andtheir reply websites (or, again more likely, trojanised proxies) isonly as good as the abuse desks which take action, andoverstretched resources take time to close down these gateways. Thespammers know this, and presumably make their profit in theintervening interval, and are always ready to move on. They are theInternet's suitcase boys, standing on a street corner and ready torun when a police officer comes within sight. To make spamming andthe associated activities unprofitable requires an automatedsystem which either cannot be abused, or which punishes abuse sorapidly it cannot be worthwhile.

DKIM always signed by the transmitting entity in conjunction withstandardized opaque identifiers and an opaque-identifier revocationscheme would be a solution that could streamline abuse reportingaimed at eliminating much of the spam.


See:
http://tools.ietf.org/wg/dkim/draft-otis-dkim-security-concerns-01.txt

This list remains available for continued discussions of any MARIDrelated issues. The spf-discuss reflector required participants tofirst agree with the promotion of SPF. An insurmountable barrier forsome. : )

A primary use of SPF is for white-listing bulk senders (otherwisefrequently being block-listed). DKIM in conjunction with an SMTPClient association scheme more reliably fulfills that purpose, wherethe DNS transactions are significantly reduced as well. Whenvalidating the EHLO is first, a DDoS attack is rather improbable.


-Doug

Follow-Ups:
- Re: Trouble with Sender Authentication
  - From: wayne

References:
- Trouble with Sender Authentication
  - From: K.J. Petrie

Prev by Date: Re: Trouble with Sender Authentication
Next by Date: Re: Trouble with Sender Authentication
Previous by thread: Re: Trouble with Sender Authentication
Next by thread: Re: Trouble with Sender Authentication
Index(es):
- Date
- Thread