[Asrg] DKIM role?
Ian Eiloart
iane at sussex.ac.uk
Mon Jan 5 07:22:02 PST 2009
--On 22 November 2008 08:43:21 -0500 Rich Kulawiec <rsk at gsp.org> wrote:
> On Thu, Nov 20, 2008 at 02:33:51PM +0000, Ian Eiloart wrote:
>> The only thing that matters is that you can reach the system
>> administrator for the domain that sent the email. Then you can assign
>> reputation to the domain, and even to the email address used.
>
> But you can do that today -- well, by IP address, at least, which is
> (as we've seen from the use of DNSBLs) nearly always good enough to
> make accept/deny decisions WRT email.

But that's not good enough. In fact it's crap. If I want to whitelist an
organisation, I can't do it because there's no principled way in which I
can know what IP address they're using to send email. I need to be able to
whitelist the domain. As long as there's nothing to stop people spoofing
the domain, the

>
> And *please* let's not try to assign reputations to individual email
> addresses, as the scalability problems involved in N users with M email
> addresses trying to track reputations of N users with M addresses,
> given that N is on the order of 10e9, are awful.

You don't have to have centralised reputation management for that. I can
manage my own address-based reputation database, once I know that email
from a given address really is coming from the owner.

>
>> happens from there on is down to local policy - it'll depend on whether
>> the domain belongs to an ISP, a university, an individual, or whatever.
>> But, you'll be able to hold the domain admin responsible for the email.
>
> I see what you're saying but we can do this *today* by IP address (and
> thus by extension) by network. In fact: we ARE doing it, and have been
> for a long time. It works quite well, without the need to invent and
> deploy any new technology.

Well, it kind of works, but really really poorly. I've had business
requests to whitelist certain domains and always resisted them because
whitelisting a domain would simply open a hole in my anti-spamming measures.

> Given that it's trivially easy to change domains (spammers go through
> them by the thousands, and ICANN seems quite intent on making this even
> easier and cheaper for them)

That's irrelevant to whitelisting. And, reputation is earned so new domains
have to work to build reputation.

> but much more difficult to forge IP addresses
> and change networks, it seems much better for anti-spam purposes to
> focus on addresses and networks, and not on domains.
>
> But there's a more fundamental problem at work here.
>
> We have to take into account the presence of a few hundred million
> 0wned systems -- whose new owners have the ability to immediately take
> possession of any authentication credentials used on them, should
> it please them to do so.
>
> So although we frequently refer to spam as "the problem", it's not
> the problem -- it's merely a symptom of the problem.

So, actually we've got two problems, given that SMTP has no mechanism for
assigning accountability. Sure, endpoint security needs addressing, but
part of the solution could be to reduce the attraction of 0wning systems by
preventing those systems from spoofing sender addresses.

> The problem is
> a serious and fundamental lack of security on a very large number of
> network endpoints. That problem remains unaddressed except in token
> fashion, which is why it continues to get worse with no sign
> of any turnaround in the foreseeable future. (And multiple signs that
> it could get much worse, i.e., the inclusion of DRM in popular OS
> releases, meaning they're pre-compromised at the factory, so to speak.)
>
> Sure, we could argue "go ahead and do it anyway", but I think that's
> not a good idea. The enemy reads these lists and the RFCs and the code,
> too, and has long since demonstrated the capacity to wait until
> something's deployed, then begin to exploit it. This is, by the way, one
> of my deep concerns with anti-forgery technologies: it's my opinion that
> widespread deployment of one will be followed shortly thereafter with
> widespread exploitation: see "few hundred million 0wned systems" above,
> and note the absence of any reason to think that corporate or ISP or
> government or university or any other networks are free of these. I'm
> worried that if we begin deploying technology that trains users to
> believe that email is REALLY from who/where it claims to be from, that
> they will eventually accept that training...at which point forgeries
> become much more dangerous than they are now, when we're training users
> never to believe that anything is from who/where it claims to be.

That's bogus. They already do believe that, in my experience.

>
> ---Rsk
--
Ian Eiloart
IT Services, University of Sussex
x3148
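
Added example (not part of the original message): a sketch of the domain whitelisting discussed above, where a whitelist entry is honoured only when the From domain was DKIM-verified, so a spoofed sender gets no bypass. It assumes the receiving MTA records its verification result in an Authentication-Results header under the hypothetical authserv-id mx.example.org and strips any inbound header carrying that id; all domains and messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.org"     # assumed: authserv-id of our own verifying MTA
DOMAIN_WHITELIST = {"partner.example"}  # constructed whitelist entry

def dkim_pass_domains(msg):
    """Return signing domains (header.d) that our own MTA recorded as dkim=pass."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        fields = authserv.split()
        if not fields or fields[0].lower() != TRUSTED_AUTHSERV:
            continue  # written by someone else, possibly the sender: ignore
        for clause in results.split(";"):
            if re.search(r"\bdkim\s*=\s*pass\b", clause, re.I):
                m = re.search(r"\bheader\.d\s*=\s*([\w.-]+)", clause, re.I)
                if m:
                    domains.add(m.group(1).lower())
    return domains

def whitelist_decision(raw_message):
    """Return 'bypass' only if the From domain is whitelisted AND DKIM-verified."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain in DOMAIN_WHITELIST and from_domain in dkim_pass_domains(msg):
        return "bypass"
    return "filter"  # unauthenticated or unknown domain: normal spam checks apply

def sample(auth_results):
    """Build a constructed message claiming to be from partner.example."""
    headers = [f"Authentication-Results: {auth_results}"] if auth_results else []
    headers += ["From: Alice <alice@partner.example>", "Subject: invoice"]
    return "\n".join(headers) + "\n\nbody\n"

SIGNED = sample("mx.example.org; dkim=pass header.d=partner.example")
UNSIGNED = sample(None)                  # From is spoofable, nothing verifies it
FORGED_HEADER = sample("mx.other.example; dkim=pass header.d=partner.example")
OTHER_SIGNER = sample("mx.example.org; dkim=pass header.d=bulk.example")

if __name__ == "__main__":
    for name in ("SIGNED", "UNSIGNED", "FORGED_HEADER", "OTHER_SIGNER"):
        print(name, whitelist_decision(globals()[name]))
```

Only the first sample bypasses filtering; the other three claim the whitelisted domain in From but fall through to normal checks.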