On 5/19/15 8:25 PM, John Levine wrote:
>> The challenge here is that the second signer may not have anything to do
>> with the message.  Since, except for From, only invisible parts of the
>> message are signed, the signature could be applied to almost any email.
>> Using the reputation of the second signer's domain is not substantially
>> different than using the reputation of an unauthenticated identity.  I
>> don't see how that helps.
> The second signer has at least enough to do with the message that it
> has a real message in hand with permission to re-sign.
>
> Remember the problem that got us here in the first place: AOL and
> Yahoo had security failures that let crooks steal zillions of address
> books, who then used botnets to send spam to AOL and Yahoo users that
> appeared to be from other AOL and Yahoo users that they knew.  The
> actual source of the mail had nothing to do with AOL or Yahoo, or any
> system that had ever gotten mail from AOL or Yahoo.
>
> The double signing hack limits the opportunity for trouble to mail
> systems that have a recent real message in hand.  While I can
> certainly imagine spammy scenarios, it's hard to imagine ones that
> wouldn't be fairly easy to detect and shut down.  If nothing else, if
> the original sender gets spam reports about double signed mail (there
> are FBLs that key on DKIM signature) it can tell who's screwing
> around and stop putting conditional signatures on mail to them.
Dear John,

I receive similar levels of spoofed friends who once had
accounts with Yahoo and AOL.  The phishing now tends to
depend on the look and feel of the Display name rather than
having an exact domain.  In these cases DMARC offers little
to no value.

Mediators could apply a policy suitable for blocking input
failing an initial hop from the DMARC domain.  Any
subsequent policy would then need to carve out exceptions
for mediator domains that their DMARC feedback should
clearly identify.  Once a two stage policy scheme is
facilitated that only the DMARC domain can monitor via their
feedback, then only the DMARC domain would be able to spoof
one of their own users.  If someone cheated, the exceptions
to permit these mediators could be immediately retracted.  
The daisy-chain alternative you proposed provides a DMARC
domain less ability to stop bad actors and causes far
greater change to email infrastructure for little benefit.

A similar regimentation scheme will be needed.  I still
think this should be published as SHA-1 hash labels, but
that optimization seems to make people think it is too
complex.  People need to think of it like a box of
chocolates: you never know what you are going to get.
Whatever the answer, it is authoritatively delicious. :^)

Regards,
Douglas Otis
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc