(I've noticed the "rechartering" thread, but I don't think it should squelch this since I am speaking meta to the replay exploit, not suggesting technical measures.)
More than a hundred e-mails have streamed through my in-box lately, all about a silly exploit in DKIM. While it is real, I immediately notice that it can't really do any damage if the recipient is using DKIM *properly*.

It's important to remember that DKIM/DMARC is an anti-forgery protocol, not an anti-spam protocol. There are *two* ways an anti-forgery technique can provide useful input to an anti-spam system:

First, if the anti-forgery technique can assert that a message *is* forged, and not just failing the test because the alleged sender isn't participating, then it is reasonable to ignore any heuristics indicating the message is not spam, and fail it.

Second, if the anti-forgery technique asserts the message is genuine, and *YOU* *KNOW* *THE* *RECIPIENT* *TRUSTS* *THAT* *SPECIFIC* *SENDER*, then it is reasonable to ignore any heuristics indicating the message is spam, and pass it.

Going further is folly. Without trust in the identity claimed, all anti-forgery-system blessings just become Habeas Haikus (anyone remember that?).

Last I looked, DMARC makes no allowance for the mailing list problem; either you know none of your users posts to any mailing list or your DMARC policy has to be inert. Practically, only an address from a public e-mail provider can be "forged" by the hack. And those providers cannot assume they have no users who use mailing lists, so (if sane) their DMARC will always be inert. Even if someone attempted the exploit but accidentally still broke the signature, the hard-failure case would never apply.

The spammer has to at least momentarily control the address he uses as From: -- he cannot forge someone his victim trusts (unless the e-mail provider is lazy and doesn't check for internal address forgery before signing, which would be their fault alone). So the hard-success case will also never apply on exploit mail.

It's only fools who can't accept the truth that DKIM can only give anti-spam input for a minuscule proportion of incoming mail, and thus upscore all signed mail, who have to fear this hack. And if this hack was miraculously blocked, they'd still be wide open to more straightforward spammers. Ones who pay for their own domain and happily participate in every anti-forgery scheme.

----
Michael Deutschmann <[email protected]>

_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
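As an added illustration (not part of the original post), the two cases the author describes, written as the decision logic a receiver would apply before letting a DKIM/DMARC result override content heuristics. The `AuthResult` fields, the trusted-sender set and the scenario messages are constructed assumptions; SPF alignment is left out to keep the example to the post's DKIM argument.

```python
from dataclasses import dataclass

@dataclass
class AuthResult:
    """Authentication results for one message (simplified, assumed fields)."""
    from_addr: str      # RFC5322.From address the recipient sees
    dkim_pass: bool     # signature verified; a replayed message still verifies
    dkim_domain: str    # d= of the verified signature, "" if none
    dmarc_policy: str   # p= published by the From domain: "none", "quarantine", "reject", or ""

def decide(auth: AuthResult, trusted_senders: set[str]) -> str:
    """Return 'hard-fail', 'hard-pass', or 'heuristics' (defer to content scoring)."""
    from_domain = auth.from_addr.rsplit("@", 1)[1].lower()
    aligned = auth.dkim_pass and auth.dkim_domain.lower() == from_domain
    # Hard-failure case: under a non-inert policy, a misaligned result asserts forgery
    # rather than mere non-participation, so "looks like ham" heuristics are ignored.
    if not aligned and auth.dmarc_policy in ("quarantine", "reject"):
        return "hard-fail"
    # Hard-success case: genuine *and* the recipient trusts this specific sender.
    if aligned and auth.from_addr.lower() in trusted_senders:
        return "hard-pass"
    # Everything else, a verifying-but-replayed signature included, gets no uplift.
    return "heuristics"

def run_scenarios() -> dict[str, str]:
    """Constructed messages; example.com, example.org and bigmail.example are placeholders."""
    trusted = {"alice@example.com"}
    scenarios = {
        # Replay: spammer's own throwaway at a public provider, valid signature, p=none.
        "replayed": AuthResult("spammer@bigmail.example", True, "bigmail.example", "none"),
        # Direct forgery of the trusted sender under a p=reject domain: no aligned signature.
        "forged_trusted": AuthResult("alice@example.com", False, "", "reject"),
        # The real trusted sender with an aligned signature.
        "genuine_trusted": AuthResult("alice@example.com", True, "example.com", "reject"),
        # Non-participant: no signature and no DMARC record, so a failure proves nothing.
        "unsigned_nonparticipant": AuthResult("bob@example.org", False, "", ""),
    }
    return {name: decide(auth, trusted) for name, auth in scenarios.items()}

if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} -> {verdict}")
```

The replayed message verifies but lands in the "heuristics" bucket, which is the post's point: a valid signature on its own earns no pass.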
