The hacker does not need access to my zone, he just attaches a lookalike
header. Yes: "And to have *any* rule that allows bypass of defense
based upon the receipt of a header from outside your control is
extremely dangerous." But folks will do it anyway.

Bill Oxley 
Messaging Engineer 
Cox Communications, Inc. 
Alpharetta GA 
404-847-6397 
[EMAIL PROTECTED] 


-----Original Message-----
From: Michael Thomas [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, January 31, 2006 12:08 PM
To: Oxley, Bill (CCI-Atlanta)
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; ietf-dkim@mipassoc.org
Subject: Re: [ietf-dkim] New Issue: 4.2 needs new Attack Item:
Inconsistent Signature vs Policy Attacks

[EMAIL PROTECTED] wrote:
> If I do not publish any key records and a bad actor whips up an email
> purported to be from me with a fake signature attached, a non-DKIM-
> compliant MTA may have a rule that states "signed messages are probably
> okay" that might bypass some spam checking software. Before DKIM is
> fully adopted/deployed expect to see this happen,

Unless the attacker also has access to your zone, they won't
be able to insert their key into it, and thus the signature will
never verify. And to have *any* rule that allows bypass of defense
based upon the receipt of a header from outside your control is
extremely dangerous. It would be nothing better than a 
security-through-obscurity backdoor.

                Mike

_______________________________________________
ietf-dkim mailing list
http://dkim.org
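As an added illustration that is not part of this thread: a minimal verifier in Python with a constructed zone table, contrasting the "signed messages are probably okay" rule Bill describes with a decision based on the verification result Mike describes. HMAC-SHA256 stands in for DKIM's RSA signature so the block runs with the standard library only; the domains, selector and key record are assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for DNS: "selector._domainkey.domain" -> key record text.
# example.com publishes no key record at all, which is Bill's scenario: nothing
# an attacker attaches over d=example.com can ever verify.
DNS_ZONE = {
    "s1._domainkey.trusted.example": "v=DKIM1; k=hmac; p=c2VjcmV0LWtleQ==",
}

def parse_tags(tag_list: str) -> dict:
    """Split a DKIM-style tag list ('v=1; d=...; s=...') into a dict."""
    return {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in tag_list.split(";") if "=" in t)}

def sign(headers: dict, body: str, domain: str, selector: str) -> dict:
    """Signer side (stand-in): HMAC-SHA256 over the body with the zone's key."""
    key = parse_tags(DNS_ZONE[f"{selector}._domainkey.{domain}"])["p"].encode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    sig = f"v=1; a=hmac-sha256; d={domain}; s={selector}; b={tag}"
    return {**headers, "DKIM-Signature": sig}

def verify(headers: dict, body: str) -> str:
    """Return 'none', 'permfail' or 'pass', the way a DKIM verifier reports."""
    sig = headers.get("DKIM-Signature")
    if sig is None:
        return "none"
    tags = parse_tags(sig)
    record = DNS_ZONE.get(f"{tags.get('s')}._domainkey.{tags.get('d')}")
    if record is None:
        return "permfail"  # no key in the signer's zone: the signature cannot verify
    key = parse_tags(record)["p"].encode()
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return "pass" if hmac.compare_digest(expected, tags.get("b", "")) else "permfail"

def naive_rule(headers: dict, body: str) -> bool:
    """The dangerous rule from the thread: header present means 'probably okay'."""
    return "DKIM-Signature" in headers

def verified_rule(headers: dict, body: str) -> bool:
    """Only a signature that actually verifies may relax filtering."""
    return verify(headers, body) == "pass"

# Constructed forged message: a lookalike header over a domain with no key record.
FORGED_HEADERS = {"From": "ceo@example.com",
                  "DKIM-Signature": "v=1; a=rsa-sha256; d=example.com; s=s1; b=deadbeef"}
FORGED_BODY = "please wire the money today"
```

The forged message passes `naive_rule` but `verify` reports `permfail` because no key exists under `s1._domainkey.example.com`, so `verified_rule` rejects it.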
