> -----Original Message-----
> From: John Levine [mailto:[email protected]]
> Sent: Wednesday, October 12, 2011 11:31 PM
> To: [email protected]
> Cc: Murray S. Kucherawy
> Subject: Re: [marf] New Version Notification - draft-ietf-marf-authfailure-report-03.txt
>
> >I'm a little worried about the "send one report per authentication
> >failure" because if I send a message with twenty bogus signatures
> >bearing your domain name, that's an amplification attack.
>
> I suppose, although if I want to mailbomb you indirectly, it's not
> noticeably harder to send 20 messages each with one bogus signature.
> Until now, all of the major use of ARF was to send back mail to the
> actual sender, so you could never get more reports than you sent mail.
> This thing solicits reports of mail sent by other people so the risk
> of indirect mailbomb is inherent in it.
Sounds like fodder for Security Considerations then.

> >It's covered by "ext-field" in Section 3.5 of RFC5965, isn't it?
>
> Not if they're supposed to go into the repeating groups.

Oops, right.

_______________________________________________
marf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/marf
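The amplification the two posters are discussing, as an added example that is not part of the thread, the draft, or any ARF implementation: one inbound message carries twenty DKIM-Signature headers that all claim d=victim.example and all fail to verify. A reporter that follows "one report per authentication failure" literally emits twenty reports to the victim for that single message; the coalescing reporter below emits at most one report per (Message-ID, reported domain) and carries the failure count inside it. The message, the Message-ID, the domain names and the stand-in verifier are all constructed for this example, and coalescing is an assumed mitigation, not something the draft specifies.

```python
"""
Model of report amplification from one message with many bogus signatures.
Everything here is constructed for illustration: the attack message, the
Message-ID, the domains, and a verifier that fails every signature.
"""
import re
from email import message_from_string
from email.message import Message

VICTIM = "victim.example"            # constructed domain the bogus signatures name
MESSAGE_ID = "<attack-1@attacker.example>"   # constructed, fixed so runs are repeatable


def build_attack_message(domain: str, n_signatures: int) -> str:
    """Construct a message with n DKIM-Signature headers, all d=<domain>.

    The b= values are garbage, so a real verifier would fail every one;
    that is exactly the "twenty bogus signatures" case from the thread.
    """
    sigs = "".join(
        f"DKIM-Signature: v=1; a=rsa-sha256; d={domain}; s=sel{i};\n"
        f"\th=from:subject; bh=AAAA; b=BOGUS{i}\n"
        for i in range(n_signatures)
    )
    return (
        f"{sigs}"
        "From: attacker@attacker.example\n"
        "To: recipient@reporter.example\n"
        "Subject: hello\n"
        f"Message-ID: {MESSAGE_ID}\n"
        "\n"
        "body\n"
    )


def signing_domains(msg: Message):
    """Yield the d= tag of every DKIM-Signature header, in header order."""
    for raw in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", raw)
        if m:
            yield m.group(1).lower()


def verify(sig_domain: str) -> bool:
    # Stand-in for a DKIM verifier: every constructed signature is bogus.
    return False


def naive_reports(raw: str):
    """One authentication-failure report per failed signature.

    This is what a literal reading of "send one report per authentication
    failure" produces: N failed signatures -> N reports to the named domain.
    """
    msg = message_from_string(raw)
    return [
        {"Reported-Domain": d, "Message-ID": msg["Message-ID"]}
        for d in signing_domains(msg)
        if not verify(d)
    ]


def coalesced_reports(raw: str):
    """At most one report per (Message-ID, reported domain).

    Assumed mitigation: failures for the same domain in the same message are
    folded into a single report that carries the failure count.
    """
    msg = message_from_string(raw)
    mid = msg["Message-ID"]
    failures = {}
    for d in signing_domains(msg):
        if not verify(d):
            failures[d] = failures.get(d, 0) + 1
    return [
        {"Reported-Domain": d, "Message-ID": mid, "Failed-Signatures": n}
        for d, n in failures.items()
    ]


def amplification(raw: str, reporter) -> int:
    """Reports emitted for one inbound message, i.e. the amplification factor."""
    return len(reporter(raw))


if __name__ == "__main__":
    raw = build_attack_message(VICTIM, 20)
    print("naive reports per message:    ", amplification(raw, naive_reports))
    print("coalesced reports per message:", amplification(raw, coalesced_reports))
```

Coalescing removes the per-message multiplier (twenty failed signatures become one report), but it does nothing about John Levine's point that the attacker can just as easily send twenty messages with one bogus signature each; the only lever against that is a per-reported-domain rate limit at the reporter, which this example does not implement.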
