The DSN exploit

On Dec 19, 2005, at 2:28 PM, Frank Ellermann wrote:

> Disrupting v=spf1 at this point also spells doom for SMTP. What we'll now get is SMTP-3, a new SMTP without most NDNs. Only a few pockets of resistance with an SPF sender policy will still say that NDNs are good IFF you reject SPF FAILs.

Perhaps not.

Return-paths with a unique tag could mitigate a too common DSN exploit used to evade source filtering. Ensuring an auto-response adopts consistent conventions where return-paths use either "MAILER-DAEMON@*" or "<>" addresses, and where return-path tag removal happens at the MDA when delivered (or published into on-line archives) would improve upon the success of this strategy. Part of this tag may carry tracking information that could be used to locate sources of replay abuse. (DKIM will suffer similar problems.)

Rather than hoping for critical mass or strategies to coerce adoption by a substantial portion of email domain owners, the domain implementing the return-path tagging reaps benefits immediately, allowing incremental adoption. Tagging does not demand an inordinate overhead be imposed upon the recipient which could deter valid DSNs. Even checking the "authorization" address lists will often be found open-ended. Authorization may also unfairly shift the burdens created by open-ended gaps onto the email address domain owner, rather than the actual sender.

With respect to offering more discriminate source identification, ensuring EHLO verification by a single DNS lookup could resolve much of the collateral issues associated with the use of the remote IP address as the source identifier. A lightweight name-based reputation check may also leverage the granularity offered by DKIM.

(Who knows, perhaps the same public-key used to sign the message could also sign a portion of the domain name and the /29 of the IP address. Only a single lookup would then be needed for both.) : )

-Doug
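
The return-path tagging sketched in the message above, as an added worked example; this is not code from the thread, from Doug, or from any IETF specification. It assumes a tag format of my own choosing (prefix "rpt", a decimal expiry day, an alphanumeric tracking field and a truncated HMAC-SHA256), a per-domain secret, and a 7-day bounce window; the addresses and envelopes are constructed. The outbound MAIL FROM is rewritten to the tagged form, an inbound message whose sender is "<>" or MAILER-DAEMON@* is treated as an auto-response and accepted only if the tagged recipient verifies, and the tag is stripped at delivery so the original address reaches the mailbox or archive. The tracking field is carried in the tag so a replayed or forged bounce can be traced back to the mailing that produced the address.

```python
"""Return-path tagging against fake DSNs (added example, not from the thread)."""
import hashlib
import hmac
import re
from datetime import date

# Per-domain secret; a real MTA would load and rotate this from config.
SECRET = b"constructed-demo-secret-do-not-reuse"   # constructed value
PREFIX = "rpt"          # hypothetical marker for tagged local-parts
TTL_DAYS = 7            # how long a tagged address accepts bounces
MAX_TTL_DAYS = 30       # refuse any expiry further ahead than this
TAG_RE = re.compile(r"^%s=(\d+)-([A-Za-z0-9]+)-([0-9a-f]{12})=(.+)$" % re.escape(PREFIX))
DEMO_TODAY = date(2005, 12, 19)   # date of the message this example follows


def _split(addr):
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        raise ValueError("address needs local@domain: %r" % addr)
    return local, domain


def _mac(expiry, tracking, original):
    # MAC binds expiry, tracking field and the untagged address together.
    msg = "%d|%s|%s" % (expiry, tracking, original.lower())
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()[:12]


def tag_return_path(addr, tracking, today, ttl_days=TTL_DAYS):
    """Rewrite the outbound MAIL FROM / Return-Path to its tagged form."""
    if not re.fullmatch(r"[A-Za-z0-9]+", tracking):
        raise ValueError("tracking field must be alphanumeric")
    local, domain = _split(addr)
    expiry = today.toordinal() + ttl_days
    return "%s=%d-%s-%s=%s@%s" % (PREFIX, expiry, tracking,
                                   _mac(expiry, tracking, addr), local, domain)


def verify_tagged(addr, today):
    """Return (ok, original_address, tracking, reason) for a tagged recipient."""
    local, domain = _split(addr)
    m = TAG_RE.match(local)
    if not m:
        return False, None, None, "untagged"
    expiry, tracking, mac, orig_local = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    original = "%s@%s" % (orig_local, domain)
    if today.toordinal() > expiry:
        return False, original, tracking, "expired"
    if expiry - today.toordinal() > MAX_TTL_DAYS:
        return False, original, tracking, "expiry too far ahead"
    if not hmac.compare_digest(mac, _mac(expiry, tracking, original)):
        return False, original, tracking, "bad mac"
    return True, original, tracking, "ok"


def is_dsn_sender(mail_from):
    """Null reverse-path or MAILER-DAEMON@* marks an auto-response / DSN."""
    s = mail_from.strip()
    if s in ("", "<>"):
        return True
    return s.strip("<>").lower().startswith("mailer-daemon@")


def strip_tag(addr):
    """At the MDA: hand the original address to the mailbox or archive."""
    local, domain = _split(addr)
    m = TAG_RE.match(local)
    return "%s@%s" % (m.group(4), domain) if m else addr


def accept_inbound(mail_from, rcpt_to, today):
    """Decision for one envelope: ('accept', delivered_address) or ('reject', reason)."""
    if is_dsn_sender(mail_from):
        ok, original, tracking, reason = verify_tagged(rcpt_to, today)
        if not ok:
            return "reject", reason        # bounce to an address we never sent from
        return "accept", original          # tracking would be logged here for tracing
    return "accept", strip_tag(rcpt_to)    # ordinary mail: deliver, tag or not


def days_after(today, n):
    return date.fromordinal(today.toordinal() + n)


def demo():
    """Constructed envelopes for a list at example.org; returns label -> decision."""
    tagged = tag_return_path("list-bounces@example.org", "m0042", DEMO_TODAY)
    tampered = tagged.replace("-m0042-", "-m0043-")   # altered tracking field breaks the MAC
    return {
        "real bounce, tagged": accept_inbound("<>", tagged, DEMO_TODAY),
        "fake bounce, untagged": accept_inbound("MAILER-DAEMON@mx.example.net",
                                                "list-bounces@example.org", DEMO_TODAY),
        "fake bounce, tampered": accept_inbound("<>", tampered, DEMO_TODAY),
        "late bounce, tagged": accept_inbound("<>", tagged, days_after(DEMO_TODAY, 8)),
        "normal mail, untagged": accept_inbound("alice@example.com",
                                                "list-bounces@example.org", DEMO_TODAY),
        "normal mail, tagged": accept_inbound("alice@example.com", tagged, DEMO_TODAY),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print("%-24s %s" % (label, decision))
```

The point of the example is the asymmetry Doug describes: only the domain that tags its own return-paths needs to change anything, and it gains the filter immediately, because a fake bounce aimed at an untagged or expired address is rejected at RCPT TO without any cooperation from the sending side. Ordinary mail to the same addresses is unaffected.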

_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf