
List:       full-disclosure
Subject:    Re: [Full-disclosure] Email Security
From:       "Gary E. Miller" <gem () rellim ! com>
Date:       2005-12-30 7:22:55
Message-ID: Pine.LNX.4.64.0512292242350.885 () catbert ! rellim ! com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yo Nick!

On Fri, 30 Dec 2005, Nick FitzGerald wrote:

> > Sorry to actually talk about security here, but this has been bugging
> > me for a while.  Check out the headers in the email I just got from
> > this list below.
>
> If you think DomainKeys has anything to do with "security" you either
> have no clue what DomainKeys is and does or what security is...

Well it does authenticate that any email I send was sent from an email
server authorized to send mail for my domain.  Authentication is
certainly not all of security, but it is a part of security.  Any email
NOT DomainKey signed by keys in my DNS did NOT come from me.  Sure it
can be hacked, but so can a 4 digit PIN.  It just does a good enough job
much of the time.

> If you think DomainKeys has anything to do with spam then you clearly
> have no grip on what spam is,

I agree with you and do not think that DomainKeys will really limit spam
at all.  I got 11k+ spam over the Xmas holiday that slipped in under
the 8 point limit I set on SpamAssassin.  Email servers I manage reject
dozens, even hundreds of emails a second as spam.  So I clearly have a
large sample to play with.

I do believe that DomainKeys will limit blow-back.  I have medium sized
email servers that get 4x more bounces than email sent!  That is because
the spammers use those domain names to forge totally made up From
addresses.

Then a lot of stupid mail servers bounce the spam back to me instead of
refusing it in the first place or shoving it back to the real sender.
If those idiot admins could use DomainKeys they would know to just trash
that email and not send it back to me.  Sadly I know most of them will
never bother to maintain their email server, but we gotta try.

Another advantage of DomainKeys will be that I can finally trust my
whitelist again.  My personal domain whitelist used to work real well.
Then the spammers used email addresses pilfered from my friends' address
books and the whitelist lost much of its usefulness.  I may not be able to
trust yahoo.com to not send spam, but I trust that if yahoo signs an
email for a yahoo address that is my friend's then it is likely legit
email.

As soon as some mailing lists, like FD, get DomainKeys right then I
would encourage any mail server getting email purportedly from me that
is not properly DomainKey signed to discard it with prejudice.  That
alone would stop a lot of tech support calls about how I keep sending
out virii.

Yes I would rather folks check out the gpg signing I always use.  I
would like it if I could send more gpg encrypted emails.  But for some
reason it has not caught on.  If we can get something simple widely
deployed then we can educate folks to want the good stuff later on.

> why we have it and the totally trivial
> "fix" the major spammers will make to totally subvert DomainKeys (and
> SPF and Sender ID and all other weak "authentication" methods suggested
> by morons who want to stop spam but have equally little grip as you on
> what spam is and why we have it).

Yes, it is an arms race.  I have my RBLs, my DCC, my Razor, my Pyzor,
my TMDA, my SpamAssassin and each worked for a little while until some
of the Spammers figured out how to end run them.  For now, when I add a
DomainKey check to my SA rules the quality of the spam filtering goes
up a little.  If more people sign it will go up a bit more.  I'll take
whatever I can get.

When I take the filters down for an hour I get a huge number of
complaints, and my inbox gets flooded, so I know they still do a lot of
good.  Each one is flawed, but when taken as a whole it all helps.

Still, I would be interested to hear how you can spoof my DomainKeys.
Please educate us.  Better yet, send me an email that pretends to be
from me with a valid DomainKey.  If there is a hole in the proposed RFC
let's find out about it now.

RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
	gem@rellim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDtOBT8KZibdeR3qURAnWtAJwNhEr2DP9lDsmirJ5peynu2fHp/ACfbk/g
fA5NqOey6+DbJ3TDcEJwu5w=
=WBYa
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
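
The blow-back handling described in the message above, sketched as an added example (not part of the original post and not code from any DomainKeys implementation). Assumptions: the function names are hypothetical, the sample messages are constructed, the sender's policy TXT record (`o=-` meaning the domain signs all its mail) has already been fetched from `_domainkey.<domain>`, and the cryptographic check of the signature is done by the MTA and passed in as `sig_verified`.

```python
from email import message_from_string
from email.utils import parseaddr

def parse_tags(value):
    """Split a 'k=v; k=v' tag list (signature header or policy TXT record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags["".join(key.split())] = "".join(val.split())  # drop folding whitespace
    return tags

def covers(signing_domain, from_domain):
    """True if d= equals the From domain or is a parent domain of it."""
    s, f = signing_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return bool(s) and (f == s or f.endswith("." + s))

def disposition(raw_msg, policy_txt, sig_verified):
    """Return 'authenticated', 'discard' (drop, never bounce) or 'unverified'.

    policy_txt   -- TXT record at _domainkey.<from-domain>, '' if none published
    sig_verified -- outcome of the MTA's signature check (assumed input)
    """
    msg = message_from_string(raw_msg)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    sig = parse_tags(msg.get("DomainKey-Signature", ""))
    if sig_verified and covers(sig.get("d", ""), from_domain):
        return "authenticated"      # safe to match against a whitelist
    signs_all = parse_tags(policy_txt).get("o", "~") == "-"
    # The domain says it signs everything, so this From is forged. A bounce
    # would only land on the forgery victim, so drop the mail instead.
    return "discard" if signs_all else "unverified"

# Constructed sample messages (example.com, placeholder signature value).
SIGNED = (
    "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=sel1; d=example.com;\n"
    "  h=From:Subject; b=Y29uc3RydWN0ZWQ=\n"
    "From: Alice <alice@example.com>\n"
    "Subject: hello\n\nbody\n"
)
FORGED = "From: Alice <alice@example.com>\nSubject: invoice\n\nbody\n"

if __name__ == "__main__":
    print(disposition(SIGNED, "o=-", True))    # authenticated
    print(disposition(FORGED, "o=-", False))   # discard
    print(disposition(FORGED, "", False))      # unverified
```

Mail that comes back as 'unverified' still goes through the normal spam filters; only the 'discard' case is certain enough to drop without a bounce.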