
List:       ietf
Subject:    The DSN exploit
From:       Douglas Otis <dotis () mail-abuse ! org>
Date:       2005-12-20 2:14:31
Message-ID: 304804E0-1AB7-4280-B77B-B0F50FB0F82F () mail-abuse ! org


On Dec 19, 2005, at 2:28 PM, Frank Ellermann wrote:

> Disrupting v=spf1 at this point also spells doom for SMTP.  What
> we'll now get is SMTP-3, a new SMTP without most NDNs.  Only a few
> pockets of resistance with an SPF sender policy will still say that
> NDNs are good IFF you reject SPF FAILs.

Perhaps not.

Return-paths with a unique tag could mitigate a too common DSN
exploit used to evade source filtering.  Ensuring an auto-response
adopts consistent conventions where return-paths use either
"MAILER-DAEMON@*" or "<>" addresses, and where return-path tag removal
happens at the MDA when delivered (or published into on-line
archives) would improve upon the success of this strategy.  Part of
this tag may carry tracking information that could be used to locate
sources of replay abuse.  (DKIM will suffer similar problems.)

Rather than hoping for critical mass or strategies to coerce adoption  
by a substantial portion of email domain owners, the domain  
implementing the return-path tagging reaps benefits immediately,  
allowing incremental adoption.  Tagging does not demand an inordinate  
overhead be imposed upon the recipient which could deter valid DSNs.   
Even checking the "authorization" address lists will often be found  
open-ended.  Authorization may also unfairly shift the burdens  
created by open-ended gaps onto the email address domain owner,  
rather than the actual sender.

With respect to offering more discriminate source identification,  
ensuring EHLO verification by a single DNS lookup could resolve much  
of the collateral issues associated with the use of the remote IP  
address as the source identifier.  A lightweight name-based  
reputation check may also leverage the granularity offered by DKIM.

(Who knows, perhaps the same public-key used to sign the message  
could also sign a portion of the domain name and the /29 of the IP  
address.  Only a single lookup would then be needed for both.) : )

-Doug
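The return-path tagging Doug describes, worked through as an added example (this is not code from the message, nor from any mail-abuse.org implementation): a keyed HMAC tag is appended to the sender's local part, an inbound SMTP check applies only to auto-responses (a null return-path "<>" or "MAILER-DAEMON@*"), and the tag is stripped again at delivery. The tag layout, the seven-day validity window, the key and the addresses are assumptions chosen for the example; the tracking field Doug mentions is not modelled.

```python
import hashlib
import hmac
import re
import time

# Constructed demo key: a real deployment keeps this secret and rotates it.
SECRET_KEY = b"constructed-demo-secret"
VALIDITY_DAYS = 7  # assumed window during which a tag is accepted

# Assumed tag layout: local+rp<days-since-epoch>.<16 hex of HMAC>@domain
TAG_RE = re.compile(
    r"^(?P<local>[^@+]+)\+rp(?P<day>\d{5})\.(?P<mac>[0-9a-f]{16})@(?P<domain>[^@]+)$"
)


def _days_now():
    return int(time.time() // 86400)


def _mac(local, domain, day, key):
    # Bind the tag to the address and the issue day so it cannot be moved
    # to another mailbox or replayed indefinitely.
    msg = f"{local.lower()}|{domain.lower()}|{day}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def tag_return_path(address, day=None, key=SECRET_KEY):
    """Produce the tagged MAIL FROM address for outbound mail."""
    local, domain = address.rsplit("@", 1)
    if day is None:
        day = _days_now()
    return f"{local}+rp{day:05d}.{_mac(local, domain, day, key)}@{domain}"


def validate_tagged_rcpt(address, today=None, key=SECRET_KEY):
    """Return the untagged address if the tag is genuine and unexpired, else None."""
    m = TAG_RE.match(address)
    if not m:
        return None
    local, domain = m["local"], m["domain"]
    day, mac = int(m["day"]), m["mac"]
    if today is None:
        today = _days_now()
    if not 0 <= today - day <= VALIDITY_DAYS:
        return None  # expired or issued in the future
    if not hmac.compare_digest(mac, _mac(local, domain, day, key)):
        return None  # forged or copied from another address
    return f"{local}@{domain}"


def strip_tag(address):
    """Tag removal at the MDA, so the tag never reaches the mailbox or archives."""
    m = TAG_RE.match(address)
    return f"{m['local']}@{m['domain']}" if m else address


def is_auto_response(mail_from):
    """The conventions Doug names: null return-path or MAILER-DAEMON@*."""
    mf = mail_from.strip()
    return mf in ("", "<>") or mf.lstrip("<").lower().startswith("mailer-daemon@")


def decide_at_smtp(mail_from, rcpt_to, today=None, key=SECRET_KEY):
    """Policy at RCPT TO: auto-responses must be addressed to a valid tag."""
    if not is_auto_response(mail_from):
        return "accept"  # ordinary mail: the tag check does not apply
    return "accept" if validate_tagged_rcpt(rcpt_to, today, key) else "reject"


if __name__ == "__main__":
    outbound = tag_return_path("alice@example.com")
    print("tagged MAIL FROM:", outbound)
    print("genuine DSN  ->", decide_at_smtp("<>", outbound))
    print("forged DSN   ->", decide_at_smtp("<>", "alice@example.com"))
    print("delivered as ->", strip_tag(outbound))
```

Because only the tagging domain holds the key, a bounce addressed to an untagged or mis-tagged mailbox is rejected at RCPT TO without any cooperation from the remote site, which is the incremental-adoption property Doug points to; the validity window bounds replay of a harvested tag, and rejection at SMTP time (rather than after acceptance) keeps the domain from generating backscatter of its own.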

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf