Re: [Asrg] misconception in SPF

Rich Kulawiec <rsk@gsp.org> Mon, 10 December 2012 14:56 UTC

Date: Mon, 10 Dec 2012 09:56:27 -0500
From: Rich Kulawiec <rsk@gsp.org>
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Message-ID: <20121210145627.GA21217@gsp.org>
References: <20121206212116.10328.qmail@joyce.lan> <50C1A95A.5000001@pscs.co.uk> <50C4A7F8.3010201@dcrocker.net> <CAFdugamTbTirVV2zXKOmc9oTaCS+QiTemhT=jvYJnHYscHQK7g@mail.gmail.com> <0D79787962F6AE4B84B2CC41FC957D0B20ACE6D0@ABN-EXCH1A.green.sophos> <20121209213307.D90C12429B@panix5.panix.com> <CAFduganBR_E-ui-3Xbic6F7qSmg1-Q+ideXLvb+1isLz8OF0Nw@mail.gmail.com> <0D79787962F6AE4B84B2CC41FC957D0B20ACFFE1@ABN-EXCH1A.green.sophos> <50C5A9A0.105@pscs.co.uk> <0D79787962F6AE4B84B2CC41FC957D0B20AD01B2@ABN-EXCH1A.green.sophos>

On Mon, Dec 10, 2012 at 01:47:18PM +0000, Martijn Grooten wrote:
> While not all bad things that can happen as a consequence of taking a
> fake email to be real involve clicking links, I agree it would be very
> helpful if we could somehow determine the legitimacy of links at the
> MTA/MUA level.
> 
> However, we can't. [...]

Precisely.  Moreover, there is no way to know that a link L, which is
good/legitimate/wholesome/nutritious at the moment at which some piece
of software examines it, will still be in that state at some later moment
when a user accesses it.  We see examples all day, every day, of sites
that have been hijacked by attackers and now host malicious content where
formerly there was something innocuous.

I think the best approach to solving this problem is not to solve this
problem.  Hmmm...perhaps "best" is a poor choice of words, as what I'm
about to suggest is, in practice, mediocre; but I'll stick with "best"
because I think it's the best available.

To wit: users should never follow "important" links in email.  They
should (for example) bookmark their bank's web site, and *always*
use the bookmark. [1]  Senders should never send "important" links
in email, e.g., banks should not include URLs in their messages.

I'll pause now while you all enjoy a hearty laugh at the prospect
of both of these things happening.

But the serious side is that the problem, as Martijn observes,
is unsolvable with software, so if we want to truly deal with it,
then (shudder) we need to deal with human behavior.

And I really do know how hard that is: I often quote Marcus Ranum's
Six Dumbest Ideas in Computer Security, and "Educating Users" is #5.
But I don't think we have any better alternatives.  Do we?

---rsk

[1] Of course if the bookmark is altered by an attacker, they're
already 0wned, so this is no worse.