Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: aCritical Review
Alessandro Vesely <vesely@tana.it> Wed, 27 May 2009 17:47 UTC
Return-Path: <vesely@tana.it>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1C0143A6C76 for <asrg@core3.amsl.com>; Wed, 27 May 2009 10:47:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.341
X-Spam-Level:
X-Spam-Status: No, score=-0.341 tagged_above=-999 required=5 tests=[AWL=0.128, BAYES_00=-2.599, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, URIBL_GREY=0.25]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w8oX92WE8cYq for <asrg@core3.amsl.com>; Wed, 27 May 2009 10:47:46 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) by core3.amsl.com (Postfix) with ESMTP id 44B653A6E58 for <asrg@irtf.org>; Wed, 27 May 2009 10:46:15 -0700 (PDT)
Received: from [172.25.197.158] (pcale.tana [172.25.197.158]) (AUTH: CRAM-MD5 ale@tana.it, TLS: TLS1.0, 256bits, RSA_AES_256_CBC_SHA1) by wmail.tana.it with esmtp; Wed, 27 May 2009 19:46:30 +0200 id 00000000005DC039.000000004A1D7C76.00004B4C
Message-ID: <4A1D7C8A.5060407@tana.it>
Date: Wed, 27 May 2009 19:46:50 +0200
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <003d01c9dd01$bf3531d0$800c6f0a@china.huawei.com> <4A1A45BA.5030704@swin.edu.au> <3be421270905250718y5d62f6d5odb6f2bebecf418d0@mail.gmail.com>
In-Reply-To: <3be421270905250718y5d62f6d5odb6f2bebecf418d0@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: aCritical Review
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2009 17:47:48 -0000
Amir Herzberg wrote: > http://amir.herzberg.googlepages.com/somerecentpapers. I've marked a number of snippets where reading faltered. Most of them are typos or language doubts (my English barely supports me) while some may stir some discussion... I just paste that stuff below, hoping some of it may help you better your paper. format: "---" snippet empty-line "(" comment ")" --- extremely low-cost, especially when sending ‘bulk’ mail (formally incorrect, the cost doesn't usually decrease with scale) --- Spam: there are different definitions of spam; we use the term spam to refer to email sent to many recipients (‘bulk’), who have not expressed desire to receive it. (This also includes "legal" advertising, with variations on the extent to which providing one's email address expresses the desire to receive advertisements. Zombie-based spam is a different beast) --- These mechanisms use the DNS system (in different ways), to securely identify the sender (drop /securely/...) --- SIDF: The Sender-ID Framework (SDIF) (typo) --- In particular, we make the following observations and recommendations (Perhaps s/particular/conclusion/? All observation are unjustified at this point. It is not obvious for a reader whether this is an executive's summary and the recommendations will be derived later. BTW, I'd suggest to relegate part of the introductory material to some appendixes, so as to get to the core without interruptions) --- There is also a side-benefit: eliminating unnecessary filtering, esp. the computationally intensive and imprecise content-based filtering. (This stance disagrees with the recommendation "Do not filter emails based solely on SPF, DKIM and/or SIDF failures" a few lines below. The side-benefit is probably limited to _help_ eliminating content-based filtering...) --- it is recommended that senders would mark their use of SPF in the email envelope, (How? Possibly using VHLO or other non-standard protocol extension?) --- e.g. www.foo.org. (www.example.com is more canonical) --- an the top is a set of root DNS (typo, an=and) --- Reverse DNS (rDNS) record [...] However, notice that small organizations [...] ownership of the corresponding rDNS entries. (s/However, notice that/Depending on the "reseller",/: When choosing an ISP for connecting a mail server, would you recommend to consider how do they arrange for rDNS and whois? Also, s/ownership/delegation/. Isn't it worth to mention "PTR"?) --- Blacklist DNS records (should note that DNSBL are not authoritative/hierarchical) --- DNS Security. The DNS provides an open directory service[...] ("DNS vulnerabilities" may be a more appropriate subtitle) --- Bob’s MUA, MUABob, picks up email from the MDA. (formally incorrect, it picks it up from the mailbox where the MDA delivered it.) --- When the MUA is an application running on the same machine as the MDA, mail pickup is done via the file system. (not necessarily; in addition, MDAs may run LMTP or any other network transport) --- either using either an appropriate web-mail form, or using a mail pickup protocol, typically either (too many "either", rewording is advisable) --- S/MIME [27] and OpenPGP [12], use public key encryption and signatures to provide end-to-end protection of the confidentiality and authenticity of email (Not necessarily end-to-end: I've heard of ESPs who crypt messages at the MDA stage, in order to grant confidentiality to their IMAP mailbox storage. It may be mentioned that eavesdropper who work at the ESP's are difficult to guard against, if the question or trusting one's ESP is raised.) --- but can do use a fake domain (is "can do" syntactically correct?) --- claiming to be an outgoing MTA of a.com (formally incorrect, SMTP doesn't allow a sender to say whose domain it belongs to --again, unless using VHLO) --- cannot do not have (is that syntactically correct?) --- cannot intercept the ISN sent by the other party, therefore it can only guess the (RFC1948 is of 1996, Vulnerability Note VU#498440 is of 2002, so TCP should now be safe. However, RFC 3552 of 2003 still considers blind attacks... Is it because old hardware may still be vulnerable?) --- not all companies and ISPs enforce port 25 blocking. (This is a good occasion to recommend port 587) --- SPF validation is performed using the email address specified by the sending MTA in the HELO directive, identifying the domain that the sending MTA belongs to. ("email address" is formally incorrect, EHLO specifies a host name) --- which IP addresses it intents to use (typo) --- spf1.0 +IP4 : 1:2:3:4 all (typos) --- The receiving mail agent (MUA or MTA) evaluates the terms (Here you assume that MUAs can learn IP addresses parsing the Received headers and then carry out SPF checks --see discussion with Doug) --- aa.bb.cc= 1.2.3.4 (typo) --- Fig. 2 (The policy says ~all, different than the text) --- if Bob is an MTA and transfers the email (if Bob's MTA accepts the email message) --- ‘fake bounces’ are sometimes referred to as ‘Joe-job attack’ ("backscatter" is also a frequently used term) --- However, this implies that the recipient will consider this email as originating from foo.org. (formally incorrect, most recipients consider the "From" header instead) --- This will allow the recipient to avoid ‘false positives’ (incorrectly blocking valid mail for spam/phishing) (SPF checking is typically done at the MAIL FROM stage, much before Authentication-results has a chance of being evaluated) --- the receivers still have to make two DNS queries. (didactic style requires to explain they are one for TXT and one for SPF) --- we can place the policy record in an arbitrary DNS record controlled by the sender (this proposal to change the SPF specs should be identified as such; BTW, rewriting rfc4408 is somewhat overdue) --- retrieving the policy record policy from DNS. (typo) --- One clear conclusion here is that the receiving MTA should use a dedicated DNS proxy (Well, this is a good advice also for performance reasons. However, it is not clear if you intend to suggest using multiple DNS proxies, e.g. a different one for outgoing mail, host maintenance and auto upgrades, nearby clients, etcetera.) --- Based on experimental works on phishing [10, 16], we low detection rates (who is "we"?) --- SIDF records specify the relevant identifier (or identifiers) by the MFROM and PRA keywords (Those keywords define the so-called "scope" of SIDF checking. Using such term may result in better wording of the following text, where it is explained that incompatibility stems from defining an incompatible default scope) --- In addition, both proposals required complex key-management (key-management is never simple. Certainly, it is not because of that complexity that so few clients can handle PGP. The fact is that classical encryption has been retrofitted, while DKIM is email-born. They can be viewed as complementary, though) --- these standards do not define how a sender can specify that all of its email is signed (Instead of "specify", terms such as "announce" or "publish" are not misunderstood as operative configuration rules) --- (d) support for signing email headers (what about "support for signing a signer-chosen selection of email headers"?) --- 19. Kucherawy, M.: Message Header Field for Indicating Message Authentication Status. Internet draft draft-kucherawy-sender-auth-header-15 (2008) (this is now RFC 5451, April 2009)
- [Asrg] DNS-based Email Sender Authentication Mech… Amir Herzberg
- Re: [Asrg] DNS-based Email Sender Authentication … Dave CROCKER
- Re: [Asrg] DNS-based Email Sender Authentication … Steve Atkins
- [Asrg] 答复: DNS-based Email Sender Authentication … Sean Shen
- Re: [Asrg] ´ð¸´: DNS-based Email Sender Authentic… grenville armitage
- Re: [Asrg] DNS-based Email Sender Authentication … Jose-Marcio Martins da Cruz
- Re: [Asrg] ´ð¸´: DNS-based Email Sender Authentic… Amir Herzberg
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … der Mouse
- Re: [Asrg] DNS-based Email Sender Authentication … John Leslie
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Amir Herzberg
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Jose-Marcio Martins da Cruz
- Re: [Asrg] DNS-based Email Sender Authentication … Chris Lewis
- Re: [Asrg] DNS-based Email Sender Authentication … Amir Herzberg
- Re: [Asrg] DNS-based Email Sender Authentication … Jose-Marcio Martins da Cruz
- Re: [Asrg] DNS-based Email Sender Authentication … Alessandro Vesely
- Re: [Asrg] DNS-based Email Sender Authentication … Dave CROCKER
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Chris Lewis
- Re: [Asrg] DNS-based Email Sender Authentication … Alessandro Vesely
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … der Mouse
- Re: [Asrg] rDNS Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Chris Lewis
- Re: [Asrg] rDNS der Mouse
- Re: [Asrg] DNS-based Email Sender Authentication … John Levine
- [Asrg] DNS over SCTP (was: Re: DNS-based Email Se… Alessandro Vesely
- Re: [Asrg] rDNS Alessandro Vesely
- Re: [Asrg] DNS over SCTP Alessandro Vesely
- Re: [Asrg] DNS over SCTP Alessandro Vesely
- Re: [Asrg] DNS over SCTP (was: Re: DNS-based Emai… SM
- Re: [Asrg] DNS over SCTP Douglas Otis
- Re: [Asrg] rDNS der Mouse
- Re: [Asrg] rDNS Alessandro Vesely
- Re: [Asrg] DNS over SCTP Alessandro Vesely
- Re: [Asrg] DNS over SCTP Alessandro Vesely
- Re: [Asrg] rDNS der Mouse
- Re: [Asrg] DNS-based Email Sender Authentication … Florian Weimer
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS over SCTP Douglas Otis
- Re: [Asrg] rDNS discrimination Alessandro Vesely
- Re: [Asrg] DNS over SCTP (was: Re: DNS-based Emai… Stephane Bortzmeyer
- Re: [Asrg] DNS over SCTP Stephane Bortzmeyer
- Re: [Asrg] DNS over SCTP David Conrad
- Re: [Asrg] DNS over SCTP Paul Wouters
- Re: [Asrg] DNSSEC is NOT secure end to end Thierry Moreau
- Re: [Asrg] DNS over SCTP David Conrad
- Re: [Asrg] DNS over SCTP Masataka Ohta
- Re: [Asrg] DNS over SCTP Michael Tüxen
- Re: [Asrg] DNS over SCTP Paul Wouters
- Re: [Asrg] DNS over SCTP (was: Re: DNS-based Emai… Francis Dupont
- Re: [Asrg] DNS over SCTP Francis Dupont
- Re: [Asrg] DNS over SCTP David Conrad
- Re: [Asrg] DNS over SCTP Francis Dupont
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Bill Manning
- Re: [Asrg] DNS-based Email Sender Authentication … Florian Weimer
- Re: [Asrg] DNSSEC is NOT secure end to end Francis Dupont
- Re: [Asrg] DNSSEC is NOT secure end to end Christian Huitema
- Re: [Asrg] DNS-based Email Sender Authentication … Douglas Otis
- Re: [Asrg] DNS-based Email Sender Authentication … Amir Herzberg
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Paul Wouters
- Re: [Asrg] DNSSEC is NOT secure end to end Richard Barnes
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Richard Barnes
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Thierry Moreau
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Thierry Moreau
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Mark Andrews
- Re: [Asrg] DNSSEC is NOT secure end to end (more … Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Christian Huitema
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Doug Otis
- Re: [Asrg] DNSSEC is NOT secure end to end Paul Wouters
- Re: [Asrg] DNSSEC is NOT secure end to end Doug Otis
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- [Asrg] RISC is end to end (was Re: DNSSEC is NOT … Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end David Wilson
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end Masataka Ohta
- Re: [Asrg] DNSSEC is NOT secure end to end der Mouse
- Re: [Asrg] DNS over SCTP Alessandro Vesely