Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: a Critical Review

"Chris Lewis" <clewis@nortel.com> Wed, 27 May 2009 19:17 UTC

Return-Path: <CLEWIS@nortel.com>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0E73B3A6A7E for <asrg@core3.amsl.com>; Wed, 27 May 2009 12:17:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.024
X-Spam-Level:
X-Spam-Status: No, score=-6.024 tagged_above=-999 required=5 tests=[AWL=-0.575, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SARE_CHILDPRN1=1.15]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UiOlnvYED2uh for <asrg@core3.amsl.com>; Wed, 27 May 2009 12:17:02 -0700 (PDT)
Received: from zcars04e.nortel.com (zcars04e.nortel.com [47.129.242.56]) by core3.amsl.com (Postfix) with ESMTP id CE1703A68D7 for <asrg@irtf.org>; Wed, 27 May 2009 12:17:01 -0700 (PDT)
Received: from zrtphxs1.corp.nortel.com (casmtp.ca.nortel.com [47.140.202.46]) by zcars04e.nortel.com (Switch-2.2.0/Switch-2.2.0) with ESMTP id n4RJFsS25266 for <asrg@irtf.org>; Wed, 27 May 2009 19:15:55 GMT
Received: from zrtphx5h0.corp.nortel.com ([47.140.202.65]) by zrtphxs1.corp.nortel.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 27 May 2009 15:17:01 -0400
Received: from [47.129.150.171] (47.129.150.171) by zrtphx5h0.corp.nortel.com (47.140.202.65) with Microsoft SMTP Server (TLS) id 8.1.340.0; Wed, 27 May 2009 15:17:00 -0400
Message-ID: <4A1D91A5.9040707@nortel.com>
Date: Wed, 27 May 2009 15:16:53 -0400
From: Chris Lewis <clewis@nortel.com>
Organization: Nortel
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090302 Lightning/0.9 Thunderbird/2.0.0.21 Mnenhy/0.7.6.666
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <003d01c9dd01$bf3531d0$800c6f0a@china.huawei.com> <4A1A45BA.5030704@swin.edu.au> <3be421270905250718y5d62f6d5odb6f2bebecf418d0@mail.gmail.com> <4A1D7C8A.5060407@tana.it> <200905271821.OAA20063@Sparkle.Rodents-Montreal.ORG>
In-Reply-To: <200905271821.OAA20063@Sparkle.Rodents-Montreal.ORG>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-OriginalArrivalTime: 27 May 2009 19:17:01.0283 (UTC) FILETIME=[B645E330:01C9DEFF]
Subject: Re: [Asrg] DNS-based Email Sender Authentication Mechanisms: aCritical Review
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 May 2009 19:17:03 -0000

der Mouse wrote:

>> ‘fake bounces’ are sometimes referred to as ‘Joe-job attack’
>>
>> ("backscatter" is also a frequently used term)
> 
> It's not clear from the context available to me whether "fake bounces"
> in the original refers to mail forged to look like bounces, or bounces
> of forged mail.  Neither one is what I understand a joe-job to be: my
> understanding of a joe-job is the attacker forging the victim's domain
> into from fields, either envelope or header.  The bounces resulting
> from sending joe-job mail to nonworking addresses are the second kind
> of "fake bounces", but a joe-job is not the same thing as the fallout
> from a joe-job.  (My understanding of "backscatter" is that it refers
> to the second kind of "fake bounces".  I've also heard/seen it called
> "blowback", though I'm not sure how reasonable that is compared to
> other uses of the word.)

Within context, "fake bounces" is more correctly referring to 
backscatter.  "joe-job" is a different concept altogether, and more 
refers to a specific _intent_ of the forgery.  Not all joe-jobs can 
cause backscatter.

As such, "are sometimes referred to as ‘Joe-job attack’" is incorrect.

A "Joe-job" is intended to cause (often purely reputational) harm to the 
joe-jobbee (the forged person).  The message _itself_ may yield no 
direct benefit to the "joe-jobber" (the person doing the forgery).

It may not be the From address.  It could be links or the text of the 
email.  Etc.

For example, let's say you got a gmail address, and sent out, without 
faking any addresses, the following email:

--------------------------------------------------
Hi, I'm Chris Lewis, I'm a member of NAMBLA, and am looking for child 
porn.  You can reach me at <my real address>
---------------------------------------------------

This is a joe job.  But it can't "fake bounce"/backscatter.  Any bounces are 
"real".

Forging the MAIL FROM line to have my real address means that it can 
"fake bounce"/backscatter.  It's still a joe-job too.

Not all "fake bounces"/"backscatter" are joe-jobs and vice-versa.

As a natural consequence of phishing (attempting to fool the recipient 
into giving their credentials away, and the forger derives direct 
benefit from the email), the MAIL FROM address will often be of the 
phished bank.  But it doesn't need to be, and very often isn't.  Of 
course SPF only helps when it _is_ the phished bank in the MAIL FROM 
address (or the phisher is stupid enough to forge some _other_ domain 
that has conflicting SPF).
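The last paragraph's point, that SPF is evaluated against the MAIL FROM (envelope) domain and so says nothing about a From: header that names the bank, can be made concrete with a small evaluator. The following is an added example written for this archive page; it is not code from the post or from any SPF implementation. It assumes a hypothetical in-memory DNS zone with constructed domains (`bank.example`, `mailer.example`) and RFC 5737 documentation addresses, and it implements only the `ip4` and `all` mechanisms of SPF, which is enough to show the three cases the post describes.

```python
# Added example (not part of Chris Lewis's post): a teaching-subset SPF
# evaluator over a constructed, in-memory "DNS" zone. It shows that SPF
# checks the MAIL FROM domain only, so a forged From: header is not covered.
import ipaddress

# Constructed zone: hypothetical domains, RFC 5737 documentation address ranges.
FAKE_DNS_TXT = {
    "bank.example": "v=spf1 ip4:192.0.2.0/24 -all",      # the phished bank
    "mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",  # some unrelated sender
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Stand-in for a DNS TXT lookup (assumption: the constructed zone above)."""
    return FAKE_DNS_TXT.get(domain.lower())


def check_spf(client_ip, mail_from_domain):
    """Evaluate the sending IP against the MAIL FROM domain's SPF record.

    Teaching subset: only 'ip4:' and 'all' mechanisms with +/-/~/? qualifiers.
    Real SPF also has a, mx, include, redirect, exists, macros and lookup
    limits; none of that changes the point that only MAIL FROM is consulted.
    Returns one of 'pass', 'fail', 'softfail', 'neutral', 'none'.
    """
    record = lookup_spf(mail_from_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published for the envelope domain
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            # An IPv6 client never matches an ip4 mechanism.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term == "all":
            matched = True
        else:
            continue  # mechanism outside this subset; skip it
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term present


def domain_of(address):
    """Domain part of an RFC 5321/5322 address, lower-cased."""
    return address.rsplit("@", 1)[1].lower()


def assess(message):
    """message: dict with 'client_ip', 'mail_from' (envelope) and 'header_from'.

    Returns the SPF verdict and whether that verdict even concerns the domain
    the recipient sees in From:. Simple equality of the two domains is used
    here (an assumption of this example, not an SPF rule).
    """
    envelope_domain = domain_of(message["mail_from"])
    return {
        "spf": check_spf(message["client_ip"], envelope_domain),
        "from_header_covered": envelope_domain == domain_of(message["header_from"]),
    }


# Constructed sample messages illustrating the post's three situations.
CASES = {
    # Bank forged into MAIL FROM, sent from an address the bank did not list: SPF fails.
    "forged_mail_from": {"client_ip": "203.0.113.7",
                         "mail_from": "alerts@bank.example",
                         "header_from": "alerts@bank.example"},
    # Phisher's own domain in MAIL FROM with a valid record, bank only in From:.
    # SPF passes, and the pass says nothing about the header the user reads.
    "attacker_own_domain": {"client_ip": "198.51.100.5",
                            "mail_from": "bounce@mailer.example",
                            "header_from": "alerts@bank.example"},
    # Genuine bank mail from an authorized address.
    "legit": {"client_ip": "192.0.2.10",
              "mail_from": "alerts@bank.example",
              "header_from": "alerts@bank.example"},
}

if __name__ == "__main__":
    for name, msg in CASES.items():
        print(name, assess(msg))
```

Only the first case is one where SPF "helps" in the post's sense: the envelope domain is the bank's and the record rejects the sending address. The second case gets a clean SPF pass, which is exactly why a receiver that treats "SPF pass" as "the From: header is genuine" is misreading the result; SPF's verdict is about the envelope domain alone.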