IETF Logo Mail Archive

Re: [ietf-822] one can re-sign without a permission to re-sign header

Ned Freed <ned.freed@mrochek.com> Sat, 26 April 2014 14:43 UTC

Return-Path: <ned.freed@mrochek.com>
X-Original-To: ietf-822@ietfa.amsl.com
Delivered-To: ietf-822@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1469B1A0656 for <ietf-822@ietfa.amsl.com>; Sat, 26 Apr 2014 07:43:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.274
X-Spam-Level:
X-Spam-Status: No, score=-2.274 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.272, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rya-NAK-A-Tw for <ietf-822@ietfa.amsl.com>; Sat, 26 Apr 2014 07:43:48 -0700 (PDT)
Received: from mauve.mrochek.com (mauve.mrochek.com [66.159.242.17]) by ietfa.amsl.com (Postfix) with ESMTP id 017C51A0691 for <ietf-822@ietf.org>; Sat, 26 Apr 2014 07:43:48 -0700 (PDT)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01P73EQNV2K0000T9F@mauve.mrochek.com> for ietf-822@ietf.org; Sat, 26 Apr 2014 07:38:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mrochek.com; s=mauve; t=1398523119; bh=PisAcD/+e40J5XThqt85xWAmgwo3AfjS4Z8AZvdwcyc=; h=Cc:Date:From:Subject:In-reply-to:References:To; b=Rt1TI263ePHfmCqsZBl3biCsD2dz2GWHt2/+sKSHAKm4BJ+pzesxY3UesW3EaU+8n kOfUzrj57JxW9RU24YSlwoJUnOAVXSHbZMr6rwcUprPXrjmYg95WwAX74uAo1gY9bR i66WDxp/IebeULDrJyyKmPWoG/27XRx4MmEbwPdI=
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET="iso-8859-1"
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01P714CWLY4W000052@mauve.mrochek.com>; Sat, 26 Apr 2014 07:38:36 -0700 (PDT)
Message-id: <01P73EQM1PKQ000052@mauve.mrochek.com>
Date: Sat, 26 Apr 2014 07:24:24 -0700
From: Ned Freed <ned.freed@mrochek.com>
In-reply-to: "Your message dated Sat, 26 Apr 2014 12:31:35 +0200" <535B8B07.6090307@tana.it>
References: <535646AA.2080400@pscs.co.uk> <20140422202403.42908.qmail@joyce.lan> <01P6Y9IJSOEG000052@mauve.mrochek.com> <535B8B07.6090307@tana.it>
To: Alessandro Vesely <vesely@tana.it>
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf-822/yuog4BbKq5BEoNXTJ-U0-re-zyg
Cc: ietf-822@ietf.org
Subject: Re: [ietf-822] one can re-sign without a permission to re-sign header
X-BeenThere: ietf-822@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion of issues related to Internet Message Format \[RFC 822, RFC 2822, RFC 5322\]" <ietf-822.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-822>, <mailto:ietf-822-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf-822/>
List-Post: <mailto:ietf-822@ietf.org>
List-Help: <mailto:ietf-822-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-822>, <mailto:ietf-822-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Apr 2014 14:43:50 -0000

s> On Wed 23/Apr/2014 00:13:15 +0200 Ned Freed wrote:
> > [...]
> >>> I know people think I'm wrong, but I think it needs to be looked at a
> >>> different way. As a recipient, I don't want 'proof' that this message
> >>> came from Alessandro, I want 'proof' that it came from the
> >>> ietf-822@ietf.org mailing list.
> >
> >> I think you're right.
> >
> > I concur as well.

> Eh?  I agree a /receiver/ can do a better job by considering mailing
> list messages as an already filtered/moderated mail stream, rather
> than a collection of independent messages.  Talking domain-level
> authentication, even the local part is irrelevant.  As a /recipient/,
> however, the list where a message came from, ietf-822, ietf-smtp, or
> whatever, is a rather circumstantial attribute of a message.  I
> obviously care much more about who says what in which thread...

You're conflating completely different things here. We're talking about
assessing the validity of a message, not about the value of the content of
different valid messages.

And the fact is that essentially every mailing list I'm on - and I'm on a lot
of them run by a lot of different organizations - is very good at blocking junk
mail. As such, knowing that a message came from one of the lists I'm on - even
if I don't recognize the person posting or the topic they're posting about - is
more than enough to tell me that the message isn't garbage.

And not to be catty or anything, but this indicator is far more reliable than
getting a DKIM-signed message from, say, yahoo.com or aol.com. Indeed, on this
point, the SANS Digest had this to say about the situation at AOL:

  --AOL Locks Down Servers After Spam Deluge
  (April 22 & 23, 2014)
  Users have recently noticed a higher than usual volume of spam coming
  from AOL email addresses. AOL has now locked down its email servers to
  quell a spoof attack that is generating large quantities of spam. AOL
  has implemented a more stringent email validation process that instructs
  mailbox providers to reject email that appears to be associated with an
  AOL domain if the message did not originate from an AOL server. Reports
  also say that AOL Mail was breached and some accounts hijacked.
  http://www.theregister.co.uk/2014/04/23/aol_mail_locks_down_email_servers_to_deal_with_tsunami_of_spam/
  http://www.cnet.com/news/aol-imposes-stricter-email-rules-to-stem-spoofing-attack/
  http://threatpost.com/aol-email-hacked-by-spoofers-to-send-spam/105629   
  [Editor's Note (Murray): Received one from a neighbor and one from a
  family member on the same day.  I see these often enough that I have a
  standard reply.  "If you did not send the message below, your e-mail
  account may be compromised. Please change your password.  Recipients of
  your message who clicked on the embedded URL may have compromised their
  systems."]

Like Murray, I see these messages often enough that I have a standard reply to
them.

> >> I've said for years that lists should sign their mail with their
> >> own DKIM keys, and recipients should look at those list
> >> signatures to filter the mail.
> >
> > I'm not even sure that's necessary, but of course it can't hurt.
> > Indeed, right now, with the exception of IETF lists, having a
> > signature makes the odds it's spam more, not less, likely.

> SPF authentication covers most subscribers, but not those who have
> their mail forwarded to different sites (unless the forwarders use
> SRS).  DKIM signatures survive forwarding.

Sometimes they do, sometimes they don't. Depends on a lot of factors.

> Neither method is useful
> for DMARC because the domain being authenticated is that of the
> mailing list, which is aligned with "To:" rather than "From:".

> Is it possible to introduce "To:" as a _secondary identifier_ in the
> DMARC mechanism?  In that case a weak DKIM signature could be the
> element which authorizes receivers to use the secondary identifier.

Maybe, but I doubt very much this would be useful. Indeed, the reason we're in
this mess is because DMARC attaches semantic restrictions to the From: field.
Attaching more semantics to more header fields does not seem like a move in the
right direction to me. I'd much rather pursue Pete's approach.

				Ned

v2.23.0 | Report a Bug | By Email