Re: [Simple] <note> in IMDN

Eric Burger <eburger@sipforum.org> Fri, 30 May 2008 01:39 UTC

Return-Path: <simple-bounces@ietf.org>
X-Original-To: simple-archive@megatron.ietf.org
Delivered-To: ietfarch-simple-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DC49028C1A1; Thu, 29 May 2008 18:39:07 -0700 (PDT)
X-Original-To: simple@core3.amsl.com
Delivered-To: simple@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 56D4828C16E for <simple@core3.amsl.com>; Thu, 29 May 2008 18:39:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mTYhTYD8wuy0 for <simple@core3.amsl.com>; Thu, 29 May 2008 18:39:05 -0700 (PDT)
Received: from sipforum.org (sc-cert.sipforum.org [216.154.220.125]) by core3.amsl.com (Postfix) with ESMTP id 3C9A028C1B1 for <simple@ietf.org>; Thu, 29 May 2008 18:39:05 -0700 (PDT)
Received: from [192.168.15.100] (c-75-68-119-237.hsd1.nh.comcast.net [75.68.119.237]) by sipforum.org (8.13.1/8.13.1) with ESMTP id m4U1clTm010175; Thu, 29 May 2008 21:38:57 -0400
Message-Id: <EAB09349-FF71-4F40-BD97-4DA0CF434CD1@sipforum.org>
From: Eric Burger <eburger@sipforum.org>
To: Dean Willis <dean.willis@softarmor.com>
In-Reply-To: <98C2A548-551C-45D3-BA94-444A4A9E7E70@softarmor.com>
Mime-Version: 1.0 (Apple Message framework v919.2)
Date: Thu, 29 May 2008 21:38:50 -0400
References: <1660532724-1210725948-cardhu_decombobulator_blackberry.rim.net-784864713-@bxe033.bisx.prod.on.blackberry> <66cd252f0805131939t6569dab7r45d8ced20471a157@mail.gmail.com> <77384F67-E82C-483C-B555-665BFAF02D4E@standardstrack.com> <66cd252f0805132138m23aa3f42kf01ce0dcb7c42181@mail.gmail.com> <3092F25A-A072-4952-9C44-8C639B1925E2@softarmor.com> <4834C22B.1000407@cisco.com> <AD5C512E-842F-48F3-8824-03EE8A7F7905@sipforum.org> <48374058.3030601@cisco.com> <C06ADE83-1F99-43F5-BC50-DEE465B0F0F5@sipforum.org> <483743F6.8060903@cisco.com> <76ABB500-A11B-4BF3-93CE-85BD6CAD0EC8@sipforum.org> <98C2A548-551C-45D3-BA94-444A4A9E7E70@softarmor.com>
X-Mailer: Apple Mail (2.919.2)
Received-SPF: softfail (sipforum.org: domain of transitioning eburger@sipforum.org does not designate 75.68.119.237 as permitted sender) receiver=sipforum.org; client-ip=75.68.119.237; helo=[192.168.15.100]; envelope-from=eburger@sipforum.org; x-software=spfmilter 0.97 http://www.acme.com/software/spfmilter/ with libspf2-1.0.0;
Cc: simple@ietf.org
Subject: Re: [Simple] <note> in IMDN
X-BeenThere: simple@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP for Instant Messaging and Presence Leveraging Extensions <simple.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/simple>, <mailto:simple-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/simple>
List-Post: <mailto:simple@ietf.org>
List-Help: <mailto:simple-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/simple>, <mailto:simple-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: simple-bounces@ietf.org
Errors-To: simple-bounces@ietf.org

Don't forget the last little bit: not only does it open a vector for  
delivering a spam payload, but it has no value in the white hat case.

On May 29, 2008, at 12:41 PM, Dean Willis wrote:

>
> On May 25, 2008, at 7:57 AM, Eric Burger wrote:
>
>> Almost all of the fields in IMDN are verbatim copies of the IM, which
>> means an automaton can filter spoofed IMDNs.  Just about all of the
>> fields have some protocol semantic value.  However, the <note> field
>> is a spam delivery vector that has no protocol value.  That is my
>> issue with it: no value *and* a method to introduce spam.  That does
>> not sound like a winning combination.
>
> A lot of the spam on the IETF servers comes from forged "bounce"  
> messages. If a message looks like a bounce sent in response to a  
> message that might have come from the IETF list, it is very  
> difficult to weed out. For example, as sip-owner, I get a couple of  
> hundred forged bounce spams a day. Does IMDN share this property? It  
> feels to me like it might. Now personally, I wanted IMDN totally  
> banned from the deliverables; it has proven to be a nightmare in the  
> email world, and I bet it is going to cause us grief. But if we must  
> do it, let's make it as safe as possible.
>
> The unconstrained MIME body is a related problem. Since it is there  
> in an IMDN, it could be populated with stuff of the sender's choosing.
>
> Much more so than some arbitrary quoted-string in a SIP header, a  
> MIME note body (just like a MIME message body) is likely to get  
> parsed out and handed over to the OS-registered handler for the  
> associated MIME type. Many of those handlers have security flaws.
>
> So are we building an attack vector that can't readily be stopped by  
> spam-defense techniques and that is likely to result in malicious  
> code execution? Just how smart is that?
>
> --
> Dean
>
>
>
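The receiver-side filtering Eric describes above (IMDN fields are copies of the original IM, so a spoofed IMDN can be rejected mechanically, while `<note>` carries nothing that can be checked) as an added example; this is not code from the thread or from any IMDN implementation. It correlates each incoming IMDN against an outbox of IMs the client actually sent, the same idea as dropping bounce messages that reference mail you never sent. The element names follow the IMDN XML format; the placement of `<note>`, the outbox shape, and every message-id, URI and timestamp are constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IMDN_NS = "urn:ietf:params:xml:ns:imdn"


@dataclass(frozen=True)
class SentIM:
    """One IM this client sent, recorded when it was sent (assumed outbox record)."""
    message_id: str
    recipient: str      # URI the IM was addressed to
    sent_at: datetime   # timezone-aware


# Constructed outbox: the only IM we have sent, so the only IMDN we should accept.
SENT = {
    "34jk324j": SentIM("34jk324j", "im:bob@example.com",
                       datetime(2008, 5, 29, 16, 0, tzinfo=timezone.utc)),
}


def _child_text(root, tag):
    el = root.find(f"{{{IMDN_NS}}}{tag}")
    return el.text.strip() if el is not None and el.text else None


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}note' -> 'note'."""
    return tag.rsplit("}", 1)[-1]


def check_imdn(xml_text, sent, max_age=timedelta(days=7)):
    """Return the list of problems found; an empty list means the IMDN
    matches an IM we sent and carries no free-text payload."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return ["malformed-xml"]
    if root.tag != f"{{{IMDN_NS}}}imdn":
        return ["not-an-imdn"]

    # message-id must be one we generated: forged IMDNs referencing
    # messages we never sent are dropped outright.
    original = sent.get(_child_text(root, "message-id"))
    if original is None:
        problems.append("unknown-message-id")
    else:
        # recipient-uri is copied from the IM, so it must match our record.
        if _child_text(root, "recipient-uri") != original.recipient:
            problems.append("recipient-mismatch")
        # A disposition cannot predate the IM, nor arrive unreasonably late.
        when = _child_text(root, "datetime")
        try:
            ts = datetime.fromisoformat(when) if when else None
        except ValueError:
            ts = None
        if (ts is None or ts.tzinfo is None
                or ts < original.sent_at or ts > original.sent_at + max_age):
            problems.append("implausible-datetime")

    # <note> has no protocol semantics and cannot be correlated with anything,
    # so its presence alone is flagged, wherever it sits in the tree.
    if any(_local(el.tag) == "note" for el in root.iter()):
        problems.append("free-text-note")
    return problems


def strip_notes(xml_text):
    """Return the IMDN with every <note> element removed, so nothing
    free-form reaches the user interface or a MIME handler."""
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) == "note":
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


# Constructed samples (assumed schema layout for <note>).
GOOD_IMDN = """<imdn xmlns="urn:ietf:params:xml:ns:imdn">
  <message-id>34jk324j</message-id>
  <datetime>2008-05-29T12:05:00-04:00</datetime>
  <recipient-uri>im:bob@example.com</recipient-uri>
  <original-recipient-uri>im:bob@example.com</original-recipient-uri>
  <delivery-notification><status><delivered/></status></delivery-notification>
</imdn>"""

SPOOFED_IMDN = """<imdn xmlns="urn:ietf:params:xml:ns:imdn">
  <message-id>never-sent-0001</message-id>
  <datetime>2008-05-29T12:05:00-04:00</datetime>
  <recipient-uri>im:bob@example.com</recipient-uri>
  <delivery-notification><status><delivered/>
    <note>unsolicited free-text the receiver never asked for</note>
  </status></delivery-notification>
</imdn>"""

MISMATCH_IMDN = """<imdn xmlns="urn:ietf:params:xml:ns:imdn">
  <message-id>34jk324j</message-id>
  <datetime>2008-05-20T12:05:00-04:00</datetime>
  <recipient-uri>im:mallory@example.net</recipient-uri>
  <delivery-notification><status><delivered/></status></delivery-notification>
</imdn>"""

if __name__ == "__main__":
    for name, doc in (("good", GOOD_IMDN), ("spoofed", SPOOFED_IMDN), ("mismatch", MISMATCH_IMDN)):
        print(name, check_imdn(doc, SENT))
```

The outbox lookup is what makes the check cheap: every field the IMDN copies from the IM is compared against state the sender already holds, so a forger who never saw the original has nothing to copy. `strip_notes` is the fallback if a deployment cannot reject notes outright.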

_______________________________________________
Simple mailing list
Simple@ietf.org
https://www.ietf.org/mailman/listinfo/simple