Re: [Asrg] [Fwd: Yahoo! Mail Publishes Specification for DomainKeys]
Quoting Matthew Elvey (matthew at elvey.com):
>
> DK requires orders of magnitude more
> work to adopt, though not as much as SPF+SRS.
Nod.
>
> DK is about as reliant on blacklists/reputation services as other
> proposals. Without them, CSV is not easier for a spammer to circumvent
> than DK or SPF. They all require that something be put in a DNS entry
> for a domain that costs approximately nothing to put there beyond the
> cost of the domain itself. DKs aren't signed by CAs, remember.
> Exploit: A spammer would have control of the DNS server for the
> responsible domain, and a BotNet spamming node would spam with a valid
> DK. The DK would be in the zombie worm that created the BotNet, or even
> communicated via IRC.
>
> So, I think DK is shown to be about as trivial to circumvent as the 40%
> solution / CSV+++.
Unless I'm missing something I think it's even easier to circumvent
and Yahoo! seems to agree:

6.5 Envelope audit
[ To be discussed: Identify the preconditions in the base document
that allow for envelope auditing to protect against replay and
joe-jobs ]

All that is signed is what is received by the signing MTA. Get a
Yahoo! throwaway account. Send email from Yahoo! to yourself at
another account. Strip headers added in transit and you have a DK
signed message that can be wrapped in a new envelope and it will
verify as signed by Yahoo!.

If widely adopted, DK or something like it might go a long way
towards stopping phishing. But the phisher can still register a
domain that looks like paypal.com, valued-paypal-customer.com, and
sign that himself and the naive user will still get sucked into the
fraud.

John Capo
Tuffmail.com
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
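
An added example, not part of the original post or of the DomainKeys specification: a receiver-side sketch of why a content-only signature verifies under any envelope, with one possible envelope audit beside it. The HMAC stand-in for the RSA signature, the demo key, the sample message and the "recipient must appear in To/Cc" heuristic are all assumptions made for illustration.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in: real DomainKeys uses an RSA key pair with the public
# half published in DNS. HMAC with a demo key keeps this stdlib-only.
DEMO_KEY = b"constructed-demo-key"

# Constructed sample message, as the signing MTA would receive it.
SAMPLE = (
    "From: alice@sender.example\r\n"
    "To: alice@elsewhere.example\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "Message body.\r\n"
)

def sign(raw):
    """The signature input is the message content only (headers and body)."""
    return hmac.new(DEMO_KEY, raw.encode(), hashlib.sha256).hexdigest()

def verify(raw, signature):
    """No envelope parameter exists here, so any envelope verifies."""
    return hmac.compare_digest(sign(raw), signature)

def envelope_audit(raw, rcpt_to):
    """Assumed heuristic: the envelope recipient is named in To or Cc."""
    msg = message_from_string(raw)
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    named = {addr.lower() for _, addr in getaddresses(fields)}
    return rcpt_to.lower() in named

def receive(raw, signature, rcpt_to):
    """Receiving-side decision that combines both checks."""
    if not verify(raw, signature):
        return "reject: bad signature"
    if not envelope_audit(raw, rcpt_to):
        return "flag: valid signature, recipient not in signed headers"
    return "accept"

SIG = sign(SAMPLE)
```

Bcc recipients and mailing-list expansion legitimately fail this heuristic, so the result is a signal to score rather than grounds for rejection.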