[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Asrg] Anti-spam laws do work, FYI. There's proof.

To: asrg at ietf.org
Subject: Re: [Asrg] Anti-spam laws do work, FYI. There's proof.
From: Tony Finch <dot at dotat.at>
Date: Fri, 30 Jul 2004 18:18:04 +0100
In-reply-to: <20040730160519.GB11544@teal.hjp.at>
List-archive: <http://www1.ietf.org/pipermail/asrg>
List-help: <mailto:asrg-request@ietf.org?subject=help>
List-id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-post: <mailto:asrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
References: <16647.6095.144106.617977@world.std.com> <16647.7492.33917.392408@world.std.com> <16647.14947.204106.850244@world.std.com> <044d01c4747c$b414df50$fa4b10ac@fpcad.fujitsupc.com> <4107954C.3000601@queernet.org> <4107954C.3000601@queernet.org> <E1BqC5Y-0000ut-00@chiark.greenend.org.uk> <E1BqC5Y-0000ut-00@chiark.greenend.org.uk>
Sender: asrg-bounces at ietf.org

"Peter J. Holzer" <hjp-asrg at hjp.at> wrote:
>On 2004-07-29 15:40:56 +0100, Tony Finch wrote:
>> Bill Cole <grsa at billmail.scconsult.com> wrote:
>> >
>> > The original SPF/RMX/DRIP proposals broke forwarders, the mess that
>> > MS has proposed and Yahoo's Domain Keys do not. SPF has a workaround
>> > for forwarders.
>>
>> Incorrect. Sender-ID breaks forwarders just as much as SPF does,
>
>No, because it doesn't inspect the envelope but the headers. By looking
>for headers typically inserted by forwarders it avoids some of the
>breakage of SPF. Of course not all forwarders insert such headers, so
>this won't work in all cases (and I wouldn't try to guess at the
>percentage). OTOH, for this reason Sender-ID is much more expensive than
>SPF.
>
>> and it requires all forwarders to implement a change which is in
>> contradiction to RFC 2822
>
>You mean "must not change or inspect headers except insert a
>Received header"? That's true, but many MTAs already break that
>requirement, so practically, that's not much of a change.

Sender-ID requires forwarders to insert Resent- headers. No existing
forwarders do this. This use of Resent- headers is in contradiction
to RFC 2822.

I don't know why you mention Received: headers -- these have
never been part of the PRA algorithm.

>> The alternative to changing all fowarders is a forwarder whitelisting
>> system which eliminates what little security designated sender schemes
>> alledgedly provide.
>
>Depends on the forwarder. If the forwarder also filters on a designated
>sender scheme, it can be whitelisted without reducing security.

If the forwarder gets a virus infection you've lost any protection
provided by Sender-ID.

>If it doesn't, you could still use the Received header inserted by the
>forwarder instead of the forwarder's IP address (for sender-id you have
>to inspect the headers anyway, so that's only a small additional
>expense).

Believing Received: headers is a security hole. They are frequently forged.

Tony.
-- 
f.a.n.finch  <dot at dotat.at>  http://dotat.at/
RATTRAY HEAD TO BERWICK ON TWEED: VARIABLE 1 TO 3. OCCASIONAL RAIN AND
DRIZZLE, MIST AND FOG PATCHES. MODERATE OR POOR WITH FOG PATCHES. SLIGHT OR
SMOOTH.

_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

Follow-Ups:
- Re: [Asrg] Anti-spam laws do work, FYI. There's proof.
  - From: Peter J. Holzer

References:
- RE: [Asrg] Anti-spam laws do work, FYI. There's proof.
  - From: Barry Shein
- RE: [Asrg] Anti-spam laws do work, FYI. There's proof.
  - From: Barry Shein
- Re: [Asrg] Anti-spam laws do work, FYI. There's proof.
  - From: Barry Shein
- Re: [Asrg] Anti-spam laws do work, FYI. There's proof.
  - From: George Ou
- Re: [Asrg] Anti-spam laws do work, FYI. There's proof.
  - From: Roger B.A. Klorese
- Re: [Asrg] Anti-spam laws do work, FYI. There's proof.
  - From: Tony Finch
- Re: [Asrg] Anti-spam laws do work, FYI. There's proof.
  - From: Peter J. Holzer

Prev by Date: Re: [Asrg] Re: Why SPF?
Next by Date: Re: [Asrg] Re: Why SPF?
Previous by thread: Re: [Asrg] Anti-spam laws do work, FYI. There's proof.
Next by thread: Re: [Asrg] Anti-spam laws do work, FYI. There's proof.
Index(es):
- Date
- Thread