Brandon Long writes:
> I like the "in-band optimizer" since it gives me more
> confidence... but maybe that's being naive as well, if they
> compromise a domain to get on our whitelist, are they really going
> to be deterred in working around a weak signature?

Once they've compromised a domain on your whitelist, they can send as
much spam as they like to pretty much anywhere as long as they don't
care if the actual recipient is a visible addressee (they can't change
To: or Cc: without breaking the signature). They can, of course, send
to any visible recipient as well. You could sign From: in the token
signature, which would restrict them to a specific author as well.

If you're worried about that (and I think compromise of delegate
domains is a genuine worry), there are a number of mitigations you
could apply as a mailbox provider.

1. Sign From: in the token signature so that the abuser can't spoof
arbitrary users in your domain. This may break some mailing
lists, but all of the use cases I know of put a mailbox not in
your domain in there anyway.
2. Make your users register the addresses they want to delegate to.
(You'll actually delegate to the domain, of course, but you'll
only sign for those addresses, not others at that domain.) Always
use explicit delegate lists, containing only registered addresses.
3. Check that those addresses are mailing lists (you can do this in
the guise of helping users register by checking for List-Post in
their incoming traffic, then offering those lists at registration
time). As Hector points out in a different thread, mailing lists
are probably the main use case for DKIM-Delegate, since it's not
possible to have a valid DKIM-Delegate field in an "on behalf of"
message originating at a third party.
4. Restrict to one addressee (total) for delegated mail, to avoid
providing any acquaintance information in the addressees except
the list itself.

Of course, this doesn't restrict abusers from spamming/phishing anybody
they want (they only need one copy of a message signed at the delegate
domain to arrive at their botnet, then they can send it verbatim), but
(1) it appears to be a specific list's post, which makes it easy for
victims (or their mailbox providers) to filter in the future (To and
Cc should be signed, of course), (2) for almost all recipients (i.e.,
anybody who didn't subscribe to the list) they won't recognize any
recipients, so the probability of content-based filtering becomes
*much* higher, (3) the user in From: is also almost certainly unknown
to anybody who isn't a genuine subscriber to the list, bumping the
probability of filtering again, I would think, and (4) although your
user appears in "From:", the security breach is clearly at the list
domain, not your fault (this last is purely PR, of course; it doesn't
make anybody who gets spam that spoofs your user feel better).

Also, the token signature expires fairly quickly, so the spammers will
need to be continuously harvesting list domains. But the 30,000
list-providing domains are probably much harder targets than the
3,000,000,000 user contact lists.

Taken altogether, I think this raises spammer costs a lot, and
probably weakens the contact-list-based attack dramatically.

Steve
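The policy gate that mitigations 1 to 4 describe, as an added example that is not part of Steve's message or of any DKIM-Delegate draft: it decides whether a mailbox provider should issue a token signature for an outbound message at all. The domain, the per-user delegate registry, the List-Post observations and the sample messages are constructed, and the real DKIM-Delegate header syntax is deliberately not modelled.

```python
from email import message_from_string
from email.utils import getaddresses
from typing import Tuple

# Constructed sample data: the provider's own domain, the per-user registry
# of delegate addresses (mitigation 2) and the list addresses already seen
# in List-Post headers of the user's incoming mail (mitigation 3).
OUR_DOMAIN = "example.com"
REGISTERED = {"alice@example.com": {"dmarc-list@lists.example.org"}}
KNOWN_LISTS = {"dmarc-list@lists.example.org"}
# Headers the token signature must cover: From: (mitigation 1) plus To/Cc.
TOKEN_SIGNED_HEADERS = ("From", "To", "Cc")


def _addresses(msg, *names):
    """All addresses found in the named headers, lower-cased."""
    raw = []
    for name in names:
        raw.extend(msg.get_all(name, []))
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def delegation_decision(raw_message: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for issuing a token signature."""
    msg = message_from_string(raw_message)
    senders = _addresses(msg, "From")
    if len(senders) != 1 or not senders[0].endswith("@" + OUR_DOMAIN):
        return False, "From: must be exactly one address in our domain"
    author = senders[0]
    rcpts = _addresses(msg, "To", "Cc")
    if len(rcpts) != 1:  # mitigation 4: one addressee in total
        return False, "delegated mail may carry exactly one addressee"
    target = rcpts[0]
    if target not in REGISTERED.get(author, set()):  # mitigation 2
        return False, "addressee is not a registered delegate for this user"
    if target not in KNOWN_LISTS:  # mitigation 3
        return False, "addressee has never appeared as a List-Post target"
    return True, "issue token signature over " + ", ".join(TOKEN_SIGNED_HEADERS)


# Constructed outbound messages exercising each rule.
OK_MSG = "From: Alice <alice@example.com>\nTo: dmarc-list@lists.example.org\n\nhi\n"
TWO_RCPT_MSG = ("From: Alice <alice@example.com>\nTo: dmarc-list@lists.example.org\n"
                "Cc: bob@example.net\n\nhi\n")
UNREGISTERED_MSG = "From: alice@example.com\nTo: other@lists.example.org\n\nhi\n"
FOREIGN_FROM_MSG = "From: mallory@example.net\nTo: dmarc-list@lists.example.org\n\nhi\n"

if __name__ == "__main__":
    for sample in (OK_MSG, TWO_RCPT_MSG, UNREGISTERED_MSG, FOREIGN_FROM_MSG):
        print(delegation_decision(sample))
```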
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc