On 5/6/15 6:44 AM, MH Michael Hammer (5304) wrote:
>> -----Original Message-----
>> From: dmarc [mailto:[email protected]] On Behalf Of Stephen J.
>> Turnbull
>> Sent: Wednesday, May 06, 2015 4:23 AM
>> To: Scott Kitterman
>> Cc: [email protected]
>> Subject: Re: [dmarc-ietf] OpenDKIM ADSP, DMARC and ATPS support
>>
>> Scott Kitterman writes:
>>
>> > Approximately as soon as list-id enables DMARC bypass,
>>
>> It never will. (BTW, it's List-Post that's relevant.) It's the
>> subscriber's action of posting to the list that enables the bypass.
>> That means that a successful attack of the kind that triggered the April
>> Fiasco requires an iterated phish: first you have to phish *me* to post to
>> your list, then you need to modify my post to phish *Murray*.
>>
>> If you have an alternative threat model in mind, please explain it.
>>
> One that comes to mind immediately is compromise existing list(s) (MLM) used
> by target audience and then modify posts as desired. It may be that the
> modification would be for only one or a few recipients.
>
> I'm sure there are other mechanisms if a little thought is put into it.

Dear Mike,
Any mail sent from a DMARC domain where content is not vetted can serve to phish anyone. Remember, DKIM does not constrain the number of replays or who the eventual recipients are. A phishing risk primarily relates to visual appearances. As such, typical appearances give most mailing lists that are not DMARC compatible high marks by tagging the Subject header field and adding headers or footers.

The real problem in using double-signature schemes is that expiry will be long enough to support significantly large campaigns that can't be stopped even after being detected unless DKIM signatures are pulled. Then of course, this creates nasty DNS handling issues and potentially high levels of collateral damage.

At least with TPA-Label, the DMARC domain remains in control using fairly static TPA-Label zones. The TPA-Label zone can be separate from the zones used for everything else by the DMARC domain, which can act as a natural source for domain reputation managed directly or indirectly by the sending domain. You'd be amazed how few resources this strategy requires.

Regards,
Douglas Otis

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
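An added example, not from the thread or any of its participants, illustrating the replay window Douglas refers to: a receiver-side check that parses the t= and x= tags of a DKIM-Signature and reports how long a captured message would keep verifying, plus a hypothetical local lifetime policy. The header value is constructed.

```python
import re

# Constructed sample DKIM-Signature value (not from the thread); t= and x=
# are Unix timestamps 30 days apart, and b= is folded across a line.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
    "\th=from:to:subject:date:list-post; t=1430900000; x=1433492000;\r\n"
    "\tbh=dGVzdA==; b=c2ln\r\n\t bg=="
)


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 tag-list),
    stripping folding whitespace from values as a verifier does for b=/bh=."""
    tags = {}
    for item in header_value.split(";"):
        name, sep, value = item.strip().partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def replay_window(tags, now):
    """How long a captured message stays verifiable: a verifier only rejects
    the signature once now > x=; until then any number of replays pass."""
    t = int(tags["t"]) if "t" in tags else None
    x = int(tags["x"]) if "x" in tags else None
    if x is None:
        # No x= tag: the signature never expires on its own, so only pulling
        # the selector's key from DNS ends replays (the collateral-damage case).
        return {"status": "no_expiry", "lifetime": None, "remaining": None}
    remaining = x - now
    return {
        "status": "valid" if remaining > 0 else "expired",
        "lifetime": (x - t) if t is not None else None,
        "remaining": remaining,
    }


def exceeds_lifetime_policy(tags, max_lifetime=7 * 86400):
    """Flag a signature whose window (or lack of one) leaves room for a long
    replay campaign; max_lifetime is a hypothetical local policy value."""
    lifetime = replay_window(tags, now=0)["lifetime"]
    return lifetime is None or lifetime > max_lifetime
```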
