On Mon, Oct 19, 2009 at 09:09:09AM -0400, Larry Seltzer wrote:
>
>> All such [sender-authentication] systems have *already* been defeated
>> by The Bad Guys....
>
> When was DKIM defeated?
Well before it was launched: the existence of the zombies (and thus the corresponding number of compromised sets of mail credentials) means that attackers can forge messages at will. Merely DKIM-signing them at an outbound gateway provides no assurance at all that they actually are from who they claim to be from. (And this is presuming that the gateway system itself isn't zombie'd, which of course some of them are.)

And as to whether or not a sending host is legitimate, once you disqualify all hosts without rDNS, all hosts without matching DNS/rDNS, and all hosts with generic/dynamic rDNS, what's left is almost always recognizable as correct/incorrect based on rDNS alone. In other words, when I get spam from n6b.bullet.mail.tp2.yahoo.com, as I quite often do thanks to Yahoo's incompetence and negligence, I really don't need DKIM to tell me that yes, it really did come from them.

The bottom line is that -- at the moment -- email forgery cannot be solved, no matter what technology is deployed, because the underlying infrastructure is rotten to the core.

---Rsk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
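The three rDNS filters described in the reply above (no PTR record, PTR that does not resolve back to the connecting address, and generic or dynamic-looking PTR names) are the kind of policy an inbound MTA can apply before looking at DKIM at all. The following is an added example, not code from the poster or the funsec list, showing one way to implement that triage. It runs offline against constructed forward and reverse tables standing in for DNS; every hostname and address in the tables is invented for the example, and the generic-name heuristics are assumptions about what ISP-assigned labels look like rather than any standard.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed reverse (PTR) and forward (A) tables so the example runs without
# live DNS.  All names and addresses below are invented for this example.
PTR_TABLE: Dict[str, List[str]] = {
    "192.0.2.10": ["mx1.example.net"],              # proper, matching rDNS
    "192.0.2.11": ["mail.example.org"],             # PTR exists, forward points elsewhere
    "192.0.2.12": ["192-0-2-12.dyn.isp.example"],   # matches, but generic/dynamic label
    "192.0.2.13": [],                               # no PTR at all
}
A_TABLE: Dict[str, List[str]] = {
    "mx1.example.net": ["192.0.2.10"],
    "mail.example.org": ["198.51.100.5"],
    "192-0-2-12.dyn.isp.example": ["192.0.2.12"],
}

Lookup = Callable[[str], List[str]]


def ptr_lookup(ip: str) -> List[str]:
    """Stand-in for a PTR query; swap in a real resolver in production."""
    return PTR_TABLE.get(ip, [])


def a_lookup(name: str) -> List[str]:
    """Stand-in for an A query for the name returned by the PTR record."""
    return A_TABLE.get(name, [])


# Assumed keyword list: labels commonly used for consumer/dynamic address pools.
GENERIC_WORDS = re.compile(
    r"(^|[.-])(dyn|dynamic|dhcp|pool|ppp|pppoe|dsl|adsl|cable|dialup)([.-]|$)", re.I
)


def looks_generic(name: str, ip: str) -> bool:
    """True if the PTR name reads like an auto-generated per-address label
    (pool keyword, embedded dotted/dashed octets, or hex-encoded address)."""
    if GENERIC_WORDS.search(name):
        return True
    octets = ip.split(".")
    # e.g. 192-0-2-12, 192.0.2.12 or the reversed 12-2-0-192 embedded in the name
    for seq in (octets, list(reversed(octets))):
        pattern = r"(^|[^0-9])" + r"[.-]".join(map(re.escape, seq)) + r"([^0-9]|$)"
        if re.search(pattern, name):
            return True
    # hex-encoded address, e.g. c000020c for 192.0.2.12
    if "".join(f"{int(o):02x}" for o in octets) in name.lower():
        return True
    return False


def classify(ip: str, ptr: Lookup = ptr_lookup, fwd: Lookup = a_lookup) -> Tuple[str, str]:
    """Apply the three checks in order and return (verdict, hostname).

    Verdicts: 'no-rdns', 'rdns-mismatch' (forward-confirmed rDNS failed),
    'generic-rdns', or 'ok'.  Anything 'ok' is then judged by the name itself,
    as the reply above describes, rather than by a DKIM signature.
    """
    names = ptr(ip)
    if not names:
        return ("no-rdns", "")
    # Forward-confirmed rDNS: at least one PTR name must resolve back to the IP.
    confirmed = [n for n in names if ip in fwd(n)]
    if not confirmed:
        return ("rdns-mismatch", names[0])
    if all(looks_generic(n, ip) for n in confirmed):
        return ("generic-rdns", confirmed[0])
    return ("ok", confirmed[0])


if __name__ == "__main__":
    for client_ip in PTR_TABLE:
        verdict, host = classify(client_ip)
        print(f"{client_ip:12} {verdict:14} {host}")
```

The lookups are passed in as parameters so the same classifier can be wired to a real resolver, and the three checks are applied in the order the reply lists them, each one rejecting before the next runs; a host that survives all three is reported as "ok" with its confirmed name, which is the point at which reputation of that name, not DKIM, decides.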
