> [mailto:[EMAIL PROTECTED] On Behalf Of Amir Herzberg
> I have only one real reservation. In section 6.3, discussing
> the message replay attack, esp. in 2nd paragraph... It is
> presented as if DKIM cannot be applied against replay since
> replay is indistinguishable from acceptable acts e.g.
> forwarding. This is not necessarily true. A legitimate
> application of DKIM may require senders to indicate a specific
> recipient; this would allow replay prevention, of course at
> the price of requiring additional support to deal with
> legitimate forwarding.

Actually I think it might work for the limited set of cases where replay is a spam threat. The replay attack is largely limited to public ISPs, in particular free webmail accounts. It may not be a huge burden to these to sign the recipient list. Recipient lists do get changed in flight, of course; forwarders do this. But an intelligent receiver can certainly make some educated guesses, and the level of intelligence required is much less than we already require for our existing spam engine. There is also the policy revocation hack I have described.

> I'm not suggesting DKIM should be
> modified to support that, indeed this is not required at DKIM
> level at all, but I think the text now seems to exclude this
> usage, and this should be fixed imho.

I suggest the text be fixed to say that DKIM does not by itself provide a full and effective control against this attack but may be extended to do so.

> Here are a few additional, minor comments:
>
> 1. You use the term `zombie` without definition in p. 2, then
> `compromised computers` later (in 5.1)... pick one; my
> suggestion: use `zombie` and in the first use, add
> `(compromised computers)`.

I would use the term 'compromised computers'. The less jargon we use the better, particularly in a technical forum. I was in a recent meeting where people were throwing around the term 'pharming'. Thirty minutes into the meeting I realized that people were using two completely different definitions.

> 5. In 5.2.1: last sentence is imho misleading. Such malware
> usually/often does not use the email address of the owner of
> the infected machine, but selects other email addresses as
> sender, to avoid detection. In this case, DKIM may help. I
> also think the term `malware` is better than `worm` here.

In general I would avoid the terms worm and virus because they are now obsolete. The real threats we see today are blended. Distinguishing between the two categories was always rather bogus; now there is no useful distinction. I am particularly sad to see companies treating anti-spyware as a separate category from anti-virus. It's the same crap; one product should do it all.

_______________________________________________
ietf-dkim mailing list
http://dkim.org
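The following is an added illustration of the replay point argued in the first exchange above; it is not code from the thread, from the DKIM drafts or from any DKIM implementation. It models two signing policies for the same message: an h= list that omits To:, under which an identical copy verifies wherever it is replayed, and one that covers To:, under which the receiver can compare the signed recipient list against the SMTP envelope recipient and still accept a known forward. Everything in it is constructed: HMAC over a simplified "relaxed" canonicalisation stands in for DKIM's public-key signature over the selected headers, the `X-Toy-DKIM` header stands in for DKIM-Signature, the addresses are invented, and the `ALIASES` table stands in for whatever forwarding knowledge a real receiver would draw on for its "educated guess".

```python
"""Toy model of recipient binding against DKIM message replay.

Constructed example, not real DKIM: HMAC over a simplified 'relaxed'
canonicalisation stands in for DKIM's public-key signature over the
selected headers, and the alias table stands in for whatever forwarding
knowledge a real receiver has."""
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

SIGNING_KEY = b"constructed-example-key"  # real DKIM: RSA/Ed25519 key published in DNS
SIG_HEADER = "x-toy-dkim"                 # stands in for DKIM-Signature

Header = Dict[str, str]  # lower-cased field name -> value


def canon(value: str) -> str:
    """Simplified 'relaxed' canonicalisation: collapse runs of whitespace."""
    return re.sub(r"\s+", " ", value).strip()


def _digest(headers: Header, fields: List[str]) -> str:
    data = "\r\n".join(f"{f}:{canon(headers.get(f, ''))}" for f in fields)
    return hmac.new(SIGNING_KEY, data.encode(), hashlib.sha256).hexdigest()


def sign(headers: Header, fields: List[str]) -> Header:
    """Attach a signature covering exactly `fields` (DKIM's h= tag).
    Whether 'to' appears in that list is the whole point of the example."""
    fields = [f.lower() for f in fields]
    signed = {k.lower(): v for k, v in headers.items()}
    signed[SIG_HEADER] = f"h={':'.join(fields)}; b={_digest(signed, fields)}"
    return signed


def verify(headers: Header) -> Tuple[bool, List[str]]:
    """Return (signature valid, header fields the signature covers)."""
    sig = headers.get(SIG_HEADER)
    if not sig:
        return False, []
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    fields = tags.get("h", "").split(":")
    ok = hmac.compare_digest(_digest(headers, fields), tags.get("b", ""))
    return ok, fields


def addresses(value: str) -> List[str]:
    """Bare addresses from a To/Cc value such as 'Bob <bob@x>, carol@y'."""
    out = []
    for part in value.split(","):
        m = re.search(r"<([^>]+)>", part)
        addr = (m.group(1) if m else part).strip().lower()
        if addr:
            out.append(addr)
    return out


def check_delivery(headers: Header, envelope_rcpt: str,
                   forwarding_aliases: Dict[str, str]) -> str:
    """Receiver-side policy: verify, then bind signed recipients to RCPT TO."""
    valid, fields = verify(headers)
    if not valid:
        return "reject-bad-signature"
    if "to" not in fields and "cc" not in fields:
        # The signature says nothing about the intended recipient, so an
        # identical copy verifies wherever it is replayed.
        return "accept-unbound"
    signed_rcpts = [a for f in ("to", "cc") if f in fields
                    for a in addresses(headers.get(f, ""))]
    rcpt = envelope_rcpt.lower()
    if rcpt in signed_rcpts:
        return "accept"
    # Educated guess about legitimate forwarding: the envelope recipient is
    # the known forward target of a signed recipient (constructed table).
    if any(forwarding_aliases.get(r) == rcpt for r in signed_rcpts):
        return "accept-forwarded"
    return "suspect-replay"


# Constructed sample message: a webmail account holder sends one mail to a
# recipient, keeps the signed copy, and replays it to other envelope recipients.
MSG = {"from": "Sam <sam@webmail.example>",
       "to": "Bob <bob@example.net>",
       "subject": "Hello"}
UNBOUND = sign(MSG, ["from", "subject"])        # recipient not covered by h=
BOUND = sign(MSG, ["from", "to", "subject"])    # recipient covered by h=
ALIASES = {"bob@example.net": "bob@forward.example"}  # Bob's known forward


if __name__ == "__main__":
    cases = [("replay, unbound h=", UNBOUND, "victim@example.com"),
             ("replay, bound h=", BOUND, "victim@example.com"),
             ("direct delivery", BOUND, "bob@example.net"),
             ("forwarded", BOUND, "bob@forward.example")]
    for label, hdrs, rcpt in cases:
        print(f"{label:20s} -> {check_delivery(hdrs, rcpt, ALIASES)}")
```

The replayer cannot simply rewrite To: to match the new envelope recipient, because To: is now under the signature and the copy then fails verification; the only remaining option is to leave To: as signed, which is exactly the mismatch `check_delivery` flags. The alias lookup is the "educated guess" in its crudest form; a real receiver would have richer forwarding evidence, and the cost of the scheme is precisely the forwarding cases that evidence does not cover.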
