John R. Levine wrote:

> I dunno what that tells us, other than that whatever attack is enabled by
> duplicated headers, it doesn't appear to have happened yet.
Maybe it has, and it is the best kept secret loophole among spammers and spoofers. Maybe there should be more research into the site mail archives to see how much of this was among us, fooling users for a long time. Maybe it slowed down as the larger ISPs or ESPs began to filter invalid RFC 822, 2822/5322 messages, as gmail.com does now. But then again, gmail.com is a relatively new entry.

I can tell you that our 25+ year old mail package, which was one of the top 5 BBS mail packages in the 80s and early 90s, never looked for this as far as I recall, and only recently I added a server script to check for it after discovering why Alt-N modified their API to check for multiple non-hashed From: headers.

Alt-N's input on this was that they did not see any evidence of wide usage, other than the fact that it was a customer report, and they updated their DKIM API to add a "new requirement" for verification: all 5322.From headers must be hashed.

That is why the President Obama message got in here. It had two 5322.From headers, which were signed by my system when it sent the message to Dave's system. Dave's system validated the double From and re-signed without hesitation. However, when I sent the double From without a valid signature, it barfed on the message.

What your research shows is that the problem is REAL. What we don't know is how much it has affected end-users as part of the phishing and spoofing schemes, because I will venture that most systems do not check for this. Thanks to DKIM, now they will, and for the legacy systems adding a DKIM standalone component, the DKIM component MUST also check for this loophole.

--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
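The verifier-side check described in this message, as an added example that is not code from the thread or from any of the products named: a message must carry exactly one 5322.From header, and the DKIM-Signature h= tag must cover every From that is present. The sample messages and signature values are constructed placeholders; no cryptographic verification is performed.

```python
import email
from email.message import Message

# Constructed sample (not from the thread): bh= and b= are fake placeholders.
SINGLE_FROM = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; h=from:to:subject;\n"
    " bh=ZmFrZQ==; b=ZmFrZQ==\n"
    "From: alice@example.org\nTo: bob@example.com\nSubject: hi\n\nbody\n")
# Same message with a second, unsigned 5322.From prepended above the signature.
DOUBLE_FROM = 'From: "Trusted Sender" <ceo@example.org>\n' + SINGLE_FROM
# Signer over-signed From (h=from:from) so any later-added From breaks the hash.
OVERSIGNED = SINGLE_FROM.replace("h=from:to:subject", "h=from:from:to:subject")


def signed_fields(msg: Message) -> list:
    """Return the lowercased h= field list of the first DKIM-Signature ([] if none)."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return []
    # Unfold the header, then walk the tag=value pairs looking for h=.
    for tag in sig.replace("\r", "").replace("\n", "").split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "h":
            return [f.strip().lower() for f in value.split(":") if f.strip()]
    return []


def check_from(raw: str) -> list:
    """Findings a verifier should raise before trusting any DKIM pass result."""
    msg = email.message_from_string(raw)  # get_all keeps duplicate headers
    n_from = len(msg.get_all("From") or [])
    findings = []
    if n_from != 1:
        findings.append(f"rfc5322: expected exactly one From header, found {n_from}")
    # The rule from the thread: every From present must be covered by h=.
    if n_from and signed_fields(msg).count("from") < n_from:
        findings.append("dkim: a From header is not covered by the signature h= tag")
    return findings


def accept(raw: str) -> bool:
    """True only when the message passes both From-header checks."""
    return not check_from(raw)
```

Run `check_from` before (or alongside) signature verification; a clean signature over a message with an unsigned extra From is exactly the case the thread describes.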