>> Isn't the more interesting attack a signature from some throwaway domain >> that covered a matching From: but also contained a From: indicating some >> high-value phish target? > > Not really, no. Signing the From: field means nothing other than that it is > the same as when it was sent. > > I can sign mail with d=blighty.com and "From: [email protected]" without > needing to play any games with multiple headers
Let's say your message has two From lines, one from [email protected], one from [email protected], and you sign the first with d=blurfle.net. Perhaps blurfle.net even publishes discardable ADSP. My concern would be that filtering agents might notice the blurfle header and signature and deem it harmless, but an MUA would show the ebay header. In any event, I think it's reasonable to say that DKIM signers shouldn't sign a message with an extra From or Subject header, and verifiers shouldn't say the signature on such a message is good, even if it validates technically. I dug through my message archives last week, and I don't think I've ever seen a legit message with that flaw, so it's hard to think of a reason to cut such messages any slack. Regards, John Levine, [email protected], Primary Perpetrator of "The Internet for Dummies", Please consider the environment before reading this e-mail. http://jl.ly _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
