funsec mailing list archives
Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups)
From: Rich Kulawiec <rsk () gsp org>
Date: Tue, 20 Oct 2009 07:24:43 -0400
On Mon, Oct 19, 2009 at 09:09:09AM -0400, Larry Seltzer wrote:
> > All such [sender-authentication] systems have *already* been defeated by The Bad Guys....
>
> When was DKIM defeated?
Well before it was launched: the existence of the zombies (and thus the corresponding number of compromised sets of mail credentials) means that attackers can forge messages at will. Merely DKIM-signing them at an outbound gateway provides no assurance at all that they actually are from who they claim to be from. (And this is presuming that the gateway system itself isn't zombie'd, which of course some of them are.)

And as to whether or not a sending host is legitimate, once you disqualify all hosts without rDNS, all hosts without matching DNS/rDNS, and all hosts with generic/dynamic rDNS, what's left is almost always recognizable as correct/incorrect based on rDNS alone. In other words, when I get spam from n6b.bullet.mail.tp2.yahoo.com, as I quite often do thanks to Yahoo's incompetence and negligence, I really don't need DKIM to tell me that yes, it really did come from them.

The bottom line is that -- at the moment -- email forgery cannot be solved, no matter what technology is deployed, because the underlying infrastructure is rotten to the core.

---Rsk
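The three-step rDNS screen described in the post (no rDNS, forward/reverse mismatch, generic or dynamic rDNS), as an added Python example that is not part of the original message; the generic-name patterns and the sample DNS data are constructed assumptions, and the live resolver functions are only there for real use.

```python
import re
import socket

# Constructed heuristic for "generic/dynamic" reverse names (not exhaustive):
# four IP octets embedded in the name, or ISP tokens such as dyn/dhcp/pool/ppp.
GENERIC_RDNS = re.compile(
    r"(\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})"
    r"|(^|[.-])(dyn|dynamic|dhcp|pool|ppp|dsl|cable)([.-]|\d)",
    re.IGNORECASE,
)

def classify_sender(ip, ptr_lookup, a_lookup):
    """Return 'no-rdns', 'mismatch', 'generic' or 'ok' for a connecting IP.
    ptr_lookup(ip) -> list of PTR names; a_lookup(name) -> list of A/AAAA addresses."""
    names = ptr_lookup(ip)
    if not names:
        return "no-rdns"                       # step 1: no reverse DNS at all
    confirmed = [n for n in names if ip in a_lookup(n)]
    if not confirmed:
        return "mismatch"                      # step 2: PTR name does not resolve back to ip
    if all(GENERIC_RDNS.search(n) for n in confirmed):
        return "generic"                       # step 3: looks like consumer/dynamic space
    return "ok"                                # what's left can be judged by name alone

def live_ptr_lookup(ip):
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []

def live_a_lookup(name):
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

# Constructed sample DNS data (documentation addresses, not real hosts) covering each outcome.
SAMPLE_PTR = {
    "192.0.2.10": ["mx1.example.net"],
    "192.0.2.11": ["mx1.example.net"],          # claims a name that does not point back
    "192.0.2.12": ["192-0-2-12.dyn.example-isp.net"],
}
SAMPLE_A = {
    "mx1.example.net": ["192.0.2.10"],
    "192-0-2-12.dyn.example-isp.net": ["192.0.2.12"],
}

def classify_samples():
    return {ip: classify_sender(ip, lambda i: SAMPLE_PTR.get(i, []), lambda n: SAMPLE_A.get(n, []))
            for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13")}

if __name__ == "__main__":
    for ip, verdict in classify_samples().items():
        print(ip, verdict)
```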