funsec mailing list archives

Re: Public Policy and Consumer ISP Hygiene (was Comcast pop-ups)


From: Rich Kulawiec <rsk () gsp org>
Date: Tue, 20 Oct 2009 07:24:43 -0400

On Mon, Oct 19, 2009 at 09:09:09AM -0400, Larry Seltzer wrote:
> > All such [sender-authentication] systems have *already* been defeated
> > by The Bad Guys....
>
> When was DKIM defeated?

Well before it was launched: the existence of the zombies (and thus
the corresponding number of compromised sets of mail credentials) means
that attackers can forge messages at will.  Merely DKIM-signing them at
an outbound gateway provides no assurance at all that they actually
are from who they claim to be from.  (And this is presuming that the
gateway system itself isn't zombie'd, which of course some of them are.)

And as to whether or not a sending host is legitimate, once you disqualify
all hosts without rDNS, all hosts without matching DNS/rDNS, and all hosts
with generic/dynamic rDNS, what's left is almost always recognizable as
correct/incorrect based on rDNS alone.  In other words, when I get spam
from n6b.bullet.mail.tp2.yahoo.com, as I quite often do thanks to Yahoo's
incompetence and negligence, I really don't need DKIM to tell me that
yes, it really did come from them.

The bottom line is that -- at the moment -- email forgery cannot be
solved, no matter what technology is deployed, because the underlying
infrastructure is rotten to the core.

---Rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
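The rDNS triage described in the message above (disqualify hosts with no reverse DNS, hosts whose reverse name does not resolve back to the connecting address, and hosts with generic or dynamic-looking reverse names, then judge the rest by name) as an added, self-contained Python example. This is not code from the list message or its author. The DNS tables are constructed stand-ins for PTR and A lookups so the example runs offline (a real deployment would query a resolver); the dynamic-name token list and the embedded-octet heuristic are assumptions reflecting common naming conventions, not an authoritative list. The TEST-NET addresses and their mapping to the yahoo.com host name mentioned in the message are constructed sample data.

```python
import re

# Constructed offline stand-ins for PTR (reverse) and A (forward) lookups.
# Assumption: a real filter would issue resolver queries here instead.
PTR_TABLE = {
    "203.0.113.10": "mail.example.net",                    # proper FCrDNS
    "203.0.113.11": "mail.example.net",                    # PTR present, forward does not match
    "203.0.113.12": "203-0-113-12.dyn.example-isp.net",    # dynamic-looking name
    "203.0.113.13": "n6b.bullet.mail.tp2.yahoo.com",       # named host from the message (constructed IP)
    # "203.0.113.9" deliberately has no PTR at all
}
A_TABLE = {
    "mail.example.net": ["203.0.113.10"],
    "203-0-113-12.dyn.example-isp.net": ["203.0.113.12"],
    "n6b.bullet.mail.tp2.yahoo.com": ["203.0.113.13"],
}

# Assumption: tokens commonly seen in generic/dynamic reverse names.
_DYNAMIC_TOKENS = re.compile(
    r"(^|[.-])(dyn|dynamic|dhcp|pool|ppp|pppoe|dsl|adsl|cable|dialup|"
    r"broadband|client|cust|customer)([.-]|$)",
    re.IGNORECASE,
)

# Classes the triage can return; the first three are the ones the
# message says to disqualify before looking at the name itself.
NO_RDNS = "no-rdns"
RDNS_MISMATCH = "rdns-mismatch"
GENERIC_RDNS = "generic-rdns"
NAMED_HOST = "named-host"


def lookup_ptr(ip):
    """Reverse lookup against the constructed table (None when no PTR exists)."""
    return PTR_TABLE.get(ip)


def lookup_a(hostname):
    """Forward lookup against the constructed table (empty list when unknown)."""
    return A_TABLE.get(hostname.lower(), [])


def embeds_ip(hostname, ip):
    """True when at least three of the address's octets appear as labels in the
    reverse name, e.g. 203-0-113-12.dyn.example-isp.net for 203.0.113.12."""
    octets = ip.split(".")
    labels = re.split(r"[.-]", hostname.lower())
    return sum(1 for o in octets if o in labels) >= 3


def classify_host(ip):
    """Apply the rDNS triage in the order the message describes."""
    ptr = lookup_ptr(ip)
    if ptr is None:
        return NO_RDNS
    # Forward-confirmed rDNS: the PTR name must resolve back to the same IP.
    if ip not in lookup_a(ptr):
        return RDNS_MISMATCH
    if _DYNAMIC_TOKENS.search(ptr) or embeds_ip(ptr, ip):
        return GENERIC_RDNS
    return NAMED_HOST


def policy(ip):
    """Map the class to a gateway decision: disqualify the three bad classes,
    and pass named hosts on for judgement by reverse name / reputation."""
    return "inspect-by-name" if classify_host(ip) == NAMED_HOST else "reject"


if __name__ == "__main__":
    for addr in ["203.0.113.9", "203.0.113.10", "203.0.113.11",
                 "203.0.113.12", "203.0.113.13"]:
        print(f"{addr:15} ptr={lookup_ptr(addr)!s:40} "
              f"class={classify_host(addr):14} policy={policy(addr)}")
```

Running the script lists each sample address with its reverse name, triage class, and resulting decision; only the two hosts with a matching, non-generic reverse name survive to the by-name stage, which is the point the message makes about recognising the remainder (such as the yahoo.com host) from rDNS alone.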

