Full Disclosure mailing list archives
Re: Email Security
From: "Gary E. Miller" <gem () rellim com>
Date: Thu, 29 Dec 2005 23:22:55 -0800 (PST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yo Nick!

On Fri, 30 Dec 2005, Nick FitzGerald wrote:

> > Sorry to actually talk about security here, but this has been bugging me for a while. Check out the headers in the email I just got from this list below.
>
> If you think DomainKeys has anything to do with "security" you either have no clue what DomainKeys is and does or what security is...

Well it does authenticate that any email I send was sent from an email server authorized to send mail for my domain. Authentication is certainly not all of security, but it is a part of security. Any email NOT DomainKey signed by keys in my DNS did NOT come from me. Sure it can be hacked, but so can a 4 digit PIN. It just does a good enough job much of the time.

> If you think DomainKeys has anything to do with spam then you clearly have no grip on what spam is,

I agree with you and do not think that DomainKeys will really limit spam at all. I got 11k+ spam over the Xmas holiday that slipped in under the 8 point limit I set on SpamAssassin. Email servers I manage reject dozens, even hundreds of emails a second as spam. So I clearly have a large sample to play with.

I do believe that DomainKeys will limit blow-back. I have medium sized email servers that get 4x more bounces than email sent! That is because the spammers use those domain names to forge totally made up From addresses. Then a lot of stupid mail servers bounce the spam back to me instead of refusing it in the first place or shoving it back to the real sender. If those idiot admins could use DomainKeys they would know to just trash that email and not send it back to me. Sadly I know most of them will never bother to maintain their email server, but we gotta try.

Another advantage of DomainKeys will be that I can finally trust my whitelist again. My personal domain whitelist used to work real well. Then the spammers used email addresses pilfered from my friends' address books and the whitelist lost much of its usefulness. I may not be able to trust yahoo.com to not send spam, but I trust that if yahoo signs an email for a yahoo address that is my friend's then it is likely legit email.

As soon as some mailing lists, like FD, get DomainKeys right then I would encourage any mail server getting email purportedly from me that is not properly DomainKey signed to discard it with prejudice. That alone would stop a lot of tech support calls about how I keep sending out virii.

Yes I would rather folks check out the gpg signing I always use. I would like it if I could send more gpg encrypted emails. But for some reason it has not caught on. If we can get something simple widely deployed then we can educate folks to want the good stuff later on.

> why we have it and the totally trivial "fix" the major spammers will make to totally subvert DomainKeys (and SPF and Sender ID and all other weak "authentication" methods suggested by morons who want to stop spam but have equally little grip as you on what spam is and why we have it).

Yes, it is an arms race. I have my RBLs, my DCC, my Razor, my Pyzor, my TMDA, my SpamAssassin and each worked for a little while until some of the Spammers figured out how to end run them.

For now, when I add a DomainKey check to my SA rules the quality of the spam filtering goes up a little. If more people sign it will go up a bit more. I'll take whatever I can get. When I take the filters down for an hour I get a huge number of complaints, and my inbox gets flooded, so I know they still do a lot of good. Each one is flawed, but when taken as a whole it all helps.

Still, I would be interested to hear how you can spoof my DomainKeys. Please educate us. Better yet, send me an email that pretends to be from me with a valid DomainKey. If there is a hole in the proposed RFC let's find out about it now.

RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
gem () rellim com Tel:+1(541)382-8588 Fax: +1(541)382-8676

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDtOBT8KZibdeR3qURAnWtAJwNhEr2DP9lDsmirJ5peynu2fHp/ACfbk/g
fA5NqOey6+DbJ3TDcEJwu5w=
=WBYa
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
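
The receiver-side handling discussed in this message (accept mail carrying a valid signature from the From domain, silently discard unsigned mail claiming a domain that signs everything, and never bounce it to the forged address), as an added example that is not part of the original post or of any DomainKeys implementation. It assumes the `d=` signature tag and the `o=-` policy tag of the DomainKeys draft, checks only the From header, takes the RSA verification result as an input, and uses a dict in place of DNS; `parse_tags`, `disposition` and all sample data are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

def parse_tags(value):
    """Split a 'tag=value; tag=value' list (signature header or policy TXT)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def disposition(raw, policy_txt, sig_verified):
    """Return 'accept', 'discard' or 'filter' for one message; never 'bounce'.

    policy_txt:   constructed stand-in for DNS, {"_domainkey.<domain>": TXT}.
    sig_verified: outcome of the RSA check, assumed to be computed elsewhere.
    """
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signing = parse_tags(msg.get("DomainKey-Signature", "")).get("d", "").lower()
    # The signing domain must be the From domain or a parent of it.
    aligned = bool(signing) and (
        from_domain == signing or from_domain.endswith("." + signing))
    if aligned and sig_verified:
        return "accept"
    policy = parse_tags(policy_txt.get("_domainkey." + from_domain, ""))
    if policy.get("o") == "-":
        # Domain states that all of its mail is signed: treat as forged and
        # drop silently, so no bounce goes to the forged From address.
        return "discard"
    return "filter"  # no statement from the domain: ordinary spam filtering

# Constructed sample data (example.org is a reserved documentation domain).
POLICY = {"_domainkey.example.org": "o=-; r=postmaster@example.org"}
SIGNED = ("From: Sender <user@example.org>\n"
          "DomainKey-Signature: a=rsa-sha1; s=sel1; d=example.org; c=nofws;\n"
          " q=dns; b=CONSTRUCTEDPLACEHOLDER\n"
          "Subject: hello\n\nbody\n")
FORGED = "From: Sender <user@example.org>\nSubject: cheap pills\n\nbody\n"

if __name__ == "__main__":
    print(disposition(SIGNED, POLICY, True))    # signed and verified
    print(disposition(FORGED, POLICY, False))   # unsigned, domain signs all mail
    print(disposition(FORGED, {}, False))       # unsigned, no policy published
```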