lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Fri Dec 30 07:23:14 2005
From: gem at rellim.com (Gary E. Miller)
Subject: Email Security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yo Nick!

On Fri, 30 Dec 2005, Nick FitzGerald wrote:

> > Sorry to actually talk about security here, but this has been bugging
> > me for a while.  Check out the headers in the email I just got from
> > this list below.
>
> If you think DomainKeys has anything to do with "security" you either
> have no clue what DomainKeys is and does or what security is...

Well it does authenticate that any email I send was sent from an email
server authorized to send mail for my domain.  Authentication is
certainly not all of security, but it is a part of security.  Any email
NOT DomainKey signed by keys in my DNS did NOT come from me.  Sure it
can be hacked, but so can a 4 digit PIN.  It just does a good enough job
much of the time.

> If you think DomainKeys has anything to do with spam then you clearly
> have no grip on what spam is,

I agree with you and do not think that DomainKeys will really limit spam
at all.  I got 11k+ spam over the Xmas holiday that slipped in under
the 8 point limit I set on SpamAssassin.  Email servers I manage reject
dozens, even hundreds of emails a second as spam.  So I clearly have a
large sample to play with.

I do believe that DomainKeys will limit blow-back.  I have medium sized
email servers that get 4x more bounces than email sent!  That is because
the spammers use those domain names to forge totally made up From
addresses.

Then a lot of stupid mail servers bounce the spam back to me instead of
refusing it in the first place or shoving it back to the real sender.
If those idiot admins could use DomainKeys they would know to just trash
that email and not send it back to me.  Sadly I know most of them will
never bother to maintain their email server, but we gotta try.

Another advantage of DomainKeys will be that I can finally trust my
whitelist again.  My personal domain whitelist used to work real well.
Then the spammers used email addresses pilfered from my friends address
books and the whitelist lost much of its usefulness.  I may not be able to
trust yahoo.com to not send spam, but I trust that if yahoo signs an
email for a yahoo address that is my friends then it is likely legit
email.

As soon as some mailing lists, like FD, get DomainKeys right then I
would encourage any mail server getting email purportedly from me that
is not properly DomainKey signed to discard it with prejudice.  That
alone would stop a lot of tech support calls about how I keep sending
out virii.

Yes I would rather folks check out the gpg signing I always use.  I
would like it if I could send more gpg encrypted emails.  But for some
reason it has not caught on.  If we can get something simple widely
deployed then we can educate folks to want the good stuff later on.

> why we have it and the totally trivial
> "fix" the major spammers will make to totally subvert DomainKeys (and
> SPF and Sender ID and all other weak "authentication" methods suggested
> by morons who want to stop spam but have equally little grip as you on
> what spam is and why we have it).

Yes, it is an arms race.  I have my RBLs, my DCC, my Razor, my Pyzor,
my TMDA, my SpamAssassin and each worked for a little while until some
of the Spammers figured out how to end run them.  For now, when I add a
DomainKey check to my SA rules the quality of the spam filtering goes
up a little.  If more people sign it will go up a bit more.  I'll take
whatever I can get.

When I take the filters down for an hour I get a huge number of
complaints, and my inbox gets flooded, so I know they still do a lot of
good.  Each one is flawed, but when taken as a whole it all helps.

Still, I would be interested to hear how you can spoof my DomainKeys.
Please educate us.  Better yet, send me an email that pretends to be
from me with a valid DomainKey.  If their is a hole in the proposed RFC
lets find out about it now.

RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Blvd, Suite E-3, Bend, OR 97701
	gem@...lim.com  Tel:+1(541)382-8588 Fax: +1(541)382-8676

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDtOBT8KZibdeR3qURAnWtAJwNhEr2DP9lDsmirJ5peynu2fHp/ACfbk/g
fA5NqOey6+DbJ3TDcEJwu5w=
=WBYa
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ