North American Network Operators Group

Re: Time to check the rate limits on your mail servers

  • From: Edward B. Dreger
  • Date: Sat Feb 05 12:50:01 2005

TV> Date: Fri, 4 Feb 2005 09:53:07 -0500 (EST)
TV> From: Todd Vierling

TV> The only way to be sure is via cryptographic signature.  Barring that level

False.  You imply that a crypto signature is a perfect guarantee, and
that nothing else can provide equal assurance.

TV> of immediate traceability, SPF provides a very useful data point to that
TV> end (as its *only* purpose is curbing forgery).

SPF says "mail from this domain should only come from these MXes".  It
doesn't stop someone from forging a random @domain.tld address from an
SPF-blessed Everquick MX.  Now, let's say it's known that Everquick MXes
authenticate users and only allow whitelisted "From: " email addresses.

Step 1:  SPF [or similar/better] confirms that the MX is allowed to send
email on behalf of the claimed sender address.  Discard message if it
comes from a bogus MX.

Step 2:  The MX confirms that the user was authorized to use the claimed
sender address.  The message would never have been transmitted had the
user not authenticated with the trusted MX.

Please explain how the "trust chain" does not verify the sending user.
"Malware will steal username/password" is not a valid answer, as the
same can apply equally to crypto keys.

Everquick Internet -
A division of Brotsman & Dreger, Inc. -
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
DO NOT send mail to the following addresses:
[email protected] -*- [email protected] -*- [email protected]
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.
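
The two-step chain described in the message above, sketched as an added example that is not part of the original post. The domain, IP ranges, logins and the allowed-sender table are constructed, and the SPF evaluation is a simplified assumption that handles only ip4 mechanisms and a trailing -all.

```python
import ipaddress

# Constructed sample data (assumptions, not from the original post).
SPF_RECORDS = {"example.net": "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.25 -all"}
# Policy on the trusted MX: authenticated login -> sender addresses it may use.
ALLOWED_SENDERS = {
    "alice": {"alice@example.net", "sales@example.net"},
    "bob": {"bob@example.net"},
}


def spf_check(client_ip, mail_from):
    """Step 1 (receiver side): is client_ip authorized for the sender's domain?"""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term == "-all":
            return "fail"
    return "neutral"


def submission_allowed(auth_user, mail_from):
    """Step 2 (sending MX side): may this authenticated user use this address?"""
    return mail_from.lower() in ALLOWED_SENDERS.get(auth_user, set())


def trust_chain(client_ip, auth_user, mail_from):
    """Return where a message stops, or 'delivered' if both steps hold.

    auth_user is the login presented to the trusted MX, or None when the
    sender never authenticated to it.
    """
    # Step 1: the receiver sees only the connecting IP and the claimed sender.
    if spf_check(client_ip, mail_from) != "pass":
        return "discarded by receiver"
    # Step 2: an SPF pass means the trusted MX relayed it, and that MX relays
    # only for an authenticated user who is whitelisted for the address.
    if auth_user is None or not submission_allowed(auth_user, mail_from):
        return "refused at submission"
    return "delivered"
```

The receiver can evaluate only step 1 itself; step 2 holds only to the extent the sending MX's authentication and whitelisting policy is known and trusted, which is the premise the message states.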