[ale] Gmail accepts spam when you use email forwarding
    Brandon Checketts 
    brandon at brandonchecketts.com
       
    Tue Dec 15 13:23:00 EST 2009
    
    
  
I don't believe that DKIM is subject to the same problem.
DKIM provides a cryptographic signature to validate the sender of a message.  If
it says it is from somebody at freecreditreport.com, you can be pretty certain that
it is, in fact, from that user. (Unless a private key is compromised, etc).  You
can then reliably build a reputation system around that specific address or domain.
The DKIM signature validates the message body, as well as several headers
(Sender, From, Date, etc).  It can go through any number of intermediary mail
servers and the signature will remain valid (provided of course that the
intermediary mail server doesn't tamper with any of those headers or the message
body)
Thanks,
Brandon Checketts
On 12/15/2009 12:11 PM, Jim Popovitch wrote:
> DKIM is just as much as a problem.  Google/Yahoo/Hotmail can only
> trust the header lines that they themselves inject.  A spammer can set
> any header line and DKIM sign the email and send it from a host with
> proper SPF, happens all the time (look no further than free credit
> report spam).
> 
> -Jim P.
> 
> On 2009-12-15, Brandon Checketts <brandon at brandonchecketts.com> wrote:
>> This is a weakness of SPF, and why Google, Yahoo, and others are
>> championing DKIM.
>>
>> Also, remember that attempts at sender validation (ie: SPF and DKIM)
>> don't indicate whether a message is spam or not (spammers can use them
>> too).  It just makes it possible to build a reputation based on the
>> sender address.
>>
>> Thanks,
>> Brandon Checketts
>>
>>
>>
>> Jim Popovitch wrote:
>>> >From Google's perspective, Line 08 could always be spoofed so Google
>>> only relies on what Google knows to be true.
>>>
>>> -Jim P.
>>>
>>> On 2009-12-15, Richard Bronosky <Richard at bronosky.com> wrote:
>>>> Let me know if Google is in the wrong, or I am crazy.
>>>> What I have is a postfix server on slicehost that I use solely for the
>>>> purpose setting up @bronosky.com email forwarders for members of my
>>>> family, and as an outgoing mail server (which I have Gmail using!).
>>>> Most of us are using Gmail now, but some of the stragglers are still
>>>> on Hotmail or Yahoo!. For the past week 15 times a day I have been
>>>> receiving and reporting as spam the same message (nearly) with very
>>>> similar heads.
>>>>
>>>> line01: Delivered-To: richardbronosky at gmail.com
>>>> line02: Received: by 10.220.108.106 with SMTP id e42cs49574vcp; Tue,
>>>> 15 Dec 2009 00:24:04 -0800 (PST)
>>>> line03: Received: by 10.216.90.196 with SMTP id
>>>> e46mr2408469wef.194.1260865444149; Tue, 15 Dec 2009 00:24:04 -0800
>>>> (PST)
>>>> line04: Return-Path: <nmike at bronosky.com>
>>>> line05: Received: from slice1.bronosky.com (slice1.bronosky.com
>>>> [174.143.204.116]) by mx.google.com with ESMTP id
>>>> t12si19704611gvd.5.2009.12.15.00.24.02; Tue, 15 Dec 2009 00:24:03
>>>> -0800 (PST)
>>>> line06: Received-SPF: pass (google.com: best guess record for domain
>>>> of nmike at bronosky.com designates 174.143.204.116 as permitted sender)
>>>> client-ip=174.143.204.116;
>>>> line07: Authentication-Results: mx.google.com; spf=pass (google.com:
>>>> best guess record for domain of nmike at bronosky.com designates
>>>> 174.143.204.116 as permitted sender) smtp.mail=nmike at bronosky.com
>>>> line08: Received: from alixpartners.com (unknown [116.68.243.172]) by
>>>> slice1.bronosky.com (Postfix) with SMTP id 6D0A017643 for
>>>> <deadmail at bronosky.com>; Tue, 15 Dec 2009 08:26:44 +0000 (UTC)
>>>> line09: From: VIAGRA ® Reseller <deadmail at bronosky.com>
>>>> line10: To: deadmail at bronosky.com
>>>> line11: Subject: Deal of the Day: Save 76%
>>>> line12: MIME-Version: 1.0
>>>> line13: Content-Type: text/html; charset="ISO-8859-1"
>>>> line14: Content-Transfer-Encoding: 7bit
>>>> line15: Message-Id: <20091215082645.6D0A017643 at slice1.bronosky.com>
>>>> line16: Date: Tue, 15 Dec 2009 08:26:44 +0000 (UTC)
>>>>
>>>> the part that really sucks are line06 and line07. All mail for
>>>> @bronosky.com is going to come to Google forwarded from
>>>> slice1.bronosky.com because that's the way it is. Where I believe
>>>> Google is goofing up is that they are SPF checking the IP from line05
>>>> instead of the IP from line08. So, the trick to spamming any Gmail
>>>> user who forwards from another domain is the set the From: header to
>>>> an address @ that domain. Seems like a huge fail to me.
>>>>
>>>> Please opine.
>>>>
>>>> --
>>>> .!# RichardBronosky #!.
>>>>
>>>> _______________________________________________
>>>> Ale mailing list
>>>> Ale at ale.org
>>>> http://mail.ale.org/mailman/listinfo/ale
>>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>>> http://mail.ale.org/mailman/listinfo
>>>>
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
    
    
More information about the Ale
mailing list