Internet DRAFT - draft-otis-dkim-threats

draft-otis-dkim-threats






pre-workgroup                                                    D. Otis
Internet-Draft                                         Trend Micro, NSSG
Expires: April 27, 2006                                 October 24, 2005


 Review of Threats Associated with Email and DomainKeys Identified Mail
                                 (DKIM)
                       draft-otis-dkim-threats-01

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 27, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   This document is intended to provide an alternative perspective to
   the document prepared by Jim Fenton for DomainKeys Identified Mail
   (DKIM), although it borrows from his substantial effort.  This review
   removes emphasis on email-address domains, as DKIM allows signatures
   to be independent of the email-address.  This document also considers
   the impact of adding an opaque-identifier and implementing abusive
   message replay abatement.  This document considers threats against
   Internet mail and threats created when employing a signature-based



Otis                     Expires April 27, 2006                 [Page 1]

Internet-Draft             Email+DKIM threats               October 2005


   method for establishing an accountable domain for a message, in
   particular DKIM.  This document also ranks threat levels, modes of
   access, Bad Actors and their capabilities, and possible motivations
   for various attack scenarios.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Scope of DKIM  . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Vulnerabilities  . . . . . . . . . . . . . . . . . . . . . . .  4
   4.  Security Requirements  . . . . . . . . . . . . . . . . . . . .  7
   5.  Ranking of Bad Actors  . . . . . . . . . . . . . . . . . . . .  7
   6.  Capabilities of Bad Actors . . . . . . . . . . . . . . . . . .  8
     6.1   General capabilities . . . . . . . . . . . . . . . . . . .  8
     6.2   Advanced capabilities  . . . . . . . . . . . . . . . . . .  9
   7.  Bad Actor's Points of Access . . . . . . . . . . . . . . . . .  9
     7.1   Bad Actors with Access in the Administrative Unit  . . . . 10
       7.1.1   Access in the Signing-Domain's Administrative Unit . . 10
       7.1.2   Access in the Recipient's Administrative Unit  . . . . 10
     7.2   Bad Actors with External Access  . . . . . . . . . . . . . 11
   8.  Representative Bad Acts  . . . . . . . . . . . . . . . . . . . 11
     8.1   Use of Arbitrary Identities  . . . . . . . . . . . . . . . 11
     8.2   Use of Specific Identities . . . . . . . . . . . . . . . . 12
       8.2.1   Exploitation of Social Relationships . . . . . . . . . 12
       8.2.2   Identity-Related Fraud . . . . . . . . . . . . . . . . 12
       8.2.3   Reputation Attacks . . . . . . . . . . . . . . . . . . 13
   9.  Attacks on Message Signing . . . . . . . . . . . . . . . . . . 13
     9.1   DoS Attack . . . . . . . . . . . . . . . . . . . . . . . . 13
     9.2   Invalid Signatures . . . . . . . . . . . . . . . . . . . . 14
       9.2.1   Canonicalization and Message Normalization . . . . . . 14
     9.3   Body Length Parameter  . . . . . . . . . . . . . . . . . . 14
     9.4   Multiple Signatures  . . . . . . . . . . . . . . . . . . . 14
     9.5   Use of "throw-away" domains  . . . . . . . . . . . . . . . 15
     9.6   Message Replay Attack  . . . . . . . . . . . . . . . . . . 16
   10.   Threats to Delivery  . . . . . . . . . . . . . . . . . . . . 19
   11.   Urgent Response to Threats for Consumer Protections  . . . . 19
     11.1  Restricted Two-Party Communication . . . . . . . . . . . . 19
     11.2  Unrestricted Multiple-Party Communication  . . . . . . . . 20
     11.3  Opportunistic Protection without Domain-wide Policy
           Assertions . . . . . . . . . . . . . . . . . . . . . . . . 20
   12.   Sender Signing Policy  . . . . . . . . . . . . . . . . . . . 21
   13.   IANA Considerations  . . . . . . . . . . . . . . . . . . . . 23
   14.   Security Considerations  . . . . . . . . . . . . . . . . . . 23
   15.   References . . . . . . . . . . . . . . . . . . . . . . . . . 23
     15.1  Normative References . . . . . . . . . . . . . . . . . . . 23
     15.2  Informative References . . . . . . . . . . . . . . . . . . 24
       Author's Address . . . . . . . . . . . . . . . . . . . . . . . 24
       Intellectual Property and Copyright Statements . . . . . . . . 25



Otis                     Expires April 27, 2006                 [Page 2]

Internet-Draft             Email+DKIM threats               October 2005


1.  Introduction

   Message signing, as exemplified by DomainKeys Identified Mail (DKIM)
   [I-D.allman-dkim-base], is a mechanism to allow an assertion of an
   accountable domain for an email message in transit.  The assertion is
   made by means of a digital signature included within a header.  This
   signature also validates the integrity of selected headers and
   message body content subsequent to signing the message.  This review
   is based upon the work of Jim Fenton, but differs from the
   perspectives regarding the role of an email-address and how replay,
   intra-domain, and DoS attacks may be handled.

   For example, on the DKIM list Jim suggested Sender-ID's path-
   registration and authorization mechanism could be a possible solution
   for a message replay abuse problem.  Unfortunately path-registration
   imposes upon DKIM problematic limitations that would also be very
   disruptive.  Path-registration would also essentially constrain
   mailbox-addresses to specific providers.  In addition, path-
   registration already exposes email-address domain owners to risks
   where path authorization may form the basis for accrual of unfair
   reputations.  Within shared environments, requisite checks to ensure
   email-address domain exclusivity may not have been made.  Such checks
   may be beyond the control of the email-address domain owner, while
   those who are in control remain unaccounted.

   With DKIM, once an accountable domain has been established for a
   message and where the reputation of this domain can be defended, the
   recipient may assess the reputation accrued by the signing-domain
   when deciding whether to accept the message.  This assessment can be
   made using locally-maintained white-lists, and reputation/
   accreditation services.  By applying a signature, the conduct
   permitted by the signing-domain may be accurately accrued to
   establish a valid reputation.  Good conduct is generally maintained
   when there are expectations that future messages will be accepted by
   the recipient from the signing-domain.

2.  Scope of DKIM

   DKIM verifies the association of a specific domain with a message
   using a signature and a public key.  This mechanism also ensures
   selected headers and body content have not been altered since the
   domain's association.  The DKIM effort is not intended to address
   threats associated with message confidentiality nor provide a
   signature suitable for long-term archival.  The scope of DKIM does
   not include semantics for reputation or accreditation services or
   white-listing practices.  DKIM does not provide a direct method to
   verify the identity of a message's author.  DKIM does not provide
   safe mechanisms for authorizing messages associated with different



Otis                     Expires April 27, 2006                 [Page 3]

Internet-Draft             Email+DKIM threats               October 2005


   domain signatures.

3.  Vulnerabilities

   Email is exposed to several security related threats where
   exploitation of a vulnerability often results in substantial damages.
   The following table provides a general overview of vulnerabilities
   and side-effects created by defensive strategies.

+------------------------+---------------------+------------+----------+
|      Vulnerability     |        Damage       | Prevalence | Severity |
+------------------------+---------------------+------------+----------+
|   Unfair Reputations   |   Loss of Service   |     Low    |  Medium  |
| Collateral IP Blocking |   Loss of Service   |     Low    |  Medium  |
|    Filtering Errors    |   Loss of Service   |     Low    |  Medium  |
|       Junk Folder      |   Loss of Service   |     Low    |  Medium  |
|     Delete w/o DSN     |   Loss of Service   |     Low    |  Medium  |
|           DoS          |   Loss of Service   |     Low    |  Medium  |
|      Name Blocking     |   Loss of Service   |     Low    |   High   |
|    Message Spoofing    |    Defrauded User   |   Medium   |   High   |
|        OS Flaws        |  Compromised System |   Medium   |   High   |
|    Stolen Passwords    | Compromised Account |   Medium   |   High   |
|    Malware Payloads    |  Compromised System |    High    |   High   |
|     Timing Analysis    |   Compromised Key   |     Low    |   High   |
|    Network Exploits    | Compromised Privacy |     Low    |   High   |
+------------------------+---------------------+------------+----------+

   An Unfair Reputation regards assessments made against the email-
   address.  These unfair assessments may occur when the email-address
   domain owner is assumed to control the use of their email-address
   domain.  The email-address domain owner may have been obliged to
   authorize the shared systems of a service provider when registering
   prescribed email paths.  Checks are often not performed by an
   unaccounted provider that should ensure only the owner is able to
   utilize their email-address domain.  The public nature of system
   authorizations and prevalence of compromised systems place the email-
   address domain owners at great risk when reputation is based upon the
   email-address.

   Collateral IP Blocking occurs when email systems are being shared and
   many email-address domains utilize common IP addresses.  When one of
   these email-address domains displays abusive conduct, an IP address
   based reputation service may list the IP address and consequently
   block all other email-address domains sharing the IP address.

   Filtering Errors may occur when erroneously relying on a phrase or
   name.  These errors cause the normal processing of the message to be
   altered.  Abusers often spoof many elements within their message



Otis                     Expires April 27, 2006                 [Page 4]

Internet-Draft             Email+DKIM threats               October 2005


   largely to avoid being filtered and this may increase the filtering
   program's sensitivity to otherwise innocent domains.  This type of
   erroneous sensitivity could be viewed as another type of unfair
   reputation.  The message may be "bounced", placed into the "Junk
   Folder", or deleted without the issuing of a Delivery Status
   Notification (DSN).  With the breakdown of email policy enforcement,
   email filtering has become a common alternative to manual, and also
   highly error-prone, deletion of unwanted email.

   The Junk Folder has become the catch-all repository of questionable
   email.  The increased use of multi-level acceptance criteria also
   increases the portion of email placed into the Junk Folder.  Ideally,
   acceptance criteria would provide a binary go/no-go result.  Stronger
   methods of authentication that singularly identify an accountable
   entity may assist in achieving such a goal.

   Deletion without Delivery Status Notification may occur when messages
   have been accepted but then, perhaps through the use of analytical
   heuristics, the message is subsequently identified as unwanted.  In
   the case of message deletion, the provider does not notify the sender
   since even the bounce-address is typically considered invalid.  This
   mode of operation represents a significant reduction in the integrity
   of email delivery.

   Denial of Service attacks may not be intentional, and could be the
   result of unsolicited bulk email.  An enterprise attempting to run
   their own email service may find their networks unable to deal with
   the vast amount of unwanted email.  Being able to reject unwanted
   email early in the exchange is critical when network resources are
   limited.  Signatures carried within the message will not allow for
   early rejection and thus not offer any DoS protection.  Simply
   dropping the connection may result in a storm of retries.  DoS
   protections based upon a domain, rather than an IP address, can be
   achieved by verifying the EHLO name, as it still permits early
   rejection while also avoiding IP address collateral blocking, see
   [I-D.crocker-csv-intro] and [I-D.crocker-csv-csa].  Domain-based
   assessments derived from the EHLO or a domain signature could utilize
   a name based reputation service, commonly referred to as a Right-
   Hand-Side Black-hole List (RHSBL).  Attacks from unlisted domains
   would be retained together with the IP addresses within a local list.

   Name Blocking may result from unfair reputation accrual.  Such
   accrual could occur when feedback is based upon email-address domains
   held accountable for having authorized a system sending abusive
   email.  The damage would be much worse than that caused by collateral
   IP address blocking.  In the case where the IP address is blocked,
   the email-address domain owner would be able to obtain services
   elsewhere as a remedy.  In the case of Name Blocking, there may not



Otis                     Expires April 27, 2006                 [Page 5]

Internet-Draft             Email+DKIM threats               October 2005


   be any remedy, which represents a serious problem.  This problem may
   become endemic with email-address authorization mechanisms.

   Message Spoofing uses many techniques to mislead either the recipient
   or a message filter.  Often the email-address domain appears random,
   or contains several randomly generated domain labels.  Such randomly
   generated labels may still be valid when a DNS wildcard resource
   record is used.  In the case where some level of authentication is
   asserted by the MUA, the domain used to achieve the authentication
   may rely upon the recipient seeing the "pretty-name" rather than the
   actual email-address.  For various reasons, methods that attempt to
   select a visible header to authorize an email-address domain, still
   may permit hidden headers.  The complexity of the selection
   algorithms may also confuse the average recipient, where any
   indication of the message having been authorized may be exploited.

   Operating System flaws will always exist.  Some operating systems
   offer better secured internal communication and program execution.
   Minimizing the exposure of system services to external access reduces
   the number of exploits possible.  Automated system monitoring is
   often needed to react to attack attempts.  Otherwise, the scale of
   deployment may require overwhelming manual monitoring.

   Stolen Passwords are a common problem.  There are many enterprises
   that use protocols that send passwords in the clear.  With the
   prevalence of wireless networks with weak protections, passwords sent
   in the clear should be considered the same as publishing them.  In
   addition, many of the programs that compromise systems also do
   keyboard and paste buffer logging sent covertly to the criminals
   stealing sensitive information.  Even access to a microphone near the
   keyboard may reveal passwords.  Once access is gained, even with a
   low privilege, many applications automatically assert the password
   when sending or receiving messages.

   Malware Payloads may be carried in items that receive special
   handling.  Examples could be pictures or scripts embedded within a
   message or referenced via URLs.  It could also be attachments added
   to the message, often where the name of the attachment has been
   obfuscated to convince the recipient they can safely invoke the
   operating system's default handling routines.

   Timing Analysis is an attack method that takes advantage of knowing
   the algorithm used for processing the signature.  When the private
   portion of the key is involved in the process, care must be taken to
   ensure the time performing the operation is not revealed.  This
   timing enables techniques that deduce the private key.  Even with
   random latency variations introduced by the network, this variation
   can be significantly reduced by finding the median from additional



Otis                     Expires April 27, 2006                 [Page 6]

Internet-Draft             Email+DKIM threats               October 2005


   measurements.

   Network Exploits are also becoming more common.  These attacks
   exploit various elements of the network infrastructure, often
   misdirecting network traffic.  This may involve falsified
   configuration information, falsified connection redirects or hijacks,
   poisoned domain name servers, and even corrupted routing elements.

4.  Security Requirements

   The use of private keys within the signing MTA server increases the
   level of security required to safely provide the DKIM signing
   services.  External access to non-essential services should be
   prevented using appropriate measures.  The Operating System should
   also be monitored for execution of unauthorized programs and access
   attempts to otherwise protected services.  When the server is running
   within a virtual machine, special care must be exercised with respect
   to timing attacks on private keys where even processing loads may
   reveal sensitive information.  The generation of a signature should
   be staged to mask the actual time expended as a means to protect the
   private key.  As email is often held in queues during processing,
   results may be held for an assured duration to conceal the time
   related to signing.

5.  Ranking of Bad Actors

   The problems confronted by DKIM can be generalized as the result of
   abusive acts by individuals taking advantage of the open nature of
   email.  For the purposes of this document, these abusive individuals
   will be referred to as Bad Actors.  Bad Actors have become more
   sophisticated, and their motivations have become increasingly
   criminal in nature.

   At the low end of severity, Bad Actors may represent unsophisticated
   individuals taking advantage of many commercially available tools.
   These tools may facilitate messages being sent in bulk, or may employ
   criminal strategies that avoid being identified and subsequently
   blocked.  Unsolicited messages sent in bulk often becomes the basis
   used for blocking future exchanges.  As newer methods of
   identification are attempted, often these bulk distribution tools
   represent a significant portion of applications adopting the newer
   protocol extensions.  The adoption of the extensions is often based
   upon another strategy where changing identities becomes a small cost
   for sustaining their nefarious enterprise.

   The next level of severity could be considered a surreptitious
   service provider that specializes in sending unsolicited email.
   These Bad Actors often employ infrastructure specifically designed to



Otis                     Expires April 27, 2006                 [Page 7]

Internet-Draft             Email+DKIM threats               October 2005


   obfuscate their identity.  Their infrastructure may include open-
   proxies, open-relays, and the use of multiple points of access which
   take advantage of asymmetric routing as a means to disguise source IP
   addresses.  Their infrastructure may also be established using
   thousands of compromised systems that may have been leased.

   Another technique used by Bad Actors is to send to low priority
   backup MTAs with the expectation messages will be bounced and the
   intended recipient is contained within the bounce-address.  This
   bounced message technique is another method used to obfuscate the
   source IP address of the message.  Although this IP address is
   typically found in the Received headers, the reputation of this
   Received header IP address is not always checked.  Bad Actors
   offering such services often provide email address lists to their
   clientele that may have been obtained from compromised systems,
   harvested, purchased, or discovered by means of dictionary attacks.

   The highest level of severity would be represented by criminals who
   intend to commit fraud and who are financially-motivated.  These Bad
   Actors are becoming organized and specialized with rapidly growing
   sophistication and threaten not only email, but the network itself.
   These Bad Actors should be expected to employ all of the above
   mechanisms, in addition to attacks on Internet infrastructure, such
   as DNS cache-poisoning attacks, and IP routing attacks via
   compromised network routing elements, and more.

6.  Capabilities of Bad Actors

6.1  General capabilities

   In general, Bad Actors described above should be expected to have
   access to the following:

   1.  An extensive corpus of messages from targeted domains

   2.  Knowledge of the practices used by targeted domains

   3.  Access to public keys and associated authorization records
       published by the targeted domains

   and the ability to do at least some of the following:

   1.  Generate substantial numbers of unsigned messages that might
       represent either an intentional or unintentional denial of
       service attack

   2.  Transmit messages using any envelope information desired




Otis                     Expires April 27, 2006                 [Page 8]

Internet-Draft             Email+DKIM threats               October 2005


   3.  Transmit messages using any message headers desired

   4.  Submit messages to MTAs from multiple locations within the
       Internet

   5.  Sign messages on behalf of domains from registrars that protect
       the domain owner's privacy or that have poor vetting practices

   6.  Generate substantial numbers of messages with invalid signatures
       which may be an attempt to create a denial of service attack by
       overwhelming DKIM verification

   7.  Resend messages which may have been previously signed by other
       domains


6.2  Advanced capabilities

   Certain classes of Bad Actors may have substantial financial
   motivation, and therefore could be expected to have more capabilities
   at their disposal.  These include:

   1.  Access to significant computing resources, perhaps through the
       conscription of many compromised systems.  This could allow Bad
       Actors to perform various types of brute-force attacks.

   2.  Manipulation of IP routing.  This could be used to submit
       messages from specific IP addresses or difficult-to-trace
       addresses, or to cause diversion of messages to a specific
       domain.

   3.  Influence over portions of DNS using mechanisms, such as cache
       poisoning.  This might be used to influence message routing, or
       to falsify DNS-based key or policy advertisements.

   4.  Ability to eavesdrop on some existing traffic, perhaps from a
       wireless network, a cable or DSL modem, or a compromised server
       or router.

   The last three of these mechanisms could permit Bad Actors to
   redirect traffic and masquerade as a desired destination.  Such
   redirection provides a means to deceive the recipient or those
   attempting to send messages, and may be used to obtain access-related
   information among other sensitive data.

7.  Bad Actor's Points of Access

   In the following discussion, the term "Administrative Unit", taken



Otis                     Expires April 27, 2006                 [Page 9]

Internet-Draft             Email+DKIM threats               October 2005


   from [I-D.crocker-email-arch], is used to refer to a portion of the
   email path under common administration.  Recipients usually establish
   mutual authentications with Administrative Units receiving and
   verifying their email using shared secrets and server certificates.
   Administrative Units that perform message signing also usually
   establish mutual authentication using shared secrets and server
   certificates.

7.1  Bad Actors with Access in the Administrative Unit

   Bad Actors can obtain access anywhere in the Internet.  Bad Actors
   that have privileged access within the Administrative Unit of the
   signing-domain or the recipient domain have capabilities beyond those
   elsewhere, as described in following sections.

7.1.1  Access in the Signing-Domain's Administrative Unit

   Bad Actors may gain access using compromised accounts or systems
   within the Administrative Unit corresponding to the signing-domain.
   Although submission of messages generally occurs prior to the
   application of a message signature, DKIM could still be effective at
   isolating compromised accounts, and should be effective at isolating
   compromised message signing systems when each system utilizes
   specific keys.  Defense in such cases would be improved by monitoring
   for account abuse and system integrity, in addition to limiting
   access to local system services.

   DKIM can be effective at improving email security within the
   Administrative Unit, especially in the case where an Administrative
   Unit has systems coupled by the Internet.  DKIM signatures can
   validate legitimate externally-originated messages considered within
   the Administrative Unit.

7.1.2  Access in the Recipient's Administrative Unit

   Bad Actors may gain access using compromised systems within the
   Administrative Unit of the message recipient.  Since messages
   typically undergo DKIM verification one time within a possible
   successions of systems carrying messages to their destination within
   the Administrative Unit, DKIM may not detect invalid messages from
   compromised systems that are subsequent to the DKIM verification.
   Bad Actors may also masquerade as a system within the succession as
   another means of introducing invalid messages.  Defense in such cases
   would be improved by verifying DKIM at the last system in the
   succession, using authentication mechanisms like SMTP AUTH, by
   monitoring system integrity, in addition to limiting access to local
   system services.




Otis                     Expires April 27, 2006                [Page 10]

Internet-Draft             Email+DKIM threats               October 2005


7.2  Bad Actors with External Access

   DKIM focuses primarily on Bad Actors that do not have privileged
   access within the Administrative Units of the signer or the
   recipient.  Outside these Administrative Units, the trust
   relationships required for authenticated message submission do not
   exist and do not scale adequately to be practical.

   Bad Actors with only external access will usually attempt to exploit
   the open nature of email.  Most Administrative Units will accept
   messages with a valid email address for a local domain, often after
   investigating the reputation of the source IP address.  Bad Actors
   may generate messages without signatures and rely upon techniques
   that obfuscate their source IP address.

   When signing-domains accrue reputations serving as a basis for
   acceptance, Bad Actors may take advantage of registrars that protect
   the privacy of domain owners, or that do not verify the domain
   owner's identity in a reliable manner.  Bad Actors may then use these
   domains without an initial negative reputation to generate messages
   with valid signatures.  Bad Actors may send messages containing a
   diversity of email addresses to avoid filtering techniques.  Often
   this ploy by Bad Actors is attempted while posing as mailing lists,
   greeting cards, or other agents which legitimately send or re-send
   messages on behalf of others.

8.  Representative Bad Acts

   One of the most common bad acts attempted is the delivery of messages
   which obfuscate their true source within the network or associated
   domain.  The purpose of obfuscation might be to gain acceptance or to
   defraud the recipient.  The severity of this problem ranges from
   messages merely being unwanted, to defrauding the recipient or
   compromising their system with a payload of malware.

8.1  Use of Arbitrary Identities

   Arbitrary Identifiers typify those bad acts aimed at obfuscation to
   gain acceptance of messages.  Such methods use a wide range of
   techniques as previously described.

   DKIM may be effective for abating the misuse of a domain which
   asserts all messages are signed by the domain.  The effectiveness of
   DKIM at preventing domain misuse would depend upon the prevalence of
   recipients validating DKIM signatures and obtaining domain-wide
   assertions.  For cases where a domain is not being misused, or when
   signed by a domain controlled by Bad Actors, the recipient would then
   be reliant upon reputation or accreditation services for protection.



Otis                     Expires April 27, 2006                [Page 11]

Internet-Draft             Email+DKIM threats               October 2005


8.2  Use of Specific Identities

   A second major class of bad acts involves the assertion of specific
   identities in email.

8.2.1  Exploitation of Social Relationships

   One reason for falsifying an associated domain is to encourage a
   recipient to act on a particular email message that appears to be
   from an acquaintance or previous correspondent trusted by the
   recipient.  This tactic has been used by email-propagated malware
   which emails to addresses in the compromised system's address book.
   In this case, the sender's email address and related signatures may
   not have been falsified, so DKIM would not be directly effective in
   preventing this act, but could facilitate the isolation of the
   compromised system when an opaque-identifier has been included, see
   [I-D.otis-mass-reputation].  Using opaque-identifiers would allow
   rapid correlations of malware sources by third-parties monitoring for
   this type of threat.

   It is also possible for address books to be harvested and used by an
   attacker to send messages from elsewhere.  DKIM may be effective at
   mitigating these acts when the recipient verifies the DKIM signature
   and when the sending domains assert all messages are signed by the
   domain.  It is also possible for the recipient to retain a binding of
   the opaque-identifier with the signing-domain associated with the
   sender's email-address, see [I-D.otis-mass-reputation].

8.2.2  Identity-Related Fraud

   Bad acts related to email-based fraud often involve the transmission
   of messages misusing visible associated domains as part of the fraud
   scheme.  The misuse of a specific associated domain sometimes
   contributes to the success of the fraud by convincing the recipient
   that the message is valid.

   To the extent the success of the fraud is enhanced by the misuse of a
   specific visible associated domain, Bad Actors may have significant
   motivation and resources to circumvent measures that target specific
   headers for unauthorized use.  There could be exigent cases where a
   domain-wide assertion becomes beneficial if it prohibits the
   appearance of the domain in any originating header unless also signed
   by the domain.  This would be accomplished with a domain-wide
   assertion made by the signing-domain, similar to the assertion that
   all messages are signed by the domain, see [I-D.otis-mass-
   reputation].





Otis                     Expires April 27, 2006                [Page 12]

Internet-Draft             Email+DKIM threats               October 2005


8.2.3  Reputation Attacks

   Another motivation for using a specific associated domain in a
   message is to harm the reputation of the domain.  For example, a
   commercial entity might wish to harm the reputation of a competitor,
   perhaps by sending a copy of their competitor's signed promotion as
   unsolicited bulk email.  A reputation service would categorize abuse
   primarily by the recipient, and not the message content.  A
   reputation service would not be able to differentiate between valid
   and invalid uses of a signed message.

   While reputation services must accrue behaviors based upon verified
   identifiers, there must also be a means to mitigate ongoing abuse.
   Without a means to abate ongoing abuse, the reputation service, which
   must be responsive to the needs of their subscribers, would have
   little choice but to list the domain being attacked and expect them
   to undergo a rehabilitation process.  Rehabilitation may involve a
   demonstration of having a means to respond to abuse.  See the
   following section on Message Replay Attacks.

9.  Attacks on Message Signing

   Bad Actors can be expected to exploit all of the limitations of
   message authentication systems.  They are also likely to be motivated
   to degrade the usefulness of message authentication systems in order
   to hinder their deployment, when the systems prove effective.  Some
   categories of bad acts are described below.  Additional postulated
   attacks are described in the Security Considerations section of
   [I-D.allman-dkim-base].

9.1  DoS Attack

   Checking either the authorizations associated with a message
   signature or the verification of the signature will not afford any
   Denial of Service protections.  There are only two choices available
   where DoS protections are possible.  The DoS protections could be
   based upon the remote IP address or upon the verification of the EHLO
   name.  In the case of the EHLO name, the problem associated
   collateral blocking is overcome, and a subsequent reputation check on
   the signing-domain may be skipped when the EHLO name is within the
   signing-domain.

   If the strength of the EHLO is not considered adequate, it may be
   possible to added a signature, the last digit of the year, and the
   week number prefixed to the EHLO name delineated with an '_'.  The
   hash of the EHLO would could include a string that represents all but
   the lower three bits of the remote IP address.  After all, the EHLO
   is currently permitted to fail verification.



Otis                     Expires April 27, 2006                [Page 13]

Internet-Draft             Email+DKIM threats               October 2005


9.2  Invalid Signatures

   Messages with invalid signatures would be handled as messages without
   signatures.  Such messages would be handled in the normal fashion
   where the reputation of the remote IP address would be assessed.
   Rejections based upon the remote IP address often creates a problem
   when the address is being shared.  When a Bad Actor sharing the IP
   address sends abusive email, other entities may be collaterally
   blocked when a negative reputation is then applied.  Such blocking
   may encourage those that find themselves blocked to adopt message
   signing as an alternative basis for reputation assessment.

9.2.1  Canonicalization and Message Normalization

   Until signatures are known to be reliably valid throughout the email
   infrastructure, invalid signatures should be treated in the same
   manner as a message without a signature.  As with any message, these
   messages may be introduced by Bad Actors.  The intent may be to have
   the message appear as though it was legitimately sent, but "broken"
   in transit.  This should not affect how the message is handled, and
   the reputation of the remote IP address should still be assessed.

   To minimize the number of broken messages and thus improve the
   reliability of the message signature, message normalization is
   required to ensure line-lengths are compliant prior to signing.  The
   current simple canonization is rather fragile, whereas the relaxed
   canonicalization allows for several exploits.  On the DKIM list, Earl
   Hood has recommended what appears to be a suitable replacement for
   the no-white-space method.  This technique removes white-spaces
   preceding end-of-lines and streaming white-space at the beginning and
   end of the message body.

9.3  Body Length Parameter

   The Body Length parameter available as an option within DKIM must be
   used with great caution.  Recipients that find the message length has
   increased, should discard the portion of the message that prevents
   signature validation when included as signed content.  The concept
   behind this option was to accommodate the appending of information by
   providers or some list servers.  As this option can be easily
   exploited, especially through a list server, mandating the deletion
   of added information would be the only solution that prevents this
   option from inviting an abusive message replay problem.

9.4  Multiple Signatures

   The DKIM draft offers little guidance with respect to multiple
   signatures.  Multiple signatures, rather than offering greater



Otis                     Expires April 27, 2006                [Page 14]

Internet-Draft             Email+DKIM threats               October 2005


   information, may obfuscate the role played by the signer.  There have
   been suggestions that signatures be sequenced by way of a count
   added, or by their header order within the message.  Unfortunately
   these techniques do not clarify which signature is significant with
   respect to the initial signer.  Any miscreant could either rearrange
   signature headers, add sequence numbers that appear as if signatures
   have been dropped, or add several "throw-away" signatures where
   reputation accrual may be diffused.  Multiple signatures also provide
   plausible deny ability when a reputation service attempts to locate
   the accountable domain.  An association with an email-address may not
   clarify the role of the signer, as the signing may be done by domains
   that are independent of any message headers.  There should also be a
   limit with respect to the number of signatures allowed within a
   message, as each signature represents added message overhead.

   It may be advisable to have signature headers that clarify the role
   of the signer.  The current signature header could be considered the
   "Originating" signer.  A list server may add their signature as a
   "Remailing" signer.  The receiving domain within the recipient's
   Administrative Unit may wish to add their "Verifying" signature as
   verification that various checks have been completed.  Any previous
   signatures of the same role would be deleted and perhaps logged
   within the Received headers.  The "Verifying" signature should not be
   considered valid beyond the Administrative Unit.

   For additional protection against message replay attacks, a practice
   could be established that restricts these three roles to a single
   signature per message.  A Remailing signature may encompass the
   Originating signature.  A Verifying signature may encompass both the
   Originating signature and the Remailing signature.  When adding a
   signature that encompass previous signatures, the signature
   information associated the 'b=' tag with could be overwritten with
   "remailing-checked", "verifying-checked" or "invalid."  The typical
   recipient could rely upon the Verifying signature provided by the
   Administrative Unit at the MUA, but would not have access to
   signatures that could be used to stage a message replay attack.

   In a situation where message replay attacks become problematic for
   messages sent to a specific domain, the signing domain may wish to
   preclude sending signed messages to these domains.  The receiving
   domain may wish to prevent the possibility that any of their users
   could be capable of such an attack by obfuscating Originating and
   Remailing signatures and adding the Verifying signature.

9.5  Use of "throw-away" domains

   Bad Actors may also introduce messages with valid signatures from
   domains they control, perhaps "throw-away" domains registered under



Otis                     Expires April 27, 2006                [Page 15]

Internet-Draft             Email+DKIM threats               October 2005


   false pretenses or using registrars that protect the privacy of the
   domain owner.  In other words, the existence of a message signature
   does not imply the conduct of a signing-domains is trustworthy.  The
   already common use of such domains require domain-based accreditation
   or reputation systems.  A reputation service may not be able to
   differentiate between a new and a throw-away domain.  A Bad Actor
   could also acquire a domain previously used for legitimate purposes.
   Reputation services may extend the weighing of behaviors to include
   that of the registrar.  Current name based reputation systems are
   known as Right-Hand-Side reputation services.  Even without the use
   of a name-based reputation service, local reputation, mostly in the
   form of white-lists, can be maintained by domains to improve the
   deliverability of email from domains where existing relationships
   have been established.

   Accreditation and reputation, or even local white-lists, require a
   verifiable identity upon which to base the accrual of behaviors and
   possible feedback reports.  Message signing provides an identity
   which is intended to be sufficiently reliable for this purpose.  A
   verifiable identity is necessary for accreditation and reputation
   systems to operate, provided there is a means established to either
   prevent or abate message replay attacks.

   Providers operating shared email services, mailing lists, and other
   legitimate agents may commonly sign messages with headers containing
   differing domains.  This common practice offers valuable freedoms for
   typical users.  This practice may allow a Bad Actor to sign messages
   containing divergent domains and to also appear legitimate.
   Nevertheless, the assessments of the signing-domain should remain the
   primary factor when deciding whether to accept the messages.  When
   the signing-domain is provided by a registrar that ensures domain
   owner privacy and has not obtained a recent reputation, little
   confidence in the signing-domain can be obtained.  As with message
   replay abatement, such mysterious signing-domains may be given a
   Transient Negative Completion reply.  Over time, the signing-domain
   will become known, or the administrators of the signing-domain may
   contact the relevant reputation and accreditation services.

9.6  Message Replay Attack

   Attacks based upon abusive retransmission of an otherwise valid
   message is referred to in this document as a "message replay attack".
   DKIM is able to provide an option that offers a means to promptly
   abate this type of replay, while also identifying all culpable
   sources, see [I-D.otis-mass-reputation].  This could be accomplished
   using an opaque-identifier revocation mechanism that is checked when
   the message appears to be coming from a different domain, or when the
   recipient has changed.  Abusive replay abatement is essential for the



Otis                     Expires April 27, 2006                [Page 16]

Internet-Draft             Email+DKIM threats               October 2005


   protection of the signing-domain's reputation.

   Message replay must be allowed to occur, even at high levels.
   Legitimate replays may result when a message is distributed through a
   list server, for example.  As valid message replay is performed at
   systems unrelated to the signing-domain, this replay process must be
   monitored for abuse, and strategies will be needed to deter efforts
   attempting to elude an abatement process.  There are methods that can
   be used to mitigate the precautions needed to deal with a potential
   replay problem.  The EHLO verification, essential for name based DoS
   protections, could also mitigate replay abatement.  A signed hash of
   a salted [RFC2821] RCPT TO header could be another replay abatement
   mitigation strategy.

   Part of this mitigation strategy may involve delaying the complete
   processing of messages identified as having potential replay risk.
   This delay is needed to allow abuse-monitoring the requisite time to
   react, which could be done within minutes.  This processing delay may
   occur at the transmitter, or the receiver, or at a combination of
   both.  Transient Negative Completion replies indicating the request
   was aborted with an error in processing should cause the message to
   be held at the transmitter, see [RFC2821].  The receiver may opt to
   queue a limited number of messages identified as having a replay
   risk, and once that limit has been reached, a Transient Negative
   Completion reply is issued.  This mechanism could be further
   mitigated by white-lists of trusted message resenders, such as list
   servers.

   When a message appears to be coming from a different domain and has
   an invalid hash of the [RFC2821] RCPT TO, as yet another option,
   messages may be held within a queue for a brief period to allow time
   for an opaque-identifier revocation to occur, see [I-D.otis-mass-
   reputation].  While opaque-identifiers may normally reflect the
   account used to gain access, serializing the opaque-identifier per a
   recipient of bulk email may also isolate the culpable recipient.

   Revocation of keys would not be a practical solution, as this will
   likely impact the delivery of many unrelated messages and will not
   likely be as prompt.  However, revocation of the opaque-identifier
   could also act as acknowledgement to a reputation or accreditation
   service that the signing-domain has responded to the reported abuse.
   Even the listing of revocations could become a service by delegating
   the revocation zone.  Lengthy delays in responding would provide
   little protection against such acts and likely precipitate a negative
   reputation as well as increased abuse.

   Bad Actors may obtain a reply from an individual within a signing-
   domain that carries a copy of their desired content.  The reply may



Otis                     Expires April 27, 2006                [Page 17]

Internet-Draft             Email+DKIM threats               October 2005


   then be used to distribute the desired content in bulk where no
   account has been obtained from the signing domain.  The person
   replying may be unaware of the risk.  When Bad Actors obtain an
   account from a provider that offers services to the public, and they
   send a small number of messages with desired content to addresses
   controlled by Bad Actors, the activity of the account will appear
   normal, but messages obtained can be used for abusive replay.

   Some other suggestions to abate message replay abuse burden the
   recipient.  These suggestions are usually based upon content
   filtering of messages that have been signed.  Once an unwanted
   message is discovered through filtering, signature finger-prints may
   then be used to identify any replicate message.  There is no
   assurance Bad Actors will not limit the number of replicate messages
   sent to a specific domain.  In such a case, filters would not be
   greatly advantaged by the signature.  There is also a suggestion that
   the signature finger-print itself accrues a reputation.  It is then
   expected the recipient would obtain the services of a signature
   finger-print reputation service.  The amount of centralized data
   exchanged to support a signature finger-print reputation scheme would
   represent a significant increased burden for the recipient that would
   be difficult to scale for either the service or the recipient.

   Other suggestions attempt to burden the sender.  Some suggestions
   have the signing-domain employ outbound content filtering.  Although
   outbound filtering could be a reasonable practice, the effectiveness
   of filtering is never 100%.  Bad Actors attempting to accumulate
   signed messages sent to themselves would be advantaged by outbound
   filters.  Messages that manage to evade outbound filters are also
   likely to evade inbound filters employed in other domains.  Another
   strategy suggests to enforce greater accountability for accounts
   whose messages are to be signed by DKIM.  Even with exorbitant fines
   exacted and with extensive vetting processes, there remains the
   problem created by the millions of compromised systems.  The stricter
   policies would increase the harm created by the compromised systems.

   Perhaps the greatest suggested burden placed upon the sender is to
   register the paths for all their valid email.  An onerous enough task
   is made more difficult with the path registration being predicated
   upon an email-address domain within a specific header selected in a
   non-compliant fashion, and not the signature itself.  See the section
   on Sender Signing Policy below.  This mingling of mail-address domain
   paths with a signing-domain path is actually attempting to solve two
   different problems simultaneously.  Neither message replay abuse, nor
   the misuse of an email-address is effectively prevented.  For many
   years from now, there will be recipients that use forwarded accounts,
   or users wishing to send messages to simple exploding list servers.
   These uses, as well as hundreds of others, will create a multitude of



Otis                     Expires April 27, 2006                [Page 18]

Internet-Draft             Email+DKIM threats               October 2005


   exceptions that must be accommodated.  Each method of accommodation
   represents a means for exploitation.

10.  Threats to Delivery

   DKIM relies upon more of the network infrastructure.  Normal email
   exchanges depend upon the recipient's DNS to locate MTAs that accept
   delivery for the recipient.  DKIM adds reliance upon the signing-
   domain's DNS for distributing public-keys.  With DKIM's Sender
   Signing Policy (SSP) [I-D.allman-dkim-ssp], as currently defined,
   delivery also depends upon allowances made for "third-party" signers
   when the [RFC2822] Sender, Resent-From, or Resent-Sender headers are
   used by the signing-domain.  Such increased dependency, especially
   with respect to policy assertions, represents additional avenues for
   attack and will negatively impact many commonly used email services.

   While DNSSEC [RFC4033][RFC4034][RFC4035] offers protection from
   various attacks on DNS, its greater overhead may increase DKIM DoS
   vulnerabilities.  There could be increased susceptibility at the
   recipient's DNS resolver, especially when wildcard public-keys or
   policies have been published.  Synthetic labels may allow an attack
   with increased requisite interaction and caching prior to verifying
   the signature.

   An SSP policy which excludes third-party signing, and is the only
   mode that can repudiate Bad Actors, may cause messages to become lost
   when remailed, or mailed.  For example, such a policy could prevent
   messages containing an email-address in the [RFC2822] From header
   from surviving mailing lists that sign messages, or when sent as
   signed news articles or invitations.  Such a consequence will
   discourage the vital adoption of the only policy that affords
   protection from Bad Actors.

11.  Urgent Response to Threats for Consumer Protections

11.1  Restricted Two-Party Communication

   While "phishing" attacks may be creating an exigent situation
   requiring an urgent response, parsing a complex policy record for
   qualifiers and lists of authorized "third-party" signers is not
   something that can be incorporated quickly.  A simpler record is
   required to allow immediate incorporation into MTAs as a means to
   offer the most expedient response to this type of threat.  This
   lookup should be offered as a service by the industry to combat this
   specific threat.

   A Two-Party listing service should simply return a record to indicate
   the queried domain prohibits the use of this domain within any email



Otis                     Expires April 27, 2006                [Page 19]

Internet-Draft             Email+DKIM threats               October 2005


   parameter or header unless also signed by this domain.  This would
   limit the use of the listed domain to two-party exchanges.
   Exceptions for messages containing the prohibited domain would be
   made when the only recipient is the prohibited domain.

11.2  Unrestricted Multiple-Party Communication

   When multiple-party email exchanges are to be protected, an assertion
   that all emails are exclusively signed by the domain should be based
   upon the header specified by [RFC2822] as having introduced the
   message into the email transport system.  Compliance with [RFC2822]
   email transport introduction allows common services to be retained
   without specific white-listing.  No information has been lost with
   respect to the signing domain and the email-address contained within
   the From header.  The receiving domain may assess such messages
   according to the relationships indicated.  However, acceptance should
   be primarily based upon the reputation of the signing-domain.  Where
   it is absolutely critical that the From header for a specific domain
   be protected, the Two-Party listing service should be used.  By
   removing any disruption in services resulting from a domain signing
   all their messages and making assertions on that basis would allow
   immediate repudiation of Bad Actors.  The current SSP policy
   necessitates a disruption in some services in order to repudiate
   messages from Bad Actors.

   Authorizing third-party signing defeats protection from Bad Actors.
   SSP's use of the From header to designate which domain establishes
   signing policy is disruptive and limits the scope of messages that
   can be afforded protection.  Messages being remailed where they are
   signed and reintroduced into the email transport system following
   [RFC2822] conventions, may be designated by SSP policies as being
   signed by "third-party" domains.  Rather an adhering to [RFC2822]
   conventions for establishing the header having introduced the message
   into the transport, the often visible From header was used as a basis
   instead, while risking the loss of a substantial number of otherwise
   valid messages and limiting the adoption of a protective policy.

11.3  Opportunistic Protection without Domain-wide Policy Assertions

   SSP designating the From, or when multiple-addresses exist, the
   Sender header for establishing signing policy is primarily to abate
   attempts at falsifying the author's email-address when third-party
   signing is not permitted.  Such falsification is often the case in
   "phishing" attacks.  The success of such an effort remains doubtful
   as many MUAs display just the "pretty-name."  Policy based upon the
   visible header also does not deal with threats associated with
   domains that have a similar appearance and with MUAs susceptible to
   character-set attacks.



Otis                     Expires April 27, 2006                [Page 20]

Internet-Draft             Email+DKIM threats               October 2005


   Attempts to base policy on the [RFC2822] From header significantly
   decreases protections afforded by DKIM by imposing dire consequences
   when indicating emails are signed exclusively by the domain.  While
   white-lists of authorized third-party signers may mitigate some
   unintended message loss, such an authorization strategy burdens the
   recipient, is expensive to maintain, and is not practical.

   DKIM can offer significant protection for multiple-party email
   commutations without the separate publication of signing policy.
   There is an alternative method that can be used to extend protection
   to recipient.  This strategy would take advantage of the situation
   that protection is often desired for prior correspondents.  With the
   messages being signed, the message itself offers a secure means to
   communicate what elements within the message can be relied upon to
   uniquely identify the message's author.

   For domains that assure those granted access are limited to specific
   email-addresses, any email-address from this domain can then be used
   to uniquely identify the author.  Domains that do not limit the
   email-address can alternatively offer an opaque-identifier within the
   signature to uniquely identify the account used to gain access.  The
   recipient could request that bindings of the requisite identifiers be
   saved.  With these bindings saved, the recipient can then be alerted
   when these identifiers have changed in subsequent messages.  In some
   cases, it would be possible to automatically retain the bindings at
   the MTA rather than just the MUA.

   By retaining binding for those specific email-addresses considered
   important to the recipient, greater analysis can occur to defeat
   "pretty-name", character-set, and domain look-alike attacks.  When an
   identifier appeared to have changed, the recipient should be shown
   the email-address and other identifiers using a consistent character-
   set and asked if the information should replace or be merged with
   current bindings, or perhaps be ignored, or flagged as a spoofing
   attempt.

12.  Sender Signing Policy

   DKIM Sender Signing Policy (SSP) [I-D.allman-dkim-ssp] attempts to
   introduce several constraints on an email-addresses found in one of
   two headers in conjunction with DKIM signatures.  These constraints
   may indicate that a signature is required either of some third-party
   domain, or of a first-party domain, or no signature is required at
   all.  The SSP also introduces a constraint placed upon the [RFC2822]
   From header that may be conditionally relegated to the Sender header
   when there are multiple email-addresses within the From header.
   Conditionally relegating the From to the Sender header may confuse
   recipients for two reasons.  The Sender header may be indicated by



Otis                     Expires April 27, 2006                [Page 21]

Internet-Draft             Email+DKIM threats               October 2005


   some MUAs as being the significant email addresses.  It also may not
   be obvious to the recipient when there are multiple email-addresses
   within the From header.

   It is also not clear how a third-party signature should be handled in
   the case where there are multiple signatures added to the message.
   Should a message that has a first-party signature and a policy that
   third-party signatures are prohibited, then cause a message to be
   rejected when a signature is added by a third-party?  What happens
   when the first-party signature has expired, but the third-party
   signature is still valid?

   Unless the domain-wide assertion that all emails are signed follows
   normal email conventions with respect to which header introduced the
   message into the email transport system, there will be messages that
   are not be protected by the SSP From/Sender assertion.  This failure
   to provide full protection in such cases was created by a desire to
   ensure the significant header related to policy is always visible.
   Nevertheless, to establish protections without disrupting email
   services, it would be beneficial to have an Introduction assertion.
   With an Introduction assertion, all messages that would normally be
   considered to have been introduced by a domain using [RFC2822]
   definitions would be assured protection.  This approach would suffer
   from far fewer policy conflicts by other domains and provide much
   greater delivery integrity.

   The SSP strategy also fails to consider there are other methods that
   may be used to qualify email and assumes the From/Sender headers are
   always significant.  An MUA that uses SPF Classic may indicate a
   message has been qualified based upon the [RFC2821] MAILFROM, but
   this parameter is not checked against the DKIM signing-domain, and
   yet the recipient may see a message as verified as a result of the
   MAILFROM.

   Once normal email conventions are allowed, a new assertion is
   required to protect those domains that have become "phishing"
   targets.  This new assertion would prohibit other domains the use
   parameters and headers that could contain an email-address considered
   to have introduced the message.  It would cover the MAILFROM, From,
   Sender, Reply-To, and corresponding Resent-* headers.  Such a domain-
   wide assertion would curtail exploits still possible with an SSP
   policy that erroneously assumes what the recipient considers
   significant.

   Using non-compliant conventions with respect to the significant
   header also disrupts normal email practices.  A domain making a
   domain-wide assertion that all messages are signed may be unable
   receive protection for some of their messages, and may find that some



Otis                     Expires April 27, 2006                [Page 22]

Internet-Draft             Email+DKIM threats               October 2005


   of their messages have been subsequently prohibited by other domains.
   Even appending a Sender or Resent-* header will not offer a solution,
   as the From header may retrain significance.

   Attempting to bind specific headers to a signing-domain has an
   unfortunate consequence that some mechanisms may unfairly extend
   accountability to the email-address.  Any authorization of third-
   party signers with respect to a specific header's email-address is
   highly problematic.  This authorization is likely to be assumed as
   having authenticated the email-address causing unfair reputation
   accrual.  The SSP mechanism may also require an extensive number of
   lookups.  This mechanism will require lookups walking up the label
   tree, to qualify the local-part of an email address, and, with a
   pending proposal, to also authorize specific third-party signers.

13.  IANA Considerations

   This document defines no items requiring IANA assignment.

14.  Security Considerations

   This document describes the security threat environment in which
   DomainKeys Identified Mail (DKIM) is expected to provide some
   benefit.

15.  References

15.1  Normative References

   [RFC2821]  Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
              April 2001.

   [RFC2822]  Resnick, P., "Internet Message Format", RFC 2822,
              April 2001.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, March 2005.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for the DNS Security Extensions",
              RFC 4034, March 2005.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, March 2005.





Otis                     Expires April 27, 2006                [Page 23]

Internet-Draft             Email+DKIM threats               October 2005


15.2  Informative References

   [I-D.allman-dkim-base]
              Allman, E., "DomainKeys Identified Mail (DKIM)",
              draft-allman-dkim-base-01 (work in progress),
              October 2005.

   [I-D.allman-dkim-ssp]
              Allman, E., "DKIM Sender Signing Policy",
              draft-allman-dkim-ssp-01 (work in progress), October 2005.

   [I-D.crocker-csv-csa]
              Crocker, D., "Client SMTP Authorization (CSA)",
              draft-crocker-csv-csa-00 (work in progress), October 2005.

   [I-D.crocker-csv-intro]
              Crocker, D., Otis, D., and J. Leslie, "Certified Server
              Validation (CSV)", October 2005.

   [I-D.crocker-email-arch]
              Crocker, D., "Internet Mail Architecture",
              draft-crocker-email-arch-04 (work in progress),
              March 2005.

   [I-D.otis-mass-reputation]
              Otis, D., "MASS impacts upon reputation",
              draft-otis-mass-reputation-03 (work in progress),
              September 2005.


Author's Address

   Douglas Otis
   Trend Micro, NSSG
   1737 North First Street, Suite 680
   San Jose, CA  95112
   USA

   Phone: +1.408.453.6277
   Email: doug_otis@trendmicro.com











Otis                     Expires April 27, 2006                [Page 24]

Internet-Draft             Email+DKIM threats               October 2005


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




Otis                     Expires April 27, 2006                [Page 25]