[170807] in North American Network Operators' Group
Re: hack #2 for Yahoo DMARC breakage
daemon@ATHENA.MIT.EDU (John R. Levine)
Wed Apr 9 18:37:50 2014
Date: 9 Apr 2014 16:37:18 -0600
From: "John R. Levine" <johnl@iecc.com>
To: "Ted Hatfield" <ted@io-tx.com>
In-Reply-To: <alpine.BSF.2.00.1404091627570.60827@io-tx.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
--3825401791-1765549843-1397083040=:2293
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
> 2: introduce an "Original Authentication Results" header to indicate
> you have performed the authentication and you are validating it
This was someone's hack that doesn't work. The idea is that you make an
RFC5451 Authentication-Results header for the incoming message, change the
name to original-authentication-results to circumvent some MTAs that strip
incoming A-R headers, and send it as part of the signed outgoing message.
The reason it doesn't work is that spammers can add fake o-a-r headers as
easily as lists can add real ones, so you need to make a whitelist of well
behaved senders who don't send faked mail so you know whether to believe
them. But once you have the whitelist of well behaved senders, you can
skip the o-a-r stuff and just deliver the mail.
I gather somewhere there is a private non-standard bilateral
implementation of this, but it still seems like an awfully complicated way
to do your spam filtering.
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly
--3825401791-1765549843-1397083040=:2293
Content-Type: APPLICATION/pkcs7-signature; name=smime.p7s
Content-Transfer-Encoding: BASE64
Content-Description: S/MIME Cryptographic Signature
Content-Disposition: attachment; filename=smime.p7s
MIIJBgYJKoZIhvcNAQcCoIII9zCCCPMCAQExCzAJBgUrDgMCGgUAMAsGCSqG
SIb3DQEHAaCCBjcwggYzMIIFG6ADAgECAgMHCsYwDQYJKoZIhvcNAQEFBQAw
gYwxCzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYD
VQQLEyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYD
VQQDEy9TdGFydENvbSBDbGFzcyAxIFByaW1hcnkgSW50ZXJtZWRpYXRlIENs
aWVudCBDQTAeFw0xMzA3MTQwMzI4MjRaFw0xNDA3MTUwMTMzNDlaMFMxGTAX
BgNVBA0TEFBXY1lTWGN0Z0pVMTlaWTkxFzAVBgNVBAMMDmpvaG5sQGllY2Mu
Y29tMR0wGwYJKoZIhvcNAQkBFg5qb2hubEBpZWNjLmNvbTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBALu27esh7DFfXV+FqyWcPE3tUV+mvwqW
C3VQk/LONISr7XbTjUIwiRpfia5MqcVY93a2MMAnEVqA7Tkt7pQ6AjVi5w6K
fq5VlDN93bntAGjlfS7un5qiNPUKq6oCJ4BMikLbhMcX3Te/rob//SlOZ/jW
DLd6yatuoAA4EYZ8yYClD50/XzKfPrDhQ3l8rOkkqJiY+il0xnkI3OcBKEys
5QaNgAuhY2svn/7uVhC/yRj79iieLQ2pYLUlcqdwbkkHxVlP6sCg/pHfv76A
nCFylpwpkcND0z9Fzv/4vdcVaopj4F/xa171sE3DHzxOiKYfPX+1XJMjideZ
HsowUy1Du8kCAwEAAaOCAtQwggLQMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSw
MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDBDAdBgNVHQ4EFgQU065z
ZQKhcJYDiNkhDu6ej3TxRwgwHwYDVR0jBBgwFoAUU3Ltkpzg2ssBXHx+ljVO
8tS4UYIwGQYDVR0RBBIwEIEOam9obmxAaWVjYy5jb20wggFMBgNVHSAEggFD
MIIBPzCCATsGCysGAQQBgbU3AQIDMIIBKjAuBggrBgEFBQcCARYiaHR0cDov
L3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjCB9wYIKwYBBQUHAgIwgeow
JxYgU3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwAwIBARqBvlRo
aXMgY2VydGlmaWNhdGUgd2FzIGlzc3VlZCBhY2NvcmRpbmcgdG8gdGhlIENs
YXNzIDEgVmFsaWRhdGlvbiByZXF1aXJlbWVudHMgb2YgdGhlIFN0YXJ0Q29t
IENBIHBvbGljeSwgcmVsaWFuY2Ugb25seSBmb3IgdGhlIGludGVuZGVkIHB1
cnBvc2UgaW4gY29tcGxpYW5jZSBvZiB0aGUgcmVseWluZyBwYXJ0eSBvYmxp
Z2F0aW9ucy4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5zdGFydHNz
bC5jb20vY3J0dTEtY3JsLmNybDCBjgYIKwYBBQUHAQEEgYEwfzA5BggrBgEF
BQcwAYYtaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL3N1Yi9jbGFzczEvY2xp
ZW50L2NhMEIGCCsGAQUFBzAChjZodHRwOi8vYWlhLnN0YXJ0c3NsLmNvbS9j
ZXJ0cy9zdWIuY2xhc3MxLmNsaWVudC5jYS5jcnQwIwYDVR0SBBwwGoYYaHR0
cDovL3d3dy5zdGFydHNzbC5jb20vMA0GCSqGSIb3DQEBBQUAA4IBAQAhGl57
1CTIxVCGhIyCPd/NouWlaMB4BATsPRCJZSyvx+wT/mRFdz3SeGjMocefbm+B
KyGEZD/VNJEDNrxqtwpKa1vhmTJBkhbiUjM+sCMuRBuCxRZkdEOWygY5gSQr
FC5oqx2ZxvzQhY7xjge0G36dEEp2yerEzGn87UqHia8r5ba+3j5GifKbqcEP
kGDvEe6pwnkIY5NT/Ukf0WuQ8rHuD5hXcKa5GoAep0+STcyZHjt0YEzFobRp
gPAIHaru48qCY8GwhWK/PKrBjjoPo8v4WfZuxJEKkRkPs305bolWP0AET7MU
6iTK0Aljt2b9FksEkYvWxTdI3xAu24PjF4oeMYIClzCCApMCAQEwgZQwgYwx
CzAJBgNVBAYTAklMMRYwFAYDVQQKEw1TdGFydENvbSBMdGQuMSswKQYDVQQL
EyJTZWN1cmUgRGlnaXRhbCBDZXJ0aWZpY2F0ZSBTaWduaW5nMTgwNgYDVQQD
Ey9TdGFydENvbSBDbGFzcyAxIFByaW1hcnkgSW50ZXJtZWRpYXRlIENsaWVu
dCBDQQIDBwrGMAkGBSsOAwIaBQCggdgwGAYJKoZIhvcNAQkDMQsGCSqGSIb3
DQEHATAcBgkqhkiG9w0BCQUxDxcNMTQwNDA5MjIzNzE5WjAjBgkqhkiG9w0B
CQQxFgQUXmp5e46BZ4TRUwb6IYyECtzFtjEweQYJKoZIhvcNAQkPMWwwajAL
BglghkgBZQMEASowCwYJYIZIAWUDBAEWMAsGCWCGSAFlAwQBAjAKBggqhkiG
9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcw
DQYIKoZIhvcNAwICASgwDQYJKoZIhvcNAQEBBQAEggEAflP+FKSeYYpd7VYu
4nozsUAPiXBCA0E+OFF8Z3jyYu1rhG/qJM0cBs1+zbmXKL9+HPHaF9YEvxzK
e+veWXuA3F/+vbzq3G8N8QMG058Na2EMh8bn/7rk7eRfK2vCbT6ibap9wTnC
PqUSkWL42uo0NPyRe9ClOhCFfjwseftvCena1R13ZkTCDHoA8OONsSXu72bB
S7vRwDblVXKbql5gsPD3WqbwSCZzHHjnZxE7LXnClsBo4+T6z29BaMrr2IIx
rmTip8uD4bFgunGVfoOdCkBTgwe7XpTIKxbdTYvLstZtSO6n7dVDZfjUhjYd
2K/S3ODOOXMlmfokKhLVryYgdg==
--3825401791-1765549843-1397083040=:2293--
