[conspire] Case study in modern forgery of SMTP headers

Rick Moen rick at linuxmafia.com
Fri Nov 6 18:35:00 PST 2015


----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Fri, 6 Nov 2015 18:33:58 -0800
From: Rick Moen <rick at linuxmafia.com>
To: Michael Siladi <msiladi at ix.netcom.com>
Cc: Geo Mealer <geo at snarksoft.com>
Subject: Re: [Basfa] Fw: new message
Organization: If you lived here, you'd be $HOME already.

Michael --

This will probably be a too-much-information exercise.  Apologies in
advance.

Short version:  Netcom _does_ include in all authentic outgoing Netcom
mail a variant form of DKIM information, usable to authenticate the
sender.  (It does not include SPF data.)


Long version:  To recap, starting in 1997, believable SMTP forgery has been
a big problem.  The first proposed solution, SPF, arrived in 2003.  A competing
solution, DKIM, emerged from Yahoo in 2004, where at first it was called
DomainKeys.  DomainKeys was obsoleted by DKIM (DomainKeys Identified Mail)
in 2007, but is still in use in some places.

Netcom publishes DomainKeys data in your (and other Netcom users') mail
headers.


Here is the relevant header from one of your mails:

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=dk20050327; d=ix.netcom.com;
        b=oLbGKWWw3ykemWcqQifzUoMnhSTQGr+dFk+wHLhLhqNS99UmamopQ9GZQSO1Xv5;
h=Received:Subject:To:References:From:Message-ID:Date:User-Agent:MIME-Version:In-Reply-To:Content-Type:Content-Transfer-Encoding:X-ELNK-Trace:X-Originating-IP;

I looked up the now-abandoned standards document for DomainKeys.  It's
here:  http://www.ietf.org/rfc/rfc4870.txt
It says (among much else) that you construct the DNS entity to query by 
prepending the 's=' string in the SMTP header (above) to subdomain
_domainkey followed by the domain name.  So, in this case, you ask about
dk20050327._domainkey.netcom.com .  Like this:

$ dig -t txt dk20050327._domainkey.netcom.com +short
"g=\; k=rsa\; t=y\; p=MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxALigv1kAvfPxsUFY5vobiVUevCAK7qzzBDTzl+iYq0XPFxIkMQFhQuwh6GNpVPRROwIDAQAB"
$

The 'p=' data is an RSA-type cryptographic public key usable for
authenticating the SMTP sender.  This would be done (if it is done) by
the receiving mail software.


I neglected to provide this information before because I had not paid
much attention to DKIM and its obsolete DomainKeys predecessor.  But 
I should have.

----- End forwarded message -----
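An added example, not part of Rick's message and not Netcom's or any mail
software's own verifier code, that carries out the steps the message describes
in Python: it parses the DomainKey-Signature header quoted above, builds the
selector record name from the s= and d= tags the way RFC 4870 specifies
(selector, then _domainkey, then the d= domain, which in this header is
ix.netcom.com), parses the tag=value TXT record that dig returned, and decodes
the p= value (a base64 DER SubjectPublicKeyInfo) far enough to report the RSA
modulus size and public exponent.  The header text and the TXT string are
copied verbatim from the message as constructed inputs; no DNS query is made,
so the block runs offline, and no signature check is attempted, since that
needs the canonicalized message the b= value was computed over.

```python
import base64
import re

# Constructed inputs: the DomainKey-Signature header and the dig TXT output
# quoted in the message above, copied verbatim.
DK_HEADER = (
    "DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;\n"
    "        s=dk20050327; d=ix.netcom.com;\n"
    "        b=oLbGKWWw3ykemWcqQifzUoMnhSTQGr+dFk+wHLhLhqNS99UmamopQ9GZQSO1Xv5;\n"
    "h=Received:Subject:To:References:From:Message-ID:Date:User-Agent:MIME-Version:"
    "In-Reply-To:Content-Type:Content-Transfer-Encoding:X-ELNK-Trace:X-Originating-IP;\n"
)
DIG_TXT = '"g=\\; k=rsa\\; t=y\\; p=MEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxALigv1kAvfPxsUFY5vobiVUevCAK7qzzBDTzl+iYq0XPFxIkMQFhQuwh6GNpVPRROwIDAQAB"'

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def parse_tags(text):
    """Parse an RFC 4870 'tag=value; tag=value' list into a dict.

    Folded header continuation lines are unfolded and dig's backslash-escaped
    semicolons are unescaped before splitting."""
    text = re.sub(r"\r?\n[ \t]+", " ", text).replace("\\;", ";")
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def parse_domainkey_header(header):
    name, _, value = header.partition(":")   # first colon only: h= contains colons
    if name.strip().lower() != "domainkey-signature":
        raise ValueError("not a DomainKey-Signature header")
    return parse_tags(value)


def selector_record_name(tags):
    """RFC 4870: the public key lives at <selector>._domainkey.<d= domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def parse_txt_record(dig_output):
    """Join dig's quoted character-strings and parse the tag list inside."""
    pieces = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_output)
    return parse_tags("".join(pieces))


def der_read(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key(p_b64):
    """Decode a p= value (base64 DER SubjectPublicKeyInfo) into (n, e)."""
    spki = base64.b64decode(p_b64)
    tag, body, _ = der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = der_read(body, 0)       # AlgorithmIdentifier
    oid_tag, oid, _ = der_read(alg, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("key is not rsaEncryption")
    tag, bits, _ = der_read(body, pos)      # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected BIT STRING")
    _, rsapub, _ = der_read(bits, 1)        # RSAPublicKey ::= SEQUENCE { n, e }
    _, n_bytes, pos = der_read(rsapub, 0)
    _, e_bytes, _ = der_read(rsapub, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def inspect_domainkeys(header, dig_output):
    """Tie the steps together: header -> DNS name; TXT record -> key facts."""
    hdr = parse_domainkey_header(header)
    rec = parse_txt_record(dig_output)
    n, e = rsa_public_key(rec["p"])
    return {
        "selector": hdr["s"],
        "signing_domain": hdr["d"],
        "query_name": selector_record_name(hdr),
        "algorithm": hdr.get("a"),
        "canonicalization": hdr.get("c"),
        "signed_headers": hdr["h"].split(":"),
        "key_type": rec.get("k", "rsa"),
        "testing_mode": rec.get("t") == "y",
        "modulus_bits": n.bit_length(),
        "public_exponent": e,
    }


if __name__ == "__main__":
    for k, v in inspect_domainkeys(DK_HEADER, DIG_TXT).items():
        print(f"{k:18} {v}")
```

Run on the data above it reports query name dk20050327._domainkey.ix.netcom.com,
key type rsa, testing mode on (t=y, which RFC 4870 defines as a domain still
testing DomainKeys, with unverified mail not to be treated differently from
verified mail), and a 384-bit modulus with e=65537.  That modulus size is the
thing a practitioner would want to notice: RFC 6376, the current DKIM spec,
requires signers to use keys of at least 1024 bits, and 512-bit RSA moduli have
been factored publicly since 1999, so a 384-bit key binds a message to the
domain only against an adversary who does not bother to factor it.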
