Brian Candler
2005-03-26 10:41:11 UTC
Just one other thought for now.
In IM2000, when you receive an incoming message notification in your MUA, it
shows a tuple of <user ID, message store ID, notification source address>:
e.g. at
http://homepages.tesco.net./~J.deBoynePollard/Proposals/IM2000/CaseStudies/lucy-reading.html
we have an incoming notification that says
from toby on example.net. says 192.0.2.2
^^^^ ^^^^^^^^^^^^ ^^^^^^^^^
The tuple <toby, example.net> is what people are likely to associate as an
"E-mail address", even though the new architecture specifically divorces
sender message store accounts from E-mail addresses for receiving mail.
There is also the likelihood that operators of VISP services will include
domains within message store user IDs. e.g.
from ***@smallbusiness.com on smallbusiness.com says 192.0.2.2
^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^
(where 'smallbusiness.com' has SRV records pointing to example.net's message
store); or else
from ***@smallbusiness.com on example.net says 192.0.2.2
^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^
Putting the mailbox ID in that form is attractive because it gives a
separate user ID namespace for each virtual domain. I think it's almost
certain that this practice would occur, but then I think the typical
end-user is unlikely to be able to interpret this information in a way to
avoid phishing attacks, especially given that receipt notifications can
identify the message store by IP address:port and not by domain. For
example:
from ***@paypal.com on spammerdomain.com says 64.202.167.129
or worse,
from ***@paypal.com on [64.202.167.129:1234] says 64.202.167.129
I wonder here if we are actually doing a *disservice* to most users by
presenting the information in this way. That information is hardly any
better than what we have now, which is a combination of
Return-Path:<***@paypal.com> and Received: from 64.202.167.129
One alternative I thought of was to present instead a *hash* of the user ID
and message store ID, and call it a "sender fingerprint":
from unknown [f8:1e:26:80:96:c9:54:e4:60:8f:32:bd:78:ee:5d:53] says 192.0.2.2
(that's an MD5 hash of "***@smallbusiness.com\0example.net")
Once you've received a particular message and believe it's genuine, e.g. by
successfully sending a reply, you could tell your MUA to remember the
fingerprint and associate it with an identity (e.g. the address you replied
to) and display that instead in future. These fingerprints could be included
on business cards, letterheads etc.
Such fingerprints might also be useful for blacklist lookups, where existing
RBL mechanisms don't easily support a lookup of these tuples, and might help
some privacy concerns when looking them up.
The other alternative I thought of was to publish, in the DNS, bindings
between E-mail addresses and sender accounts. For example, if you receive a
mail purporting to be From: ***@pobox.com, you would do a lookup on
b.candler._at.pobox.com
and find a list of <message store, account ID> tuples that I use to send
mail. If you find a list but the originating message store account isn't
among them, then you know the message is forged.
Unfortunately, you won't know this until you've downloaded at least the
headers of the message from the sender's message store, which gives
information to spammers about your account[1]
Also, either mechanism needs to go in at day one, if im2000 is going to
benefit from it. Otherwise, a completely separate way of validating message
senders, such as DomainKeys, is going to be essential.
Regards,
Brian.
[1] In which case, it might be better to include the purported sender in the
notification message; or else to make message store IDs officially look like
E-mail addresses and always be bound to <message store, account ID> via the
DNS.
At the end of the day, the user is not interested in "which message store
did this message originate from", but
- did this originate from someone I already know (if so who?); and/or
- if I send a reply to this message, will it go to the same person?
In IM2000, when you receive an incoming message notification in your MUA, it
shows a tuple of <user ID, message store ID, notification source address>:
e.g. at
http://homepages.tesco.net./~J.deBoynePollard/Proposals/IM2000/CaseStudies/lucy-reading.html
we have an incoming notification that says
from toby on example.net. says 192.0.2.2
^^^^ ^^^^^^^^^^^^ ^^^^^^^^^
The tuple <toby, example.net> is what people are likely to associate as an
"E-mail address", even though the new architecture specifically divorces
sender message store accounts from E-mail addresses for receiving mail.
There is also the likelihood that operators of VISP services will include
domains within message store user IDs. e.g.
from ***@smallbusiness.com on smallbusiness.com says 192.0.2.2
^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^
(where 'smallbusiness.com' has SRV records pointing to example.net's message
store); or else
from ***@smallbusiness.com on example.net says 192.0.2.2
^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^
Putting the mailbox ID in that form is attractive because it gives a
separate user ID namespace for each virtual domain. I think it's almost
certain that this practice would occur, but then I think the typical
end-user is unlikely to be able to interpret this information in a way to
avoid phishing attacks, especially given that receipt notifications can
identify the message store by IP address:port and not by domain. For
example:
from ***@paypal.com on spammerdomain.com says 64.202.167.129
or worse,
from ***@paypal.com on [64.202.167.129:1234] says 64.202.167.129
I wonder here if we are actually doing a *disservice* to most users by
presenting the information in this way. That information is hardly any
better than what we have now, which is a combination of
Return-Path:<***@paypal.com> and Received: from 64.202.167.129
One alternative I thought of was to present instead a *hash* of the user ID
and message store ID, and call it a "sender fingerprint":
from unknown [f8:1e:26:80:96:c9:54:e4:60:8f:32:bd:78:ee:5d:53] says 192.0.2.2
(that's an MD5 hash of "***@smallbusiness.com\0example.net")
Once you've received a particular message and believe it's genuine, e.g. by
successfully sending a reply, you could tell your MUA to remember the
fingerprint and associate it with an identity (e.g. the address you replied
to) and display that instead in future. These fingerprints could be included
on business cards, letterheads etc.
Such fingerprints might also be useful for blacklist lookups, where existing
RBL mechanisms don't easily support a lookup of these tuples, and might help
some privacy concerns when looking them up.
The other alternative I thought of was to publish, in the DNS, bindings
between E-mail addresses and sender accounts. For example, if you receive a
mail purporting to be From: ***@pobox.com, you would do a lookup on
b.candler._at.pobox.com
and find a list of <message store, account ID> tuples that I use to send
mail. If you find a list but the originating message store account isn't
among them, then you know the message is forged.
Unfortunately, you won't know this until you've downloaded at least the
headers of the message from the sender's message store, which gives
information to spammers about your account[1]
Also, either mechanism needs to go in at day one, if im2000 is going to
benefit from it. Otherwise, a completely separate way of validating message
senders, such as DomainKeys, is going to be essential.
Regards,
Brian.
[1] In which case, it might be better to include the purported sender in the
notification message; or else to make message store IDs officially look like
E-mail addresses and always be bound to <message store, account ID> via the
DNS.
At the end of the day, the user is not interested in "which message store
did this message originate from", but
- did this originate from someone I already know (if so who?); and/or
- if I send a reply to this message, will it go to the same person?