|Main||Open Source Silly Season||In Other News||Security Roundup||Tips of the Trade|
Does Unix MTA mainstay sendmail carry enough weight to make DomainKeys a viable standard for catching domain-spoofing spammers? If WebDAV is part of your production environment, cadaver provides a way to get at those shares with command line comfort.
Yahoo! put a new arrow in the quivers of anti-spam admins everywhere this week when it submitted a draft of its proposed DomainKeys specification to the Internet Engineering Task Force (IETF).
DomainKeys offers a way to force spammers who forge domain names to expose themselves as rogues by forcing their mail servers to prove they are whom they claim to be. It does this by signing each piece of mail that leaves the server with a unique cryptographic key. DomainKeys will be largely transparent to end users; it simply pays attention to the “From” field in a mail message so slimy phishers can’t scam end users out of their credit card numbers.
Unix MTA mainstay sendmail is also in its corner. While this granddaddy of MTAs loses a bit of ground each year, it is still considered a venerable market leader. Another egg in DomainKeys’ basket is a project is already under way that will allow any MTA or MUA developer a chance to support DomainKeys.
There is a competitor of sorts to Yahoo!’s initiative: the Sender Policy Framework (SPF). SPF has the advantage of fitting neatly into the existing DNS framework and claims several thousand conformant hosts already. And, to add to its appeal, it isn’t under the shadow of potential royalties or other patent-related snags. Further, processing SPF-authenticated mail is less computationally taxing. DomainKeys requires each message be signed, then authenticated on the receiving end. Some people maintain that a “processor tax” might be a good thing, if it makes mass mailing less computationally cheap. That, however, begs the question of why we should be penalizing legitimate bulk mailers (e.g., mailing lists, opt-in mailings, and newsletters) with a processor tax when they haven’t done anything wrong.
The disadvantage of SPF is that it breaks forwarding unless another layer is added to it. Even then, admins in the field report problems with forwarding through multiple relays. Additionally, although concerns about patents and royalties are well-founded (and the cause of occasional and bloody campaigns in standards bodies), Yahoo! has agreed to play nice by granting a royalty-free, nonexclusive license to anyone who wants to implement DomainKeys.
So what do we do?
Right now, it doesn’t matter because Yahoo!’s draft submittal is a first step in what will hopefully be a contentious and vigorous competition between these two approaches. There’s no reason they can’t be used in tandem as a way to erect a no-man’s land against which even the most craftily concocted phishing scam or herbal viagra come-on will founder. In the meantime, we’ll go back to our Bayesian filters, user education, and other anti-spam tricks, glad at least that a protocol crafted in more innocent times is finally getting the attention it needs to deal with a much more disagreeable ‘net.
We can always tell it’s a slow week when something SCO’s done earns a thoughtful and appreciative nod (the company released a product … that you can use … to do things), and we get more than a paragraph or two into stuff from the advocacy press.
So what was silly this week?
Mainly a press release from Australia titled “Open Source Users Unaffected by Sasser Worm — The Internet Keeps Going Despite Flawed Proprietary Software.”
“The ‘Sasser’ worm,” crows the release, “is … one in a long line that exploits well-documented vulnerabilities or design flaws within Windows and its apps. Other operating systems such as Linux, Unix, and Mac OS X do not experience this constant series of security problems.”
Why don’t they?
Well, the press release doesn’t go into that, except to note that some of them are open source (except when, as with OS X, they aren’t, exactly).
It is to laugh. Rather, it would be to laugh if it were not to cry. Part of our job at the Roundup is to look out for security updates in the Unix world, Linux included. Suffice to say, we see more than our share of bugs tagged “remote exploit,” “privilege escalation,” and “root vulnerability.” You don’t have to count many to realize that reductionism to “open source good, Windows bad” is a hopelessly blinkered way to look at the world. Linux advocates would do well to save the energy spent crowing for tending their systems.
We’re well aware of our tendency to go on about the whole “don’t get cocky just because Windows gets all the malware attention,” but that’s only because pride has a nasty habit of going before the fall. Much of the credibility open source developers have earned during the past few years could be easily undone by the wrong exploit at the wrong time.