Internet and e-mail policy and practice
including Notes on Internet E-mail



16 Jul 2014

The mail forwarding threat model

The recent DMARC kerfuffle has brought new attention to mail forwarders that send mail on behalf of other people. We've been giving a lot of thought to ways to tell nice forwarders from nasty ones, so that mail systems can deliver mail from the nice ones and filter the nasty ones. It occurs to me that there are several scenarios for the way that forwarders work, so I've collected them in a little chart.

We assume that forwarders can sign the mail they send, so there's no problem telling that mail from the forwarder really came from them. We also crudely divide agents into Good ones that send mail that the recipients generally want, and Bad ones that send mail that the recipients don't want.

Each row of the table starts with three letters. They mean:

  • G or B, the forwarder is Good or Bad
  • A or U, the original message was Authenticated or Unauthenticated before it was forwarded. Note that Unauthenticated doesn't mean "forged", since there are many ways a user can send mail that is legitimate yet isn't authenticated.
  • G or B, the original sender was Good or Bad

Type  Example
GAG   Subscriber sending mail through a mailing list
GUG   Newspaper forward-an-article, or ESP mailing for a customer who can't provide a signing key.
GAB   Compromised subscriber sending mail through a mailing list, or spammer sends to list that doesn't limit mail to subscribers
GUB   Spammer who's stolen a user's address book sending mail to a list to which the victim subscribes
BAG   Formerly legit list goes rogue (never seen it)
BUG   Spammer sending modified copies of mail scraped from an archive
BAB   Compromised user sending through malicious list (unlikely)
BUB   Regular old spam with fake return address.


posted at: 19:43 :: permanent link to this entry :: 0 comments


© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.