Internet and e-mail policy and practice
including Notes on Internet E-mail



16 Jul 2014

The mail forwarding threat model

The recent DMARC kerfuffle has brought new attention to mail forwarders that send mail on behalf of other people. We've been giving a lot of thought to ways to tell nice forwarders from nasty ones, so that mail systems can deliver mail from the nice ones and filter the nasty ones. It occurs to me that there are several scenarios for the way that forwarders work, so I've collected them in a little chart.

We assume that forwarders can sign the mail they send, so there's no problem telling that mail from the forwarder really came from them. We also crudely divide agents into Good ones that send mail that the recipients generally want, and Bad ones that send mail that the recipients don't want.

Each row of the table starts with three letters. They mean:

  • G or B, the forwarder is Good or Bad
  • A or U, the original message was Authenticated or Unauthenticated before it was forwarded. Note that Unauthenticated doesn't mean "forged", since there are many ways a user can send mail that is legitimate yet isn't authenticated.
  • G or B, the original sender was Good or Bad

Type  Example
GAG   Subscriber sending mail through a mailing list
GUG   Newspaper forward-an-article, or ESP mailing for a customer who can't provide a signing key.
GAB   Compromised subscriber sending mail through a mailing list, or spammer sends to list that doesn't limit mail to subscribers
GUB   Spammer who's stolen a user's address book sending mail to a list to which the victim subscribes
BAG   Formerly legit list goes rogue (never seen it)
BUG   Spammer sending modified copies of mail scraped from an archive
BAB   Compromised user sending through malicious list (unlikely)
BUB   Regular old spam with fake return address.


Stable link is https://jl.ly/Email/fwdthreat.html


© 2005-2024 John R. Levine.