-------------------------- Message-Body-Authenticator --------------------------

Revisions:

  0.01 2004-03-26 evertonsm@yahoo.com.br: Initial draft
  0.02 2004-05-20 evertonsm@yahoo.com.br: DNS note, space estimate,
                                           message body munging

Summary:

  - MBA fights email address forgery and
  - makes it easier to identify spam, worms, and viruses
  - when domain owners publish message body authenticators in DNS, so that
  - SMTP receivers can distinguish legitimate mail from forged mail
  - by verifying a hash of the message body
  - against the authenticator published by the envelope sender domain

Notes:

  - It does not break forwarding: only the body is hashed, so a forwarder
    that keeps the return path and the body intact keeps the message
    verifiable.
  - The record expiration date is used for database space management.
  - If an authenticated message is captured, its body and authenticator can
    be re-sent, even under new headers, until the record expires. This seems
    benign: MBA only states that a message body was sent by a domain, not to
    whom or how many times.
  - The body digest is required so that a captured authenticator cannot be
    replayed on a different message body.
  - Because the body is only known after SMTP DATA, a digest mismatch is
    reported as a rejection after DATA, not at MAIL FROM or RCPT TO.
  - DNS is not required for publishing the ID=>HASH mappings; it is used
    here just as an example. A suitable database/directory service should be
    selected. Whatever is chosen, the receiver trusts its answers: with plain
    DNS, answers that can be spoofed toward the receiver would let a forged
    body verify, so the authenticator zone should be protected (e.g. DNSSEC)
    or an authenticated lookup service used.
  - The digest algorithm is also only an example: MD5 is used below, but the
    scheme needs a collision-resistant hash, and MD5 no longer qualifies.
  - Sender and receiver must hash exactly the same bytes: the canonical form
    of the body (line endings, trailing newline, charset) has to be fixed by
    the specification, otherwise legitimate mail fails to verify.
  - Message body munging is supported, as in:
    + Attachment blocking (some mail virus scanners, etc.): sender
      verification is performed before virus scanning. If the scanner strips
      an attachment and relays the message, the next hop can no longer verify
      it and must trust the scanner server instead.
    + Mailing lists attaching extra lines (adware, etc.): the original sender
      domain is replaced by the mailing list domain as return path, thus
      allowing a "re-signing" of the message.
    + Corporations adding legal disclaimers: the corporate mail server adds
      the disclaimer before "signing" the message for the domain.
Space Requirements Estimate:

  days=10            # time to keep records in database
  message_rate=100   # outbound messages per second
  record_size=100    # in bytes
  echo $(($days * 86400 * $message_rate * $record_size))
  8640000000         # bytes, i.e. about 8.64 GB of live records

EXAMPLE for Message-Body-Authenticator
======================================

BEGIN

bobsite.tld is publishing:

  _mba.bobsite.tld. IN TXT "policy=mba-header-required"
  _mba.bobsite.tld. IN PTR mba.bobsite.hosting.tld.

('_mba' stands for 'message body authenticator')

Bob's MUA issues the message:

-- original RFC2822 message -- begin --
Subject: Party
From: "Bob"
To: "Alice"

Hello Alice,

Are you coming next week?

Cheers,
Bob
-- original RFC2822 message -- end --

bobsite.tld MTA stores in a publicly-readable database (DNS):

  key:    message-id  = 0123456789
  value:  md5         = 415f3c454c31fb7dbcf4d861a66adbe5
  expire: valid-until = 2004-04-30 14:50:22 GMT

bobsite.tld publishes in the DNS:

  0123456789.mba.bobsite.hosting.tld. IN TXT "md5=415f3c454c31fb7dbcf4d861a66adbe5"

bobsite.tld MTA sends to alicehome.tld:

-- sending authenticated message -- begin --
EHLO mail.bobsite.tld
MAIL FROM:
RCPT TO:
DATA
Subject: Party
From: "Bob"
To: "Alice"
Message-Body-Authenticator: 0123456789

Hello Alice,

Are you coming next week?

Cheers,
Bob
.
QUIT
-- sending authenticated message -- end --

After MAIL FROM, alicehome.tld MTA extracts the domain bobsite.tld from the
return-path address. Then alicehome.tld MTA finds:

  _mba.bobsite.tld. IN TXT "policy=mba-header-required"
  _mba.bobsite.tld. IN PTR mba.bobsite.hosting.tld.

If alicehome.tld MTA wants to adhere to the published policy, the message is
rejected unless the "Message-Body-Authenticator:" header is present.

Once the DATA section arrives, alicehome.tld MTA reads the header, looks the
ID up under the zone named by the PTR record, and finds:

  0123456789.mba.bobsite.hosting.tld. IN TXT "md5=415f3c454c31fb7dbcf4d861a66adbe5"

After DATA, alicehome.tld MTA finds that the MD5 of the message body matches
the published MD5, then accepts the message.

On 2004-04-30 14:50:22 GMT, bobsite.tld removes from DNS:

  0123456789.mba.bobsite.hosting.tld. IN TXT "md5=415f3c454c31fb7dbcf4d861a66adbe5"

END
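The exchange above and the mailing-list re-signing case from the notes, as an added example in Python. This is not the draft author's code: the DNS is replaced by an in-memory lookup table, message IDs are random hex, the hashed body is assumed to be everything after the first blank line with CRLF line endings (the draft fixes no canonical form), and the class and function names (Dns, SenderMta, verify, demo) are this example's own. The record and header names follow the example on the page.

```python
import hashlib
import re
import secrets
from datetime import datetime, timedelta, timezone

HEADER = "Message-Body-Authenticator"
POLICY = "policy=mba-header-required"


def split_message(raw):
    """Split a raw RFC 2822 message into (header block, body), both bytes."""
    headers, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    return headers, body


def body_digest(raw):
    """Hex MD5 of the canonical body (assumed form: CRLF line endings)."""
    return hashlib.md5(split_message(raw)[1].replace(b"\n", b"\r\n")).hexdigest()


def get_header(raw, name):
    """First value of header `name`, or None if absent."""
    pat = rb"(?im)^" + re.escape(name.encode()) + rb":[ \t]*(\S+)"
    m = re.search(pat, split_message(raw)[0])
    return m.group(1).decode() if m else None


class Dns:
    """Stand-in for the DNS (assumed): name -> list of (rtype, value)."""
    def __init__(self):
        self.records = {}
    def add(self, name, rtype, value):
        self.records.setdefault(name.lower(), []).append((rtype, value))
    def lookup(self, name, rtype):
        return [v for t, v in self.records.get(name.lower(), []) if t == rtype]


class SenderMta:
    """Outbound MTA of `domain`: publishes the policy, signs, expires records."""
    def __init__(self, domain, mba_zone, dns, keep_days=10):
        self.mba_zone, self.dns, self.keep = mba_zone, dns, timedelta(days=keep_days)
        self.db = {}  # message-id -> valid-until, kept only to expire records
        dns.add(f"_mba.{domain}.", "TXT", POLICY)
        dns.add(f"_mba.{domain}.", "PTR", f"{mba_zone}.")

    def sign(self, raw, now):
        """Publish md5(body) under a fresh id and add the MBA header. Any
        earlier MBA header is dropped: this is the mailing-list re-signing."""
        msg_id = secrets.token_hex(8)
        self.db[msg_id] = now + self.keep
        self.dns.add(f"{msg_id}.{self.mba_zone}.", "TXT", f"md5={body_digest(raw)}")
        headers, body = split_message(raw)
        kept = [h for h in headers.split(b"\n")
                if not h.lower().startswith(HEADER.lower().encode() + b":")]
        return b"\n".join(kept) + f"\n{HEADER}: {msg_id}\n\n".encode() + body

    def expire(self, now):
        """Remove records past valid-until (the final step of the example)."""
        for msg_id, until in list(self.db.items()):
            if until <= now:
                self.dns.records.pop(f"{msg_id}.{self.mba_zone}.", None)
                del self.db[msg_id]


def verify(dns, mail_from_domain, raw):
    """Receiver-side checks; returns (accept, reason). The policy lookup can
    run right after MAIL FROM, the digest comparison only after DATA."""
    if POLICY not in dns.lookup(f"_mba.{mail_from_domain}.", "TXT"):
        return True, "sender domain publishes no MBA policy"
    zones = dns.lookup(f"_mba.{mail_from_domain}.", "PTR")
    msg_id = get_header(raw, HEADER)
    if not zones or msg_id is None:
        return False, "policy requires an authenticator header"
    if not re.fullmatch(r"[0-9a-f]{1,32}", msg_id):
        return False, "malformed authenticator id"  # never query attacker-shaped names
    txt = dns.lookup(f"{msg_id}.{zones[0]}", "TXT")
    published = next((v[4:] for v in txt if v.startswith("md5=")), None)
    if published is None:
        return False, "no authenticator published (expired, forged or unknown id)"
    if published != body_digest(raw):
        return False, "digest mismatch: body altered or authenticator replayed"
    return True, "body digest matches the published authenticator"


def demo():
    """Walk the page's exchange with constructed data; returns the verdicts."""
    dns = Dns()
    t0 = datetime(2004, 4, 20, 14, 50, 22, tzinfo=timezone.utc)
    bob = SenderMta("bobsite.tld", "mba.bobsite.hosting.tld", dns)
    lst = SenderMta("list.tld", "mba.list.tld", dns)  # a mailing list (assumed)
    original = (b"Subject: Party\r\nFrom: Bob\r\nTo: Alice\r\n\r\n"
                b"Hello Alice,\r\n\r\nAre you coming next week?\r\n\r\nCheers,\r\nBob\r\n")
    signed = bob.sign(original, t0)
    munged = signed + b"-- \nlist footer\n"  # the list appends extra lines
    results = {
        "signed": verify(dns, "bobsite.tld", signed),
        "unsigned_under_policy": verify(dns, "bobsite.tld", original),
        "altered_body": verify(dns, "bobsite.tld", signed.replace(b"week", b"month")),
        "munged_as_bob": verify(dns, "bobsite.tld", munged),
        "resigned_by_list": verify(dns, "list.tld", lst.sign(munged, t0)),
        "no_policy_domain": verify(dns, "nopolicy.tld", original),
    }
    bob.expire(t0 + timedelta(days=10))
    results["after_expiry"] = verify(dns, "bobsite.tld", signed)
    return results
```

Running demo() shows the accept/reject decision for each case: the signed message verifies, the same message without the header is rejected under the published policy, an altered or list-munged body fails the digest check under bobsite.tld but verifies again once the list re-signs it under its own domain, a domain with no policy is accepted as before, and the signed message stops verifying once bobsite.tld expires its record.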