-------------------------- Message-Body-Authenticator --------------------------

Revisions:

  0.01 2004-03-26 evertonsm@yahoo.com.br: Initial draft
  0.02 2004-05-20 evertonsm@yahoo.com.br: DNS note, space estimate, message body munging
  0.03 2004-05-26 evertonsm@yahoo.com.br: Rewording

Summary:

  - MBA fights email address forgery and
  - makes it easier to identify spam, worms, and viruses
  - when domain owners publish message body authenticators in DNS, so that
  - SMTP receivers can distinguish legitimate mail from spam
  - by verifying a hash of the message body
  - against the authenticator published by the envelope sender domain

Notes:

  - It does not break forwarding.
  - The record expiration date is used for database space management.
  - If a signed message is captured, it could be re-sent even with new headers.
    This seems benign: MBA can only tell whether a message body was sent by a
    domain, not who sent this particular copy.
  - The message digest is required to prevent replay of a captured
    authenticator for other messages.
  - The message might be rejected only after SMTP DATA, since the body must be
    received before its digest can be checked.
  - DNS is not required to publish ID=>HASH mappings; it is used here just as an
    example. A suitable database/directory service should be selected.
  - Message body munging is supported:
    + Attachment blocking (some mail virus scanners, etc.): Sender verification
      can be performed before the virus scanning of incoming messages. If
      "cleaned" mail is relayed afterwards, the receiving server can skip the
      MBA check for messages from trusted mail scanners.
    + Mailing lists attaching extra lines (adware, etc.): The original sender
      domain is replaced by the mailing list domain as return path, so the
      mailing list server is able to "re-sign" the message.
    + Corporations adding legal disclaimers: The corporate mail server can add
      the disclaimer before "signing" the message for the envelope sender
      domain.
Space Requirements Estimate:

  days=10           # time to keep records in database
  message_rate=100  # outbound messages per second
  record_size=100   # in bytes
  echo $(($days * 86400 * $message_rate * $record_size))
  8.640.000.000 bytes

EXAMPLE for Message-Body-Authenticator
======================================

BEGIN

bobsite.tld is publishing:

  _mba.bobsite.tld. IN TXT "policy=mba-header-required"
  _mba.bobsite.tld. IN PTR mba.bobsite.hosting.tld.

('_mba' stands for 'message body authenticator')

Bob's MUA issues the message:

-- original RFC2822 message -- begin --
Subject: Party
From: "Bob"
To: "Alice"

Hello Alice,

Are you coming next week?

Cheers,
Bob
-- original RFC2822 message -- end --

bobsite.tld MTA stores in a publicly-readable database (DNS):

  key:    message-id  = 0123456789
  value:  md5         = 415f3c454c31fb7dbcf4d861a66adbe5
  expire: valid-until = 2004-04-30 14:50:22 GMT

bobsite.tld publishes in the DNS:

  0123456789.mba.bobsite.hosting.tld. IN TXT "md5=415f3c454c31fb7dbcf4d861a66adbe5"

bobsite.tld MTA sends to alicehome.tld:

-- sending authenticated message -- begin --
EHLO mail.bobsite.tld
MAIL FROM:
RCPT TO:
DATA
Subject: Party
From: "Bob"
To: "Alice"
Message-Body-Authenticator: 0123456789

Hello Alice,

Are you coming next week?

Cheers,
Bob
.
QUIT
-- sending authenticated message -- end --

After MAIL FROM, alicehome.tld MTA extracts bobsite.tld from the envelope
sender address. Then alicehome.tld MTA finds:

  _mba.bobsite.tld. IN TXT "policy=mba-header-required"
  _mba.bobsite.tld. IN PTR mba.bobsite.hosting.tld.

If alicehome.tld MTA wants to adhere to the published policy, the message is
rejected unless the header "Message-Body-Authenticator:" is present.

alicehome.tld MTA finds:

  0123456789.mba.bobsite.hosting.tld. IN TXT "md5=415f3c454c31fb7dbcf4d861a66adbe5"

After DATA, alicehome.tld MTA finds that the MD5 of the message body matches
the published MD5, and accepts the message.

On 2004-04-30 14:50:22 GMT, bobsite.tld removes from DNS:

  0123456789.mba.bobsite.hosting.tld. IN TXT "md5=415f3c454c31fb7dbcf4d861a66adbe5"

END
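The exchange above, carried through in code as an added example (not part of
the draft and not an implementation by its author): an in-memory dictionary
stands in for DNS, a SenderMTA class signs outbound mail by publishing the body
MD5 under <message-id>.<mba zone> and keeps the valid-until database, and
verify() plays the alicehome.tld side: read the _mba policy and PTR records,
require the header when the policy says so, look up the authenticator, and
compare the body digest. The message text, the record names and the expiry
behaviour follow the draft; the class and function names, the demo() scenarios
(a copied header over a replaced body, a stripped header, a record past its
expiry) and the constructed dates are assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed stand-in for DNS: name -> list of (record type, value).
DNS = {}


def publish(name, rtype, value):
    DNS.setdefault(name, []).append((rtype, value))


def unpublish(name):
    DNS.pop(name, None)


def lookup(name, rtype):
    return [v for t, v in DNS.get(name, []) if t == rtype]


def split_message(raw):
    """Split an RFC2822 message into header block and body at the first empty line."""
    head, _, body = raw.partition("\n\n")
    return head, body


def body_digest(body):
    """The draft's authenticator: MD5 over the message body only (headers are not covered)."""
    return hashlib.md5(body.encode("utf-8")).hexdigest()


def header_value(head, name):
    for line in head.split("\n"):
        field, _, value = line.partition(":")
        if field.strip().lower() == name.lower():
            return value.strip()
    return None


class SenderMTA:
    """Outbound MTA of the envelope sender domain (bobsite.tld in the draft)."""

    def __init__(self, domain, mba_zone, keep_days=10):
        self.domain, self.mba_zone, self.keep_days = domain, mba_zone, keep_days
        self.records = {}  # message-id -> valid-until: the local expiry database
        publish(f"_mba.{domain}.", "TXT", "policy=mba-header-required")
        publish(f"_mba.{domain}.", "PTR", mba_zone)

    def sign(self, raw, message_id, now):
        head, body = split_message(raw)
        publish(f"{message_id}.{self.mba_zone}", "TXT", f"md5={body_digest(body)}")
        self.records[message_id] = now + timedelta(days=self.keep_days)
        return f"{head}\nMessage-Body-Authenticator: {message_id}\n\n{body}"

    def expire(self, now):
        """Drop records whose valid-until has passed (the draft's space management)."""
        for mid in [m for m, until in self.records.items() if until <= now]:
            unpublish(f"{mid}.{self.mba_zone}")
            del self.records[mid]


def verify(sender_domain, raw):
    """Receiving MTA check, run after DATA. Returns (accept, reason)."""
    policy = lookup(f"_mba.{sender_domain}.", "TXT")
    zones = lookup(f"_mba.{sender_domain}.", "PTR")
    if not policy or not zones:
        return True, "sender domain publishes no MBA policy"
    head, body = split_message(raw)
    message_id = header_value(head, "Message-Body-Authenticator")
    if message_id is None:
        if "policy=mba-header-required" in policy:
            return False, "policy requires Message-Body-Authenticator header"
        return True, "header optional for this domain"
    published = lookup(f"{message_id}.{zones[0]}", "TXT")
    digests = {v[len("md5="):] for v in published if v.startswith("md5=")}
    if not digests:
        return False, "no authenticator published for this message-id"
    if body_digest(body) not in digests:
        return False, "body digest does not match published authenticator"
    return True, "body digest verified"


# Bob's message from the draft (addresses omitted, as in the draft text).
ORIGINAL = ("Subject: Party\nFrom: \"Bob\"\nTo: \"Alice\"\n\n"
            "Hello Alice,\n\nAre you coming next week?\n\nCheers,\nBob\n")


def demo():
    """Run the draft's scenario plus the failure modes its Notes describe."""
    now = datetime(2004, 4, 20, 14, 50, 22, tzinfo=timezone.utc)  # constructed
    bob = SenderMTA("bobsite.tld", "mba.bobsite.hosting.tld.")
    signed = bob.sign(ORIGINAL, "0123456789", now)
    results = {"genuine": verify("bobsite.tld", signed)[0]}
    # Captured header re-used over a different body: digest mismatch.
    head, _ = split_message(signed)
    results["replayed_header"] = verify("bobsite.tld", head + "\n\nBuy now!\n")[0]
    # Header absent although the domain's policy requires it.
    results["missing_header"] = verify("bobsite.tld", ORIGINAL)[0]
    # Record removed once valid-until is reached: the copy no longer verifies.
    bob.expire(now + timedelta(days=10))
    results["after_expiry"] = verify("bobsite.tld", signed)[0]
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accept' if accepted else 'reject'}")
```

The last scenario shows the trade-off the draft's expiry note implies: once
the sender removes a record, a legitimately delayed copy of that message fails
verification too, so keep_days has to cover the longest plausible delivery
delay.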