On 2/10/23 1:48 PM, Wei Chuang wrote:
> On Fri, Feb 10, 2023 at 1:29 PM Michael Thomas <m...@mtcc.com> wrote:
>> On 2/10/23 10:23 AM, Wei Chuang wrote:
>>> Hi all,
>>> I've posted an updated version of the
>>> draft-chuang-dkim-replay-problem-01
>>> <https://datatracker.ietf.org/doc/draft-chuang-dkim-replay-problem/01/>
>>> draft. It cleans up a lot from the -00 rough draft state so
>>> hopefully it's more clear. It builds a case that spammers are
>>> exploiting DKIM through replay, identifies conflicting scenarios,
>>> and outlines a solution space.
>> | taking advantage of the flexibility in DKIM to
>> | selectively sign headers, the spammer may intentionally leave out
>> | certain headers such as To:, and Subject: that can be added in later
>> | without damaging the existing DKIM signature.
>> I think this needs to be explained. It isn't obvious to me how
>> they would manage to do that. The header fields signed are under
>> control of the signer, not the original author. How do the
>> attackers coax the provider's signer into not signing certain fields?
> By leaving them out. Many DKIM signers, having observed this
> vulnerability, have started oversigning headers to prevent that.
I think the draft should flesh this out a bit more. I mean, are they
just doing a bcc without a To: address? Are there other mechanisms? Is
that suspicious or is it a legit behavior? I don't think I've seen a
message without a To: address (or at least a legit one).
(Again, this will be important to inform possible BCP things, and in the
case of To: and Subject:, to possibly make them required to be signed
in a protocol change. Certainly that might be an interesting discussion.)
Mike
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
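The h= mechanics behind the "By leaving them out" answer and the oversigning countermeasure, as an added example that is not from the draft or from anyone on this thread: a signature computed over a message that lacks To: and Subject: still verifies after those fields are added when h= omits them, and fails when the signer lists them anyway. It substitutes an HMAC for the real RSA/Ed25519 signature, skips the body hash, and uses constructed headers throughout.

```python
import hashlib
import hmac
import re
from typing import List, Tuple

# Constructed stand-in for the signer's private key: real DKIM signs with
# RSA/Ed25519, but an HMAC keeps the h= selection logic self-contained.
SIGNING_KEY = b"constructed-example-key"

def relaxed(name: str, value: str) -> str:
    """RFC 6376 'relaxed' header canonicalization (simplified): lowercase the
    name, unfold, collapse whitespace runs, strip around the colon."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"

def signed_header_data(headers: List[Tuple[str, str]], h_tag: str) -> bytes:
    """Each name in h= consumes the last not-yet-consumed field of that name
    (RFC 6376 s5.4.2); a name with no field left contributes nothing, so a
    field added after signing would be consumed and change the hash."""
    remaining = list(headers)
    out = ""
    for name in h_tag.lower().split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name:
                out += relaxed(*remaining.pop(i))
                break
    return out.encode()

def sign(headers, h_tag: str) -> str:
    data = signed_header_data(headers, h_tag)
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()

def verify(headers, h_tag: str, sig: str) -> bool:
    return hmac.compare_digest(sign(headers, h_tag), sig)

# Constructed message as handed to the signer: no To:, no Subject:.
AS_SIGNED = [("From", "sender@example.com"),
             ("Date", "Fri, 10 Feb 2023 10:23:00 -0800")]
# The same message as the recipient sees it after the replay step.
AS_REPLAYED = [("To", "someone@example.net"),
               ("Subject", "added after signing")] + AS_SIGNED

def replay_verifies(h_tag: str) -> bool:
    """Does a signature computed over AS_SIGNED still verify on AS_REPLAYED?"""
    return verify(AS_REPLAYED, h_tag, sign(AS_SIGNED, h_tag))

SELECTIVE = "from:date"              # To:/Subject: left out of h=
OVERSIGNED = "from:date:to:subject"  # absent fields listed anyway, binding their absence
# replay_verifies(SELECTIVE) -> True; replay_verifies(OVERSIGNED) -> False
```

For a field that is already present once, the same binding comes from listing it twice (h=...:to:to): the second instance consumes nothing until a duplicate of that field appears, at which point verification fails.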