Folks,
There appears to be no perfect way to distinguish a Replay attack from a
legitimate re-posting by an Alias or even a Mailing list (that preserves
the original DKIM signature).

The only 'signal' that is valid also is ambiguous. The signal is that
the rfc5321.Mail command has an address that is not in any of the
rfc5322 address fields. The ambiguity, of course, is that that's also
true for Alias.

I'm wondering about designing some assistance by the author's platform
and the Aliasing platform, to flag what they've done.

Imagine adding a header field like "Separate-Envelope:", possibly
listing the domain name of the site putting the flag there, and having
them add a DKIM signature to cover it and the rest of the message.

This could also be done by a spammer doing Replay, of course. But the
point is that this added mechanism now creates a noise-free basis for
evaluating this class of traffic associated with that signed domain.

It's not that the receiving filter could not detect the disparity
between envelope and content addresses. It's that the receiver is
getting a flag from whoever did it.

If, for example, the domain name is of the originating service, then
it's clearly not Replay.

If it is from an Aliasing site, the receiver can quickly build up a
reputation for that site, to aid in determining replay or not.

Thoughts?
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim