On Fri, Feb 17, 2023 at 11:11 AM Michael Thomas <m...@mtcc.com> wrote:
> > I've said in multiple threads that the current problem both in the charter > and the problem draft are far too vague for us to address. Here are some > from me at least: > > 1. Who are the victims? Just bulk senders? Are the bulk senders > signing using their domain? > > We've seen a variety of victims: bulk senders, trusted brands, EDUs etc. > > 1. If there are different types of senders who suffer from replay > attack reputation, are the attacks using the same or different techniques > to create the signed spam? > > Mostly the same, but spammers adjust their techniques to make things work. > > 1. Do senders filter outbound traffic for spam? > 2. Do spammers who get a piece of email signed by a sender also send > mail to target domains to see if it passes their filters? > 3. What are the characteristics of the spammer wrt to the sending > domain? Are they brand new accounts or established ones? > 4. Do sending domains keep track of users who are sending spam in the > eyes of their filters? Do they correlate that with other characteristics of > their users such as freshness? > 5. Do senders pay any attention to the To domain? > 6. Do receivers pay attention to the To domain(s)? > 7. Does the To domain spammers use remain more or less static, or do > they mutate at a high rate? > > We (Gmail) saw spammers frequently duplicate the To headers so they could personalize them per recipient. RFC 5322 (duplicate header rejection) and oversigning is effective against this. > > 1. Can we quantify the reputation bump (or hit) on the receiver from > these spam bursts? (I'm sure the spammers know the answer to this) > > The reputation drop is quite significant for smaller senders (so spammers rotate through them). For larger senders we also will eventually see large drops. > > 1. Do spammers with a replay server sign and/or set up SPF records for > their spam sending domain? > > They mostly set up SPF records for the replay servers. They aggressively shard between many different new SPFs. > > 1. Do spammers provide an unsubscribe link which is typical on normal > email blasts? If not, is that unusual and/or against the rules of the bulk > provider? If so can the sender keep track of that? > 2. Can senders verify that opt-out links actually work especially for > new accounts? > 3. Can filters be adjusted at a more fine grain in the face of > different conditions? That is, accept a higher false positive rate in > certain conditions? > 4. Are there receivers out there that treat an x= expired message > different than a missing or broken signature? It's ambiguous in the DKIM > text about that, I think. > 5. Can receivers take advantage of the signalling of a small x= value > as also a clue that the sender is concerned about replays? > 6. Do receivers use things like unsigned Subject or To or other > tell-tale fields as signs of a bulk replay? > 7. Do receivers collect and use reputation information on mailing > lists and other indirect flows that resign their messages? > > The challenge with this is the long tail of mailing lists and indirect flows, not all of which indicate their indirectness in an obvious way. > > 1. What percent of incoming email to a mailbox is through resenders > and of that what percent resign? > 2. Do receivers keep tabs on which users are using things like mailing > lists to differentiate users who expect to get indirect mail vs those who > don't? > > I know that some of these have been answered to some degree or another, > but wanted to put them in one thread so they can be added to the problem > draft easier as needed. > > Also: to the degree that some of these questions can't be answered or only > very vaguely is its own answer as to what this wg can and can't do. Some > might be just nice to have, but some might be more foundational. > > Feel free to add to my list because I'm sure it's far from comprehensive. > > Mike > _______________________________________________ > Ietf-dkim mailing list > Ietf-dkim@ietf.org > https://www.ietf.org/mailman/listinfo/ietf-dkim >
_______________________________________________ Ietf-dkim mailing list Ietf-dkim@ietf.org https://www.ietf.org/mailman/listinfo/ietf-dkim
