On Sat, Aug 5, 2023 at 4:51 AM Laura Atkins <la...@wordtothewise.com> wrote:

>
>
> On 5 Aug 2023, at 02:43, Jesse Thompson <z...@fastmail.com> wrote:
>
> On Thu, Aug 3, 2023, at 11:08 AM, Laura Atkins wrote:
>
> I agree with this and have been working to recruit folks to come here.
> I’ll also be in Brooklyn and pitching the need for participation in the
> IETF working group from folks in the email space who are seeing issues with
> this.
>
>
> I'll be there and interested in participating. As an ESP/infrastructure
> provider I can say that we are "having" the issue, but can't say that we
> are "seeing" the issue since visibility is only available to anti-spammers,
> and domain owners (who receive DMARC reports).
>
We don't have visibility either as DKIM replay from an authentication
perspective looks like legitimate traffic.  Of course the content looks
spammy which has a negative impact, and it's hard to differentiate DKIM
replay from day-to-day variations.


> A big driver of the work is actually Google. As I understand it, they are
> having issues because the replay attackers are successfully stealing
> reputation of otherwise good senders in order to bypass some spam
> filtering. The replay attackers aren’t sending what we commonly think of as
> spam through the signers - as the message is sent to one recipient (not
> bulk) and it is opt-in (that recipient wants and has asked for the mail).
>

Agreed.  For a while DKIM replay was our number one source of increased
escalations, and that was heading towards an unsustainable place.
Fortunately DKIM replay and escalations calmed down quite a bit, perhaps
due to the ecosystem implementing various mitigation techniques.  For
example we've had good success with the duplicate message counting idea
reported at M3AAWG (and mentioned in the problem statement document), as
well as many implementing other techniques.   My worry is that these
techniques don't tackle the issue at the protocol level and several have
thresholds that spammers can exploit.  I suspect they will be back once
their current large-scale campaign with SPF runs its course.

> I recall various assertions that the reason why DMARC has been successful
> is primarily because of the Reporting benefits (and I certainly agree with
> this assertion from my background as an enterprise domain owner), while the
> Conformance benefits seem to be more elusive (as evidenced by the
> inconsistent adoption by receivers and the debates around interoperability
> issues with indirect mail streams). Of course, the Authentication benefits
> are provided by DKIM/SPF, and yet DKIM signers have no standard mechanism
> to receive reports of how their signatures are being misused.
>
> If people think that Reporting is the reason why DMARC has been
> successful, then could we conclude that the lack of Reporting to DKIM
> signers is a problem worth addressing?
>
>
> That’s an interesting thought. I’m thinking the next step down - will it
> help minimize the problem for senders? i.e., would reporting be fast enough
> that they could revoke a key? What might a report look like?
>

This is an interesting idea.  I'd imagine the sender could look for
elevated unexpected spikes in DKIM authenticated traffic.  It is analogous
to what some of the senders (ESP and MBP) reported they were doing using
the Gmail Postmaster tools to detect suspected DKIM replay.  Postmaster has
traffic graphs with DKIM authentication where they would look for
unexpected spikes.  Moreover, they were correlated with a decrease in
reputation which is unfortunately something that DMARC reports won't have.
In any case DMARC reports should provide senders some visibility into
looking for DKIM authenticated traffic spikes.

-Wei
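The duplicate message counting idea mentioned above, as an added illustration that is not code from this thread or from any of the providers discussed: a receiver keys each delivery on the exact DKIM signature it carries and raises an alert when the same signature is delivered more times within a sliding window than a threshold allows. The window, threshold and the delivery log are constructed assumptions; as noted in the thread, a replayer who stays under the threshold is not caught.

```python
import re
from collections import defaultdict, deque

# Tag=value list of a DKIM-Signature header; folding whitespace is removed below.
TAG_RE = re.compile(r"\s*([a-z]+)\s*=\s*([^;]*)")

def parse_dkim_tags(header):
    """Parse a DKIM-Signature tag list into a dict, stripping folded whitespace."""
    return {m.group(1): re.sub(r"\s+", "", m.group(2)) for m in TAG_RE.finditer(header)}

class ReplayCounter:
    """Counts deliveries that reuse a byte-identical signature (d=, s=, b=)."""
    def __init__(self, window_seconds, threshold):
        self.window, self.threshold = window_seconds, threshold
        self.seen = defaultdict(deque)  # signature key -> delivery timestamps

    def observe(self, ts, dkim_header):
        tags = parse_dkim_tags(dkim_header)
        if not all(t in tags for t in ("d", "s", "b")):
            return None  # unsigned or malformed: nothing to count
        q = self.seen[(tags["d"], tags["s"], tags["b"])]
        q.append(ts)
        while q and ts - q[0] > self.window:  # expire deliveries outside the window
            q.popleft()
        if len(q) > self.threshold:
            return {"domain": tags["d"], "selector": tags["s"], "count": len(q)}
        return None

def build_sample():
    """Constructed receiver log: (unix seconds, DKIM-Signature header value)."""
    legit = [f"v=1; a=rsa-sha256; d=example.com; s=s1; bh=h{i}=; b=sig{i}=" for i in range(3)]
    replayed = "v=1; a=rsa-sha256; d=example.com; s=s1; bh=h9=;\r\n\tb=replaySig\r\n\t==="
    sample = [(100 + i * 10, h) for i, h in enumerate(legit)]   # three distinct messages
    sample += [(200 + i * 30, replayed) for i in range(6)]      # one message replayed six times
    sample.append((5000, replayed))  # long after the window: earlier copies have expired
    return sample

def run_sample(window_seconds=600, threshold=5):
    """Replay the constructed log through the counter; returns (ts, alert) pairs."""
    counter = ReplayCounter(window_seconds, threshold)
    alerts = []
    for ts, header in build_sample():
        alert = counter.observe(ts, header)
        if alert:
            alerts.append((ts, alert))
    return alerts

if __name__ == "__main__":
    print(run_sample())
```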
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim