On Fri 18/Aug/2023 12:21:31 +0200 Emanuel Schorsch wrote:
For example, we have seen very large DKIM Replay attacks of youtube.com
Terms of Service emails. There is no malicious content in these emails,
but spammers still send very large volumes (perhaps using them to
generate affinity with victims or warm up their sending
infrastructure). >>
That points to a bug in the I-D. Section 3.1 says:
A spammer will find a mailbox provider with a high reputation and that
signs their message with DKIM. The spammer sends a message with spam
content from there to a mailbox the spammer controls.
Youtube.com Terms of Service emails don't seem to have been sent by the
spammer.
I agree, for completeness we should update that section to include both
types of DKIM replay. I can work on sending a tweak to that section.
Please do! Without it, Section 5.3, "Strip DKIM signatures on mailbox
delivery" makes little sense.
But, to be clear this type of replay is definitely much less common than
the spammer generated content. I just wanted to provide that it does also
happen.
If there is a large difference, then the idea of segmenting authentication
domains might actually belong to countering replay attacks, for spammers
looking for high reputation signatures. Some time ago I proposed
d=bullshit.example.com, but after thinking a bit more, the I-D could set up a
register for that.
For a strawman:
5.6. Use segmented signature domains
Domains that host mailboxes for widely different categories of users,
typically free-mail domains, can differentiate the signature they affix
on messages by using subdomains. IANA maintains a register of subdomains
used for this purpose (See Section 7.)
* Messages written by spammers who get categorized as such will be
signed by subdomains with low reputation, which lowers the incentive
to obtain the very signature.
* Careful users, who don't spam and don't have their accounts often
compromised, can use domains whose reputation won't be ruined by
replay attacks.
And
7. IANA Consideration
This document proposes the use of subdomain to categorize email message
categories for which IANA is to create and maintain a new registry
entitled "DKIM Semantic Subdomain Names".
New registrations are published in accordance with the "First Come First
Served" guidelines as described in [RFC8126]. They are to contain the
following information:
1. Subdomain name to be used in the category. The name MUST exist as a
direct subdomain for the domain referred by the proponent, and MUST
contain a non-empty _domainkey subdomain at the time or registration.
2. Short description of the category, and criteria for assigning messages
to this category, possibly containing a link to extended description.
3. Trust that recipients are invited to assign to messages signed by such
subdomain. This MUST be one of the key words "none", "low", "medium"
and "high".
4. Date of the registration.
Note: Domains are invited to re-use existing names rather than registering
new ones, if the intent matches the description. These names are not
visible by users, so there is no reason to use IDNs. Names and
descriptions MUST be in English.
That's all folks
Ale
--
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
