On Sun, Aug 20, 2023, at 6:13 AM, Alessandro Vesely wrote:
> On Fri 18/Aug/2023 12:21:31 +0200 Emanuel Schorsch wrote:
> >>
> >>> For example, we have seen very large DKIM Replay attacks of youtube.com
> >>> Terms of Service emails. There is no malicious content in these emails,
> >>> but spammers still send very large volumes (perhaps using them to
> >>> generate affinity with victims or warm up their sending
> >>> infrastructure). >>
> >> That points to a bug in the I-D. Section 3.1 says:
> >>
> >> A spammer will find a mailbox provider with a high reputation and that
> >> signs their message with DKIM. The spammer sends a message with spam
> >> content from there to a mailbox the spammer controls.
> >>
> >> Youtube.com Terms of Service emails don't seem to have been sent by the
> >> spammer.
> >
> > I agree, for completeness we should update that section to include both
> > types of DKIM replay. I can work on sending a tweak to that section.
>
>
> Please do! Without it, Section 5.3, "Strip DKIM signatures on mailbox
> delivery" makes little sense.
>
>
> > But, to be clear this type of replay is definitely much less common than
> > the spammer generated content. I just wanted to provide that it does also
> > happen.
>
> If there is a large difference, then the idea of segmenting authentication
> domains might actually belong to countering replay attacks, for spammers
> looking for high reputation signatures. Some time ago I proposed
> d=bullshit.example.com, but after thinking a bit more, the I-D could set up a
> register for that.
>
> For a strawman:
>
> 5.6. Use segmented signature domains
>
> Domains that host mailboxes for widely different categories of users,
> typically free-mail domains, can differentiate the signature they affix
> on messages by using subdomains. IANA maintains a register of
> subdomains
> used for this purpose (See Section 7.)
>
> * Messages written by spammers who get categorized as such will be
> signed by subdomains with low reputation, which lowers the incentive
> to obtain the very signature.
>
> * Careful users, who don't spam and don't have their accounts often
> compromised, can use domains whose reputation won't be ruined by
> replay attacks.
>
> And
>
> 7. IANA Consideration
>
> This document proposes the use of subdomain to categorize email message
> categories for which IANA is to create and maintain a new registry
> entitled "DKIM Semantic Subdomain Names".
>
> New registrations are published in accordance with the "First Come First
> Served" guidelines as described in [RFC8126]. They are to contain the
> following information:
>
> 1. Subdomain name to be used in the category. The name MUST exist as a
> direct subdomain for the domain referred by the proponent, and MUST
> contain a non-empty _domainkey subdomain at the time or
> registration.
>
> 2. Short description of the category, and criteria for assigning
> messages
> to this category, possibly containing a link to extended
> description.
>
> 3. Trust that recipients are invited to assign to messages signed by
> such
> subdomain. This MUST be one of the key words "none", "low",
> "medium"
> and "high".
>
> 4. Date of the registration.
>
> Note: Domains are invited to re-use existing names rather than
> registering
> new ones, if the intent matches the description. These names are not
> visible by users, so there is no reason to use IDNs. Names and
> descriptions MUST be in English.
I just want to say +1 to all of this. I believe that adding more d= signatures
to convey context is the solution to allow ESPs/intermediaries to express
enough information to allow receivers to make a mail handling decision in a way
that minimizes collateral damage.
Jesse
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
