> On 29 Aug 2023, at 19:07, Dave Crocker <d...@dcrocker.net> wrote:
>
> Not that this is all that new a question, but I think it might be worthy of
> more (and maybe different focus)...
>
> When a message is used in a DKIM Replay Attack:
>
> It originates from a domain name having good reputation
> It passes quality checks from that sending domain
> It goes to a collaborating receiving site, which presumably means that site
> is not conducting quality assessments
> It is re-posted, preserving the original DKIM signature, but now becomes an
> attack
>
> Two thoughts:
>
> If the substance of the message should fail a quality assessment, why does it
> pass at the outbound (sending) site?

Spam isn’t really about substance, though, it’s about being unwanted and volume. A lot of things outbound folks use to identify spam require volume - like ‘is this audience similar to the audience we’ve seen report high levels of spam in the past’ or ‘does this send to addresses we know receive a lot of spam’ or ‘is this account sending to a lot of bad addresses’. There are other checks, like ‘does this email contain a link pointing to a hostname on any of these DNSBLs’ - but that’s trivially solved by just pulling out a link that isn’t on a DNSBL. The professional spam gangs, who are likely behind the attacks, have a deep bench of domains that they pull in and out of circulation on a regular basis.

This also doesn’t address the problem that Google mentioned where they saw YouTube alerts / welcome messages replayed, possibly as a way to create a good IP reputation.

> If the problem is reasonable content, but sent to many unintended (or,
> rather, undeclared) recipients, then the only characteristic of note is the
> fact of multiple transmissions. So I'd guess it is only a real-time network
> of receivers, working in /very/ close coordination, to detect and deal with
> the attack. (it's not difficult to imagine scattered retransmissions, over
> time, to hide the coordination. Sort of a spread spectrum transmission
> style...)

My understanding is that one of the primary ways to ID a replay is using Google postmaster tools and seeing increases in their graphs without a corresponding increase in volume from their systems.

laura

-- 
The Delivery Expert

Laura Atkins
Word to the Wise
la...@wordtothewise.com

Delivery hints and commentary: http://wordtothewise.com/blog
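One way to turn the two replay signals discussed in this thread (one signature re-posted to many recipients, and a receiver seeing more DKIM-passing mail for a domain than that domain itself sent) into a receiver-side check. This is an added example, not code from the thread or from any list member; the log layout, field names and sample records are constructed assumptions.

```python
# Added example (not from the ietf-dkim thread): two receiver-side signals for
# DKIM replay. (1) one signature re-posted to many recipients; (2) more
# DKIM-passing mail observed for a domain than that domain's own MTA says it
# sent (the Postmaster-Tools-style comparison described in the thread).
# All records below are constructed sample data; field names are assumptions.
from collections import Counter, defaultdict

# Constructed receiver log: (day, DKIM d= domain, b= signature value, envelope rcpt).
# The b= value identifies one specific signed message; a replay carries it unchanged.
RECEIVED = [
    ("2023-08-28", "good.example", "b=sig001", "alice@rcpt.example"),
    ("2023-08-28", "good.example", "b=sig002", "bob@rcpt.example"),
    ("2023-08-29", "good.example", "b=sig003", "carol@rcpt.example"),
    # The same signed message arriving for five unrelated recipients.
    ("2023-08-29", "good.example", "b=sig004", "u1@rcpt.example"),
    ("2023-08-29", "good.example", "b=sig004", "u2@rcpt.example"),
    ("2023-08-29", "good.example", "b=sig004", "u3@rcpt.example"),
    ("2023-08-29", "good.example", "b=sig004", "u4@rcpt.example"),
    ("2023-08-29", "good.example", "b=sig004", "u5@rcpt.example"),
]

# Constructed sender-side outbound counts to this receiver, per (day, domain),
# e.g. taken from the sending domain's own MTA logs.
SENT = {("2023-08-28", "good.example"): 2, ("2023-08-29", "good.example"): 2}


def replayed_signatures(received, min_recipients=3):
    """Signatures delivered to at least min_recipients distinct envelope recipients.

    Caveat: legitimate list expansion or a large Bcc also reproduces one
    signature many times, so this is a candidate list, not a verdict.
    """
    rcpts = defaultdict(set)
    for _day, dom, sig, rcpt in received:
        rcpts[(dom, sig)].add(rcpt)
    return {k: len(v) for k, v in rcpts.items() if len(v) >= min_recipients}


def volume_anomalies(received, sent, ratio=2.0):
    """(day, domain) pairs where observed DKIM-passing volume exceeds the
    sender's own count by more than `ratio`; values are (observed, sent)."""
    observed = Counter((day, dom) for day, dom, _sig, _rcpt in received)
    return {k: (n, sent.get(k, 0)) for k, n in observed.items()
            if n > ratio * max(sent.get(k, 0), 1)}


if __name__ == "__main__":
    print(replayed_signatures(RECEIVED))    # {('good.example', 'b=sig004'): 5}
    print(volume_anomalies(RECEIVED, SENT))  # {('2023-08-29', 'good.example'): (6, 2)}
```

The volume comparison only works when the sender's own counts are available to the receiver, which is why the thread points at Postmaster Tools as the place senders notice the gap.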
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim