In message <f55977e5-909e-4273-889a-cb1adb5c4...@wordtothewise.com>, Laura Atkins <la...@wordtothewise.com> writes
> Now, it was, so it was fine. But it does suggest that anyone can
> create a Quickbooks account to impersonate my company. Because
> Quickbooks sends from their own domain, it’s all DMARC passing
> mail.

There is a significant amount of fraud currently being attempted by signing up for new accounts at small business financial service companies, creating invoices and sending them to an email system which will replay these to large numbers of destinations. The replaying systems have most recently been at a domain seller and a large mailbox provider.

These invoices do not generally impersonate legitimate small businesses, but purport to be for the supply of anti-virus, invoices for smartphones, or are just direct phishing attacks against the usual suspects. Some of the attacks do not use links to malicious websites directly but inveigle victims into phoning a support line where real humans impersonate financial companies and at that point redirect people to a website where their credentials are phished.

The email replay is necessary because of the fairly low limits that the service companies place on the generation of invoices by new customers.

This is not just "DMARC passing email" but in every way it is genuine mail. It can however be detected because it is a replay (and I spend some time at $DAYJOB$ identifying and dealing with each day's attacks).

You will note that the outline DKIM2 spec says that an m= setting for the very first DKIM2 signature can specify that an email must not be modified or "exploded". Hence standards compliant systems would prevent the attacks we currently see, and replay detection systems would get a leg up in detecting malicious replays (and, by being able to identify which entities have misbehaved, impact their reputation accordingly).

The DKIM2 design we have put forward has a number of these features that we have put in to make it easier to tackle the problems that are unnecessarily difficult to handle today.
It should also be noted that this is a good example of wickedness that can only be identified and mitigated when operating "at scale". If you only ever receive one of these emails then today (and sadly also in the future) you will not be able to detect the problem within the email system itself. However, the criminals cannot make very much money unless _they_ operate "at scale" and hence improving detection "at scale" is a win for everybody. This is one of the reasons why the draft charter mentions scale and should, in my view, continue to do so.

-- 
richard                                                   Richard Clayton

They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. Benjamin Franklin

Ietf-dkim mailing list -- ietf-dkim@ietf.org
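The replay pattern the post describes, where one genuinely DKIM-signed invoice is re-sent to many destinations, can be spotted at the receiver by correlating the signature value across deliveries. The following is an added illustration, not code from the post or from any DKIM2 draft; it assumes a receiving MTA logs the connecting IP, envelope recipient and received DKIM-Signature header per delivery, and every domain, address, IP and signature value in it is constructed.

```python
import re
from collections import defaultdict

# Constructed inbound delivery log: (connecting IP, envelope recipient, DKIM-Signature
# header as received). Domains, IPs and signature values are placeholders, not real data.
INBOUND = [
    ("203.0.113.10", "alice@example.org", "v=1; a=rsa-sha256; d=invoices.example; s=s1; bh=HASH1=; b=SIGA=="),
    ("203.0.113.10", "bob@example.org",   "v=1; a=rsa-sha256; d=invoices.example; s=s1; bh=HASH1=; b=SIGA=="),
    ("198.51.100.7", "carol@example.net", "v=1; a=rsa-sha256; d=invoices.example; s=s1; bh=HASH1=; b=SIGA=="),
    # Same signature again, this time with a folded header (whitespace inside b= is legal).
    ("198.51.100.7", "dave@example.net",  "v=1; a=rsa-sha256; d=invoices.example; s=s1; bh=HASH1=;\r\n\tb=SIGA=="),
    ("192.0.2.5",    "erin@example.org",  "v=1; a=rsa-sha256; d=invoices.example; s=s1; bh=HASH2=; b=SIGB=="),
    ("192.0.2.5",    "frank@example.org", "v=1; a=rsa-sha256; d=shop.example; s=k1; bh=HASH3=; b=SIGC=="),
    ("192.0.2.5",    "grace@example.org", "v=1; a=rsa-sha256; d=shop.example; s=k1; bh=HASH3=; b=SIGC=="),
]

TAG = re.compile(r"(\w+)=([^;]*)")

def parse_dkim_tags(header):
    """Split a DKIM-Signature value into its tag=value pairs, dropping folding whitespace."""
    return {k: re.sub(r"\s+", "", v) for k, v in TAG.findall(header)}

def find_replays(events, min_recipients=3):
    """Group deliveries by (signing domain, signature value).

    The signer produces a given b= value once; the identical value arriving for many
    distinct recipients, especially from more than one connecting host, is the replay
    pattern described in the post. The threshold is a tuning assumption: a single
    multi-recipient SMTP transaction from the signer itself also reuses one signature,
    so distinct source IPs are reported to help triage rather than to block outright.
    """
    recipients = defaultdict(set)
    sources = defaultdict(set)
    for ip, rcpt, header in events:
        tags = parse_dkim_tags(header)
        if "d" not in tags or "b" not in tags:
            continue  # unsigned or malformed header: nothing to correlate on
        key = (tags["d"].lower(), tags["b"])
        recipients[key].add(rcpt.lower())
        sources[key].add(ip)
    return {
        key: {"recipients": sorted(rcpts), "sources": sorted(sources[key])}
        for key, rcpts in recipients.items()
        if len(rcpts) >= min_recipients
    }

if __name__ == "__main__":
    for (domain, sig), info in find_replays(INBOUND).items():
        print(f"replay suspect d={domain} b={sig[:12]}... "
              f"{len(info['recipients'])} recipients via {len(info['sources'])} hosts")
```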