On Tue, Apr 5, 2022 at 6:35 AM Cyril - ImprovMX via mailop < mailop@mailop.org> wrote:
> > After a discussion with OVH about this potential issue, I discovered that > the problem was worst than that. By comparing all the emails from > Spamcop.net reports, I discovered that they were from a few emails, but > then, they had new headers added on top. This included a new "To", > "Subject" and "Date" header. An email sent 4 days ago was sent again, with > an updated date. The initial "Subject" was basic things like "hello" and > the new Subject added at the top was more spammy (the typical horny stuff). > > Clearly, someone used the reputation of ImprovMX.com to deliver emails by > forging them before delivery. > > What you're describing sounds exactly like a DKIM replay attack. Socketlabs, among others, have some ideas on how to mitigate such things. Perhaps you might find those ideas useful - https://www.socketlabs.com/blog/dkim-replay-attacks-preventive-measures-to-protect-email-deliverability/ -- *Todd Herr * | Technical Director, Standards and Ecosystem *e:* todd.h...@valimail.com *m:* 703.220.4153 This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
_______________________________________________ mailop mailing list mailop@mailop.org https://list.mailop.org/listinfo/mailop
