On 2023-01-23 at 09:53 +0100, Alessandro Vesely wrote:
> On Sun 22/Jan/2023 23:23:06 +0100 Ángel wrote:
> > I should note that the user-is-in-bcc approach could be helpful wrt
> > dkim-replay attacks, since the attacker-controlled account they used to
> > receive the dkim-signed spam mail would be present in the bcc header
> > (and thus stand out). It would be less conspicuous to include
> > themselves in To: or Cc:
> >
> > (This would obviously require the DKIM header to include bcc, which for
> > instance gmail is not doing)
>
> Exactly. But can we trust intermediate MTAs to not remove Bcc:?

Well, in that case they would be as if not signed. Which might not matter
too much if the entity that "helpfully" removed it did so after DKIM
validation.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
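As an added illustration of the point argued above (example code, not from the thread or any mailop participant): a toy DKIM-style header signer in Python that uses an HMAC with a constructed key in place of the RFC 6376 public-key signature, and shows what a verifier sees when Bcc: is left out of h= (the gmail case), included in h=, or over-signed (h=...:bcc:bcc, a case the thread does not discuss), both when the message is untouched and after an intermediate MTA strips or prepends a Bcc: line.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stands in for the DKIM private key

# Constructed headers, top to bottom; Bcc: is the account that would give a replay away.
HEADERS = [
    ("From", "sender@example.com"),
    ("To", "recipient@example.org"),
    ("Subject", "Special  offer"),
    ("Bcc", "replay-account@example.net"),
]

def relaxed(name, value):
    """RFC 6376 'relaxed' header canonicalization, simplified."""
    return f"{name.lower()}:{' '.join(value.split())}\r\n"

def header_hash(headers, h):
    """Hash the fields named in h=, taking the bottom-most unused instance of
    each name; a name in h= with no instance left hashes as empty, which is
    what lets over-signing (h=...:bcc:bcc) catch a Bcc: added later."""
    left = list(headers)
    data = ""
    for name in h.lower().split(":"):
        for i in range(len(left) - 1, -1, -1):
            if left[i][0].lower() == name:
                data += relaxed(*left.pop(i))
                break
    return hmac.new(KEY, data.encode(), hashlib.sha256).hexdigest()

def verify(headers, h, sig):
    return hmac.compare_digest(header_hash(headers, h), sig)

def replay_visibility(h):
    """Sign HEADERS with the given h= list; report whether the signature still
    verifies untouched, after an MTA strips Bcc:, and after a Bcc: is prepended."""
    sig = header_hash(HEADERS, h)
    stripped = [x for x in HEADERS if x[0].lower() != "bcc"]
    prepended = [("Bcc", "another@example.org")] + HEADERS
    return {
        "intact": verify(HEADERS, h, sig),
        "bcc_stripped": verify(stripped, h, sig),
        "bcc_prepended": verify(prepended, h, sig),
    }

if __name__ == "__main__":
    for h in ("from:to:subject", "from:to:subject:bcc", "from:to:subject:bcc:bcc"):
        print(h, replay_visibility(h))
```

With Bcc: outside h= the signature survives any change to Bcc:, so a replay is not visible to the verifier; with Bcc: inside h= a stripping MTA turns the message into an unsigned one, as the reply says, and only over-signing also rejects a Bcc: prepended downstream.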