Perhaps I should re-phrase:

It was presented in our DMARC portal as "a new selector was identified"



-----Original Message-----
From: Wietse Venema via Postfix-users <postfix-users@postfix.org> 
Sent: Saturday, March 29, 2025 3:34 PM
To: Postfix users <postfix-users@postfix.org>
Subject: [pfx] Re: insert multi-line values into header

Gomes, Rich:
> At the moment, we are not sure how they are doing this.
> It is showing up in RUF data and thus presented in our DMARC portal as "a new 
> key was identified"
> We are trying to vet out how that could happen so we can close 
> whatever gap is allowing it

RUF reports DMARC failures, presumably because both SPF and DKIM failed. Anyone 
can send email with a failing DKIM-Signature: header that identifies some 
non-existent public key in DNS (using the DKIM signature tags 'd=' and 's='). 
Sending email that fails SPF is even easier, no header needed.

That does not require tricks such as header injection.

> > We are trying to mimic an issue we are having with bad actors 
> > inserting fraudulent DKIM keys into a header in an attempt to spoof 
> > one of our domains.

There are no keys in DKIM-Signature: headers, only substrings of the DNS path 
(the signature tags 'd=' and 's=').

        Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
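
Added example, not part of the thread and not Postfix code: a triage helper that extracts the 'd=' and 's=' tags discussed above from a DKIM-Signature: header value, builds the DNS name a verifier would look up, and checks the selector against the ones a domain actually publishes. The selector allowlist, the function names and the sample header are constructed assumptions.

```python
import re

# Selectors each domain really publishes in DNS (constructed, hypothetical values).
KNOWN_SELECTORS = {"example.com": {"mail2024"}}

# Constructed sample header value, folded across lines as it would be on the wire.
SAMPLE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
    "\ts=bogus2025; h=from:to:subject;\r\n"
    "\tbh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ="
)


def parse_tags(value):
    """Unfold the header value and split it into DKIM tag=value pairs."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    tags = {}
    for part in unfolded.split(";"):
        name, sep, val = part.partition("=")  # base64 values may contain '='
        if sep:
            tags[name.strip()] = val.strip()
    return tags


def classify(value, known=KNOWN_SELECTORS):
    """Report which DNS name a verifier would query and whether we publish it."""
    tags = parse_tags(value)
    if not tags.get("d") or not tags.get("s"):
        return {"status": "malformed", "query": None}
    domain, selector = tags["d"].lower(), tags["s"].lower()
    query = f"{selector}._domainkey.{domain}"
    if selector in known.get(domain, set()):
        status = "known-selector"
    else:
        # The sender only named this selector; nothing was added to our DNS.
        status = "unknown-selector"
    return {"status": status, "query": query}


if __name__ == "__main__":
    print(classify(SAMPLE))
```

An "unknown-selector" result for a header taken from a failure report means the message merely named a selector the domain does not publish, which matches the explanation in the reply above.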