So... shifting the conversation away from "how to insert multi-line values" to 
"how did this happen"?

We have a web app that uses a wildcard redirect. Some subdomains may be legit, 
i.e. saturday.domain.com; this would go to a specific site for the 
saturday.domain.com site, but the redirect also accepts gibberish.domain.com, 
which would then redirect to the domain.com domain.

What we have noticed in our DMARC portal (we use a third party to manage our 
SPF/DKIM and DMARC settings), is that soon after a redirect occurs for 
gibberish.domain.com, a bad actor will try to send using that subdomain, which 
fails since gibberish.domain.com inherits domain.com's policy of REJECT.

To narrow the focus of this internal investigation, our specific questions are 
below. We are looking for known methods and hypotheticals to aid in our 
investigation.

1 - How are these "sub-domains", which don't actually exist, picked up by bad 
actors?

2 - Since we are only able to add DKIM keys through the DMARC management portal 
or via DNS, how were they "added" to our portal via RUF data?

I am able to actually see a DKIM selector for the bad actor's invalid DKIM key 
in our DMARC portal as if it was added by a member of my team.
Understanding that anyone can use an invalid DKIM key in an email, why don't we 
see this behavior in our other environments?
In other words, if they can be added via RUF data, why don't we see this across 
all of our domains?
Thanks,
Rich
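The question about how a selector nobody published can appear in a DMARC portal is answered in the quoted message below: a DKIM-Signature header is just text the sender writes, so d= can name a real (or wildcard) domain while s= names a selector that was never published. The following is an added example, not code from the thread or from any DMARC vendor. It parses DKIM-Signature headers the way a report processor would (unfolding multi-line headers, splitting the RFC 6376 tag list, mapping d= back to the organizational domain) and flags selectors that are not in the team's own inventory. The sample headers, the selector inventory (`KNOWN_SELECTORS`) and the domain names are all constructed for illustration.

```python
import re
from typing import Optional

# Constructed sample headers (not taken from the thread). The first is the
# shape of forgery described in the thread: a genuine d= domain (a wildcard
# subdomain of ours) combined with an s= selector we never published.
FORGED_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    "\td=gibberish.domain.com; s=notours2025; t=1743300000;\r\n"
    "\th=from:to:subject:date; bh=ZmFrZWJvZHloYXNo; b=ZmFrZS\r\n"
    "\t BzaWduYXR1cmU="
)
LEGIT_HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=domain.com;\r\n"
    "\ts=mail2025; h=from:to:subject:date; bh=cmVhbGJvZHloYXNo; b=cmVhbHNpZw=="
)

# Hypothetical inventory of the selectors the team actually published,
# keyed by the organizational domain that owns them.
KNOWN_SELECTORS = {"domain.com": {"mail2025", "mail2024"}}


def unfold(header_text: str) -> str:
    """Join RFC 5322 folded lines (line break followed by whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header_text)


def parse_dkim_signature(header_text: str) -> dict:
    """Split a DKIM-Signature header into its tag=value pairs (RFC 6376 tag-list)."""
    name, sep, value = unfold(header_text).partition(":")
    if not sep or name.strip().lower() != "dkim-signature":
        raise ValueError("not a DKIM-Signature header")
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing ';'
        tag, eq, val = item.partition("=")
        if not eq:
            raise ValueError(f"malformed tag: {item!r}")
        # Folding whitespace is legal inside tag values (notably b= and bh=),
        # so strip all whitespace rather than only the ends.
        tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags


def organizational_domain(domain: str, known: dict) -> Optional[str]:
    """Walk up the labels of d= until one matches a domain we manage, else None."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in known:
            return candidate
    return None


def classify_signature(header_text: str, known: dict = KNOWN_SELECTORS) -> dict:
    """Decide whether a reported signature uses a selector we actually published."""
    tags = parse_dkim_signature(header_text)
    d = tags.get("d", "").lower()
    s = tags.get("s", "")
    org = organizational_domain(d, known)
    if org is None:
        verdict = "foreign-domain"    # not one of our domains
    elif s in known[org]:
        verdict = "known-selector"    # matches a key we published
    else:
        verdict = "unknown-selector"  # forged s=, or a key nobody recorded
    return {
        "d": d,
        "s": s,
        "org": org,
        "subdomain": org is not None and d != org,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for header in (FORGED_HEADER, LEGIT_HEADER):
        print(classify_signature(header))
```

Run against the forged sample, the classifier reports an unknown selector on a subdomain of domain.com; a portal that simply indexes every selector it sees in failed-signature report data would list that same selector, which is one way an entry can appear "as if added by a member of the team" without anyone touching the portal or DNS.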


-----Original Message-----
From: Wietse Venema via Postfix-users <postfix-users@postfix.org> 
Sent: Saturday, March 29, 2025 4:43 PM
To: Postfix users <postfix-users@postfix.org>
Cc: 'Wietse Venema' <wie...@porcupine.org>; Postfix users 
<postfix-users@postfix.org>
Subject: [pfx] Re: insert multi-line values into header

Gomes, Rich via Postfix-users:
> - This was reported with a RUF report (DKIM signature check failed, new 
> selector). This suggests that they don't have a matching public key in 
> the DNS.
>
> Correct.
> We have never received a new selector notification that we did not add 
> ourselves.
> We are trying to reproduce what likely caused it.

Anyone can forge a DKIM-Signature: header with good d= tag and bad s= tag. This 
does not require header injection, header splitting, or other trickery.

        Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org