> For this to work, you somehow need to persuade the real system to send
> you a signed message from the address you're planning to abuse.  That
> seems like an implausible amount of work.

I agree it sounds like a lot of work.  But I don't see why you would
bother attacking the resigning system at all, if you're not trying to
exploit acquaintanceship relations.  Just send apparently from a
sibling domain.

That's just what they do, or they send from random addresses, expecting (usually correctly) that the recipient will only see the From: comment and not the bogus address. A couple of the people on my church's mailing list got their AOL or Yahoo address book stolen, and the list software catches spam like that all the time, since of course it looks at the address.

> If you can get the real system to send you a message to re-sign,
> why not just have it send the spam?

Because you can't get the real system to send spam, but you can get a
user with a mailbox on that system to get it to send you a message to
resign.

Right, and now you can do one teensy spam run until the weak signature expires, or the re-sending system's reputation drops to the point where nobody accepts its mail, or adaptive systems like Google's recognize the person's address as a reliable spam sign. If you can't use a spamming system to send a million messages a day and expect a fair number of them to be delivered, it's not interesting. Like I keep saying, while you can imagine hypothetical spam scenarios, it's hard to think of one that would be effective enough to be worth the effort, particularly compared to just using a fake address with the person's name as the From comment.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

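As an added illustration of the two checks the thread leans on (not code from the list or from any list software), here is a small Python sketch of what "looking at the address" means in practice: the From: header is split into display name (the "comment") and addr-spec, and only the addr-spec is matched against the subscriber list, so a message whose display name is a member's name or even a member's address but whose real address is something random is flagged rather than accepted. A second function reads the x= tag of a DKIM-Signature header so a replayed signature is refused once it has expired. The subscriber list, names, selector and timestamps are all constructed for the example.

```python
"""Added example, not from the dmarc thread: From: comment vs. addr-spec
check as list software does it, plus a DKIM-Signature x= expiry check."""
import re
import time
from email import message_from_string
from email.utils import parseaddr

# Constructed subscriber roster (hypothetical addresses and names).
SUBSCRIBERS = {
    "alice@example.org": "Alice Smith",
    "bob@example.net": "Bob Jones",
}

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def classify_from(from_header, subscribers=SUBSCRIBERS):
    """Return (verdict, display_name, addr) for a From: header value.

    Only the addr-spec decides membership; the display name is consulted
    solely to spot the usual spoofing trick of putting a member's name or
    address into the comment while the real address is something else.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in subscribers:
        return ("member", name, addr)
    member_names = {v.lower() for v in subscribers.values()}
    embedded = ADDR_RE.search(name)
    if embedded and embedded.group(0).lower() != addr:
        # Display name is itself an address that differs from the real one.
        return ("display-name-spoof", name, addr)
    if name.strip().lower() in member_names:
        # Member's name used as the From: comment on a non-member address.
        return ("display-name-spoof", name, addr)
    return ("non-member", name, addr)


def dkim_tags(sig_header):
    """Parse a DKIM-Signature header value into its tag=value pairs.
    Whitespace inside values (folded b= / bh=) is stripped."""
    tags = {}
    for part in sig_header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def signature_expired(sig_header, now=None):
    """True if the signature carries an x= (expiry) tag that is in the past.
    A signature without x= never expires on its own (RFC 6376 section 3.5)."""
    tags = dkim_tags(sig_header)
    if "x" not in tags:
        return False
    now = time.time() if now is None else now
    return int(tags["x"]) < now


def check_message(raw, now=None, subscribers=SUBSCRIBERS):
    """Combine both checks on a raw RFC 5322 message; returns a dict."""
    msg = message_from_string(raw)
    verdict, name, addr = classify_from(msg.get("From", ""), subscribers)
    sig = msg.get("DKIM-Signature")
    return {
        "from_verdict": verdict,
        "from_addr": addr,
        "dkim_expired": signature_expired(sig, now) if sig else None,
    }


# Constructed sample message: a member's name on a random address, with a
# replayed signature whose x= lies in the past relative to the given clock.
SAMPLE = (
    "From: Alice Smith <x7q@random.example>\r\n"
    "To: list@example.org\r\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel;\r\n"
    "  t=1700000000; x=1700003600; h=from:to; bh=AAA=; b=BBB=\r\n"
    "Subject: hi\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    print(check_message(SAMPLE, now=1700004000))
```

The spoof check above catches only the crude case of a matching name or address in the comment; an address that merely resembles a member's is left to whatever similarity heuristics a particular list runs, which the thread does not describe.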