> On 27 Nov 2022, at 18:48, Dave Crocker <d...@dcrocker.net> wrote:
> 
> On 11/26/2022 5:38 PM, Jim Fenton wrote:
>> Not Safe: It’s not safe because it breaks Barry’s use case above, and others 
>> have pointed out MUA usage of the signature. 
> 
> DKIM signature survival after delivery is not a goal for DKIM. If you feel 
> otherwise, you are seeking an expansion of DKIM's purpose.

This is actually the first I’ve heard this asserted. Do you have some history 
to back this up?

>> Not Effective: Attackers can easily circumvent this by running their own MX 
>> (if they don’t do that already) as Laura and others have pointed out.
> 
> "Easily" is easy to say, but often difficult to measure or, at least, get 
> consensus on.
> 
> The difference between being able to use an established receiving site, for 
> the conduct of the replay, versus having to have one's own receiving site, is 
> not zero expense or effort.

A DKIM replay attack, in and of itself, is not zero expense or effort. The 
extra little bit of throwing up a postfix machine to receive one email is 
trivial in the whole process of standing up spam cannons. The amount of effort 
and expense professional spammers go to in order to get past filters is 
significant. [1]

> By way of example, open SMTP relays were deemed unacceptable. And they still 
> are.  Broadly speaking, having receivers remove the DKIM signature is a 
> version of the same design thinking.
> 
> Or perhaps you think open relays are ok, since, after all, attackers can 
> easily circumvent this?

This seems unreasonably snarky and a personal attack. 

>> We should move on to better ideas.
> 
> Or, we might have thoughtful discussion, that engages carefully with the 
> substance, before discarding suggestions.

I’m not sure why you have settled on stripping the DKIM header as the solution, 
but it’s not going to be. It’s not even going to slow the folks using DKIM 
replay down (hint: most of the evidence I’ve seen shows that the attackers are 
ALREADY using their own MTAs to receive the emails). Multiple people have 
explained why this isn’t a solution. There’s no point in wasting time on a 
discussion. Let’s move on to something that will actually address the problem. 

laura

[1] I’m not sure where or why this myth that “spammers won’t pay for anything” 
and “a small incremental cost is sufficient to stop spammers from a particular 
technique” came from. It’s deeply wrong and misguided. I’ve been on the phone 
with spam gangs who are spending tens of thousands a month on infrastructure 
and running custom code and doing BGP tricks to avoid port25 blocking and a 
whole host of other things that cost money, time and other resources. 

-- 
The Delivery Experts

Laura Atkins
Word to the Wise
la...@wordtothewise.com         

Email Delivery Blog: http://wordtothewise.com/blog      






_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
