On Sat, Dec 10, 2022 at 7:42 PM Michael Deutschmann <[email protected]> wrote:
> It's a bit annoying that after almost two weeks, the only responses in
> this thread have been about this side issue, with my main point
> unaddressed.

As I read your original post, it was about DKIM+DMARC being an anti-forgery tool, not an anti-spam tool. While that may be true, what's being discussed is the replay attack involving DKIM irrespective of DMARC. DKIM's not an anti-forgery tool by itself. The domain in the "d" tag doesn't have to be the same as the domain in the From field for a signature to be valid. The problem being brought to this community is that replay -- which in 2011 we didn't think would be a big deal -- has apparently become a problem. The focus is dealing with this in DKIM, if possible, irrespective of how it might impact DMARC. Since the focus of your original post seemed to be at a level above where DKIM does its work, I thought it was unrelated to the problem being discussed.

> If your configuration is not Baka, then you have nothing to fear from the
> replay attack. The replay attack only allows an attacker to pretend to
> *continue* to own an e-mail address they just lost; it never lets them
> impersonate someone who already has a good reputation.

Pop culture references aside, I don't follow this. If I send a piece of spam from this account to another, it will be signed by Gmail (assuming their filters pass it). Then from that other account I can spray it to as many recipients as I want so long as the only thing I change is the envelope. The signature remains intact, and its delivery to those domains checking such things will be predicated on the validity of that signature. I haven't "lost" my email address; I can repeat this attack as many times as I want. And I (via Gmail) have a globally good reputation. This is the concern that I understand is being discussed.

> If you are Baka but apply a downscore for blind-carbon-copy of
> equal-or-greater magnitude than your Baka upscore, you are also immune to
> the replay attack. But you will still be wide open to other spammers.

First, if this is the advice verifiers/receivers should be applying, then it would be a good idea to write it down someplace so it can be found. I don't know that this has been done yet. Has it? Second, how would one establish "magnitude" given that the final recipient has no idea what the original envelope looked like?

-MSK
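Added illustration, not part of the thread: the following Python computes, with the standard library only, exactly what a DKIM verifier hashes under RFC 6376 relaxed canonicalization (the body hash bh= and the header data that b= signs). The message, domains and selector are constructed sample values; the point for a receiver is that the SMTP envelope is in neither input, so re-sending the same bytes to a different envelope recipient leaves the signature valid.

```python
import base64
import hashlib
import re
# Constructed sample. d= differs from the From: domain; DKIM itself allows that.
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=signer.example;\r\n"
    "\ts=sel; h=From:To:Subject; bh=; b=\r\n"
    "From:  Alice <alice@sender.example>\r\n"
    "To: bob@recipient.example\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "Body line one   \r\n"
    "  line  two\r\n"
    "\r\n"
)

def split_message(raw):
    # Unfolded header lines (continuations start with WSP) and the body.
    head, _, body = raw.partition("\r\n\r\n")
    return re.split(r"\r\n(?![ \t])", head), body

def canon_header(line):
    # RFC 6376 relaxed: lowercase name, unfold, squeeze WSP, strip the value.
    name, _, value = line.partition(":")
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return name.strip().lower() + ":" + value + "\r\n"

def canon_body(body):
    # RFC 6376 relaxed: strip trailing WSP, squeeze WSP, drop trailing empty lines.
    lines = [re.sub(r"[ \t]+", " ", l.rstrip(" \t")) for l in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(l + "\r\n" for l in lines)

def verifier_inputs(raw):
    # (bh, data) as a verifier computes them; the SMTP envelope is in neither.
    headers, body = split_message(raw)
    sig = next(h for h in headers if h.lower().startswith("dkim-signature:"))
    bh = base64.b64encode(hashlib.sha256(canon_body(body).encode()).digest()).decode()
    names = re.sub(r"\s", "", re.search(r"\bh=([^;]+)", sig).group(1)).split(":")
    pool, data = list(headers), []
    for name in names:  # each h= entry consumes the lowest remaining match
        for i in range(len(pool) - 1, -1, -1):
            if pool[i].partition(":")[0].strip().lower() == name.lower():
                data.append(canon_header(pool.pop(i)))
                break
    # The signature header itself goes last, with b= emptied and no CRLF.
    data.append(canon_header(re.sub(r"\bb=[^;]*", "b=", sig)).rstrip("\r\n"))
    return bh, "".join(data)
```

A receiver that wants to reason about replay therefore has to look at things outside these two values (for example RCPT TO versus the signed To:), which is exactly the "magnitude" question raised above.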
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
