On 12/11/22 1:55 PM, Murray S. Kucherawy wrote:

On Sun, Dec 11, 2022 at 1:41 PM Michael Thomas <[email protected]> wrote:

No, I mean that if the number of RCPT-TO's is large, it's
suspicious. Even if they do individual SMTP transactions it will
have the same (signed) Message-Id so that's not evadable either
in theory.

In the transaction where the signature is applied, there's only one
envelope recipient. When I'm executing the attack, I could do one
envelope per recipient if I'm worried about being detected that way.
If Message-ID isn't covered by the header hash, it can be unique per
envelope.

The spammer doesn't control what the signer signs, of course.

There was a suggestion that the "bh=" could be required to be unique
per MX to avoid replays, but that becomes a potentially gigantic hash
table, so now there's a resource problem imposed on the
receiver/verifier. Even if you key it on Message-ID, you have the
same resource problem.

I dunno, how common is Bcc'ing in real life? I imagine the percentage of
users knowing about it is pretty low. So it would likely be from other
things like marketing campaigns which are certainly common, but also
often is not distinguishable from spam. I don't have any insight into
what good spam filters do, but large RCPT-TO lists seem like they are a
good reason to cast doubt a priori. Given that legit messaging often
ends up in my spam box, it seems plausible they are using it as a signal.

But I want to return to my previous point of whether reputation is even
quantifiable, and whether somebody has actually gone out and researched
it. We can say that this is a problem in theory, but do we have any data
to back it up? I kinda think that should be table stakes before talking
about rechartering.

Mike
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
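
The receiver-side bookkeeping discussed in the thread above (tracking "bh=" per verifier, and the hash-table cost that comes with it), sketched as an added example that is not part of the original message or of any DKIM implementation. The `ReplayCounter` class, its size cap and time window, and the sample signature are all assumptions made for illustration.

```python
from collections import OrderedDict

def dkim_tags(header_value):
    """Parse a DKIM-Signature tag list (tag=value pairs separated by ';')."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            # Folding whitespace inside a value (e.g. in bh=) is not significant.
            tags[name.strip()] = "".join(value.split())
    return tags

class ReplayCounter:
    """Counts sightings of the same (d=, bh=) pair within a time window.

    Memory is capped at max_entries. That cap is the trade-off raised in the
    thread: an evicted key is forgotten, so its next sighting counts from 1.
    """
    def __init__(self, max_entries, window_seconds):
        self.max_entries = max_entries
        self.window = window_seconds
        self.seen = OrderedDict()  # (d, bh) -> (first_seen, count)

    def observe(self, header_value, now):
        tags = dkim_tags(header_value)
        key = (tags.get("d", "").lower(), tags.get("bh", ""))
        first_seen, count = self.seen.pop(key, (now, 0))
        if now - first_seen > self.window:
            first_seen, count = now, 0        # window expired: start over
        count += 1
        self.seen[key] = (first_seen, count)  # re-insert as most recent
        while len(self.seen) > self.max_entries:
            self.seen.popitem(last=False)     # evict least recently seen
        return count

# Constructed sample: one signed message delivered in separate
# single-recipient transactions carries the same d= and bh= every time.
SAMPLE_SIG = ("v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:subject;\r\n"
              " bh=Q09OU1RSVUNURUQtQk9EWS1IQVNI\r\n  LVBMQUNFSE9MREVS; b=AAAA")

def demo():
    counter = ReplayCounter(max_entries=2, window_seconds=3600)
    counts = [counter.observe(SAMPLE_SIG, now=t) for t in (0, 10, 20)]
    # Two unrelated messages push the repeated key out of the 2-entry table.
    for i in range(2):
        counter.observe(f"v=1; d=other.example; bh=hash{i}=; b=BBBB", now=30)
    counts.append(counter.observe(SAMPLE_SIG, now=40))
    return counts
```

The count climbs while the key stays in the table and resets once unrelated traffic evicts it, so the table size a verifier can afford bounds how much repetition it can notice.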