> On 12 Dec 2022, at 14:34, Murray S. Kucherawy <[email protected]> wrote:
> 
> On Mon, Dec 12, 2022 at 1:13 AM Alessandro Vesely <[email protected] 
> <mailto:[email protected]>> wrote:
> > The alternative is to say: Well, if you can't make at least one of those
> > two quantities bulletproof, then don't sign your mail.  That, though,
> > sounds a lot to me like tossing DKIM in the bin.
> 
> On the contrary, if Gmail restricted signing to accountable users only, its 
> signatures would gain value.  If they started doing so it would soon be 
> noticed, and signatures would acquire a meaning in delivery decisions.
>  
> Is the cost of imposing a program that vets every user comparable to that of 
> the damage caused by this attack vector?  My impression is that it is not.

I’m not aware of Gmail being a significant victim here - although it’s possible 
they are. 

> Endowing signatures with a significant value increases the overall value of 
> DKIM.
> 
> Presumably they already have significant value.  That's why this attack works 
> already.

They’re an identity of a known sender that invests time and resources into 
building and managing their reputation. Google? Maybe not. But the email 
service providers who do a lot to keep the spammers off their network are a 
common victim. These spammers know that they get better delivery if their mail 
is signed by the email service provider. The email service provider’s detectors 
and defenses are enough to stop the spammer from being able to send through the 
ESP. So the spammer sends one email to an account they own and takes a 
reputation they’ve already been told they shouldn’t be using. 

A DKIM signature is an identity. That identity has a reputation. Attacks that 
borrow the identity belonging to senders with good reputation benefit from that 
reputation. It’s not about any DKIM signature. It’s not about a random DKIM 
signature. It’s about a known entity. Even if Gmail only signed mail from 
accountable users, there is still the possibility of spammers posing as 
accountable users. 

The whole idea of a DKIM replay attack is that this is mail that cannot be 
directly sent through the infrastructure of the domain owner. That, itself, 
implies the domain owners are doing quite a bit to stop the spam from coming 
out of their network. If they weren’t doing a good job then replay attacks 
wouldn’t be happening - the mail would just be sent over that network directly. 

Asking for the domain owners to “stop sending spam” when the whole replay 
process indicates they are stopping spam out of the networks they control seems 
a bit of a non-starter to me. 

> The question is whether we should proclaim that the bar needs to be even 
> higher, maybe even an all-or-nothing proposition.  I'm suggesting that's not 
> a good idea.

Agreed. 

laura

-- 
The Delivery Experts

Laura Atkins
Word to the Wise
[email protected]

Email Delivery Blog: http://wordtothewise.com/blog

_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim