On Wed, Dec 14, 2022 at 3:54 PM Jim Fenton <[email protected]> wrote:
> I’m not an ESP, of course, but it seems like they need to do more vetting
> of new customers (like perhaps manually reviewing their mailings) until
> they are convinced those new customers are good actors. I realize this is
> an expensive thing to do, but the ESPs are, after all, loaning their good
> email reputation to their customers and they need to protect that. Because
> of relays, this needs to be done even if those customers appear to be
> sending to a relatively small list of recipients.

As pointed out in another response, the amplification factor of replays means that signup anti-spam systems which are 99% effective are not good enough; even manual review is imperfect at scale. All it takes is a single malicious account to get through review, and you can have millions of replays happening.

Responding more generally to some of the other questions about the structure of these messages/attacks, and why various proposed detection methods aren't useful:

- SPF? They just change the MFROM, which can't be signed; no mechanism exists that enforces DKIM d= and MFROM domain alignment, and a significant amount of legitimate mail does not align between those two domains, so that's not a useful reputation identifier.
- DMARC? The attacker controls the From domain, or uses a shared domain with no DMARC record or with a p=none record.
- DNSBLs? Most DNSBLs don't have spamtrap representation at large consumer mailbox providers, so they're blind to this spam.
- Limited IPv4 space? You can find a lot of non-sequential, clean enough IPs if you spend time and effort on it. (And they do.)
- Large sets of RCPT TOs? Attackers replay messages individually instead, just like legitimate high-volume email delivery systems.
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
