On Mon, Feb 13, 2023 at 10:42 AM Michael Thomas <[email protected]> wrote:
>
> On 2/13/23 2:49 AM, Laura Atkins wrote:
> >
> > Basically saying if you're not filtering outbound mail for abuse,
> > you're part of the problem.
> >
> > I don’t see how that’s relevant to the discussion here.
> It's extremely relevant. If you don't want to be viewed as a spamming
> domain, do your part to not send spam. This really isn't rocket science.
> >
> > Most of the outbound mail is not detectable as spam (it’s not sent in
> > bulk and it is sent to opt-in email addresses). So it won’t catch the
> > send-one-message-to-myself case. If we’re looking at linking to spam
> > landing sites, it’s trivial for the site to show one thing during the
> > initial send and then be a wholly different site when it’s sent by the
> > spammer.
> According to some others here, the spammers have to go to elaborate ends
> to not have it detected as spam. I don't recall if they specified
> whether it was incoming or outgoing (or both) that they needed to evade.
>

Both - the spam group executing these replay attacks engages in extensive testing to identify and exploit any weakness in inbound and outbound filters. DKIM replay using a good-reputation signing domain is one way through certain inbound filters. Manual testing of different content, to find what's least suspicious, is a way through both outbound and inbound filters. (DKIM replay is not their only way through inbound filters, but it's what we're here to talk about.) No reasonable large-scale sender operates without outbound filtering, but given how much time this spam group spends finding content that passes filtering, and the high amplification factor of replay (1 million to 1 is not unheard of), outbound filtering is a minimally effective defense against replay.

_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
