On Wed, Feb 15, 2023 at 8:16 PM Murray S. Kucherawy <superu...@gmail.com> wrote:
> On Wed, Feb 15, 2023 at 2:21 PM Michael Thomas <m...@mtcc.com> wrote: > >> >> There's also the question of whether "x=" is properly enforced. RFC 6376 >> says verifiers "MAY" choose to enforce it. I think I asked about this at a >> conference recently and was told that it's not universally supported by >> implementations. >> >> Others have said that the enforcement is pretty good. But I have no way >> to evaluate if that's true. >> > > I don't think we're saying different things. I remember the point of the > answer I got in that session being that most, but not all, implementations > check or enforce signature expiration. But that means if "x=" is the > solution we land on, we have to accept that a possibly-significant part of > the ecosystem won't be able to use that solution. > > Then again, anything new we roll out is going to take a while to become > universal anyway. > The short version is that x= works where it matters at the moment. As far as I've seen and heard from others, DKIM replay spam currently focuses heavily on replaying to recipients at just a few of the top 10 global mailbox providers. This is for reasons of economies of scale - roughly speaking, it might be viable to spend 1000 hours finding a way through the filters of a provider operating 200 million mailboxes, where it is not for a provider hosting 20 million. This is part of why I don't think we'll see replay attacks expand significantly to more domains; replay is just one ingredient in a larger spam recipe that takes a lot of other fine-tuning to achieve its intended effect. This has implications for rollout as well. I think the ideal solution would enable affected signers/verifiers to deal with the problem, while everyone else can ignore it entirely (until/unless they do see a problem). I think a count-based approach could do exactly that.
_______________________________________________ Ietf-dkim mailing list Ietf-dkim@ietf.org https://www.ietf.org/mailman/listinfo/ietf-dkim