On Fri, Feb 17, 2023 at 9:49 AM Michael Thomas <m...@mtcc.com> wrote:
>
> Which brings up another question which is applicable to the problem
> statement: are mailbox providers like gmail, hotmail, etc getting abused
> from these replays? Some spam from whokn...@hotmail.com doesn't seem
> like a very good address from arriving spam. For that matter, do bulk
> senders even allow their domain to be the From domain? It seems like a
> pretty easy way to not affect their reputation is to require that the
> mail be sent in the name of somebody else's domain.
>

There's a good amount of bulk mail sent with d= that doesn't match the visible From domain. Those signatures are typically used for DKIM based complaint feedback loops, and because they grant reputation to "mom&pop" non-technical customers who either don't own a domain or haven't set up DKIM yet. That DKIM d= domain has reputation on its own, independent from the visible From domain reputation.

While I'm sure some replay spam is sent where there is a match between these two domains, it's entirely possible that attackers tend to prefer unaligned signatures, because that prevents the replay spam from showing on DMARC reporting for the d= domain being replayed.

Taking Alessandro's idea a bit further with that fact in mind - what if we had DMARC-style reporting specific to the d= domain? That could give us useful data about where/when signatures are being used, and if/when they are breaking.
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
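An added example, not part of the original message or of any DKIM/DMARC implementation: a receiver-side check that reports, for each DKIM-Signature on a message, whether its d= domain is aligned with the visible From domain, which is what decides whether the signing domain's owner would see the message in DMARC aggregate data. The function names and sample messages are constructed, and `org_domain` assumes the last two labels form the organizational domain where a real evaluator would use the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain):
    # Assumption: last two labels approximate the organizational domain.
    # A real DMARC evaluator derives this from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def signing_domains(msg):
    """Return the d= tag of every DKIM-Signature header on the message."""
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        unfolded = re.sub(r"\s+", "", value)  # drop folding whitespace
        tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
        if "d" in tags:
            domains.append(tags["d"].lower())
    return domains


def classify(raw):
    """Return (from_domain, {d_domain: aligned?}) using relaxed alignment."""
    msg = message_from_string(raw)
    address = parseaddr(msg.get("From", ""))[1]
    from_domain = address.rpartition("@")[2].lower()
    alignment = {
        d: org_domain(d) == org_domain(from_domain)
        for d in signing_domains(msg)
    }
    return from_domain, alignment


# Constructed sample: a provider signs with its own d= for a customer's From.
UNALIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=esp.example; s=s1;\n"
    " h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: Shop <shop@customer.example>\n"
    "Subject: sale\n\nbody\n"
)
# Constructed sample: the signing domain is a subdomain of the From domain.
ALIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=mail.brand.example; s=s1;\n"
    " h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
    "From: News <news@brand.example>\n"
    "Subject: update\n\nbody\n"
)

if __name__ == "__main__":
    for raw in (UNALIGNED, ALIGNED):
        print(classify(raw))
```

DMARC aggregate reports are addressed according to the From domain's policy record, so a `False` entry marks a signature whose d= owner gets no report for that message.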