On 2/17/23 4:51 PM, Evan Burke wrote:


On Fri, Feb 17, 2023 at 9:49 AM Michael Thomas <m...@mtcc.com> wrote:


    Which brings up another question which is applicable to the problem
    statement: are mailbox providers like gmail, hotmail, etc getting abused
    from these replays? Some spam from whokn...@hotmail.com doesn't seem
    like a very good address from arriving spam. For that matter, do bulk
    senders even allow their domain to be the From domain? It seems like a
    pretty easy way to not affect their reputation is to require that the
    mail be sent in the name of somebody else's domain.


There's a good amount of bulk mail sent with d= that doesn't match the visible From domain. Those signatures are typically used for DKIM based complaint feedback loops, and because they grant reputation to "mom&pop" non-technical customers who either don't own a domain or haven't set up DKIM yet. That DKIM d= domain has reputation on its own, independent from the visible From domain reputation.

That's a good point about just signing it with your own domain's key. I've been looking at some of my marketing mail and it looks like that's relatively common.

Seems like a tradeoff of ease of deployment vs. being a mark for spammers. Of course mom and pop's domain will likely have little reputation, but some of the mail I looked at was plenty big enough to develop its own reputation. This is of course mostly a business domain problem which this wg can't really say much about.


While I'm sure some replay spam is sent where there is a match between these two domains, it's entirely possible that attackers tend to prefer unaligned signatures, because that prevents the replay spam from showing on DMARC reporting for the d= domain being replayed.

Which, of course, you are free to say no to.

Mike
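The d= vs. From alignment the thread turns on, as an added example that is not part of the thread or of any DKIM implementation: it extracts the DKIM d= tag and the visible From domain from constructed sample headers and evaluates DMARC strict and relaxed alignment. The organizational-domain rule is a two-label simplification (real evaluators use the Public Suffix List), and the sample domains are made up.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not from the thread). The first is bulk mail signed
# by an ESP's own d= that does not match the visible From; the second is aligned.
UNALIGNED_MSG = (
    "From: Mom & Pop Shop <news@mompopshop.example>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=esp-bulk.example; s=sel1;\n"
    "  h=from:to:subject; bh=...; b=...\n"
)
ALIGNED_MSG = (
    "From: Mom & Pop Shop <news@mail.mompopshop.example>\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=mompopshop.example; s=sel1;\n"
    "  h=from:to:subject; bh=...; b=...\n"
)


def parse_dkim_tags(header_value):
    """Parse the tag=value list of a DKIM-Signature header (RFC 6376 tag-list)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)  # b= values contain '=' padding
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def org_domain(domain):
    """Organizational domain. Simplification (assumption): last two labels;
    a real DMARC evaluator derives this from the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dkim_alignment(raw_message):
    """Report whether the DKIM d= domain aligns with the RFC5322.From domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    d = parse_dkim_tags(msg.get("DKIM-Signature", "")).get("d", "").lower()
    return {
        "from_domain": from_domain,
        "d": d,
        "strict": bool(d) and d == from_domain,
        "relaxed": bool(d) and org_domain(d) == org_domain(from_domain),
        # DMARC aggregate reports are keyed to the From domain, so an unaligned
        # replay of this signature is reported (if at all) there, not to d=.
        "reported_to": from_domain,
    }
```

Running both samples through dkim_alignment shows why an unaligned d= keeps replayed mail out of the signing domain's own DMARC reports.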
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
