On Tue 08/Aug/2023 16:47:23 +0000 Murray S. Kucherawy wrote:
On Tue, Aug 8, 2023 at 9:25 AM Alessandro Vesely <ves...@tana.it> wrote:
On Tue 08/Aug/2023 14:47:37 +0000 Murray S. Kucherawy wrote:
On Tue, Aug 8, 2023 at 7:17 AM Scott Kitterman <ietf-d...@kitterman.com> wrote:

That's true of all indirect mail flows. It's not a distinguishing feature of the attack.

Quite right, making this harder to pin down.

But, to Alessandro's point, I do think the description in the document is accurate.

Agreed, except for narrating an actual case.  However widespread, there
are people like me who never recognized a replay attack.

What do you mean by "narrating an actual case"?  Section 1.1 does contain a
narrative of how one executes the attack.


Yes, it says DKIM Replay is impossible to detect or prevent with current standards and practices. However, it must have been recognized well enough to grasp the described modus operandi.


Are you talking about a narration of how one detects the attack, as
distinct from a typical indirect mail flow?


I guess a replay attack must engage multiple abuse teams, because of the size. Is the alarm triggered by users reporting many messages as spam? How many abuse teams at different organizations get involved? What is the size of the attack? What emergency measures are taken? At what stage does it become clear that a spam tide is a Replay Attack? What difference does it make such recognition?

I admit these questions are much out of curiosity, but knowing those details could help framing possible solutions. Being completely ignorant about operations at large providers, I don't understand why the research steadfastly turns toward hard flying protocol changes rather than, for example, also investigating how to tune signing policies based on exchanged user reputation, or fast recognition of signed body hashes when they re-emerge from unexpected sources.


Best
Ale
--





_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim

Reply via email to