I agree that a large number of recipients is not a requirement for replay attacks. Abusers that target many mailboxes tend to get more attention than those that target small numbers (or one) due to their ability to negatively impact a sender's ability to send mail, and so that's the style of attack that gets discussed the most when talking about mitigation or prevention strategies.
I think the definition of replay requires at least two distinct destination addresses:

1) The originating system's intended recipient for the message. Likely an address under the abuser's control, but message harvesting could happen without this control.

2) The recipient of the replayed message.

Without at least these two distinct addresses, the message is presumably being generated with the intent of being delivered to the address that received it. While technically one could redeliver a message to the same address many times, IMO this style of abuse has far less value, so there's less motivation to try to prevent it.

On Sun, Apr 20, 2025, 4:01 a.m. Dave Crocker <[email protected]> wrote:

> I'm not finding the post, but there was an assertion that DKIM Replay
> requires the redistribution to be to /multiple/ recipients.
>
> I do not see that as essential to the nature of the abuse.
>
> One can imagine a spearphishing scenario which uses it for a single
> recipient. While no, I doubt that is done, and yes, discussion is
> always about many additional recipients, I do not see why its technical
> or semantic core requires it.
>
> Rather, that core is simply re-use of the domain name reputation, by
> distributing the message further, while retaining the original DKIM
> signature.
>
> d/
>
> --
> Dave Crocker
>
> Brandenburg InternetWorking
> bbiw.net
> bluesky: @dcrocker.bsky.social
> mast: @[email protected]
>
> _______________________________________________
> Ietf-dkim mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
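The "technical core" described in the quoted message (re-use of the signing domain's reputation by redistributing a message with its DKIM signature intact) and the two-address framing in the reply can both be shown with a small signer/verifier. The following is an added example for this page, not code from the thread or from any DKIM implementation. It assumes: placeholder domains (bigsender.example, attacker.example, example.net), a placeholder selector "sel", a constructed message, a header canonicalization that is a simplified version of RFC 6376 relaxed mode rather than a conforming one, and a RecipientMismatch heuristic that is my own illustration of a verifier-side check, not something the thread proposes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

type Message struct {
	EnvelopeRcpt string   // SMTP RCPT TO: never covered by the signature
	Headers      []string // "Name: value", unfolded; with Body, what DKIM signs
	Body         string
}

func header(m Message, name string) string {
	for _, h := range m.Headers {
		if n, _, ok := strings.Cut(h, ":"); ok && strings.EqualFold(strings.TrimSpace(n), name) {
			return h
		}
	}
	return ""
}

// relaxed is a simplified RFC 6376 "relaxed" header canonicalization (assumption: not conforming).
func relaxed(line string) string {
	n, v, _ := strings.Cut(line, ":")
	return strings.ToLower(strings.TrimSpace(n)) + ":" + strings.Join(strings.Fields(v), " ")
}

func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(body))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signedInput is what b= covers: the h= headers in order, then the DKIM-Signature field with b= empty.
func signedInput(m Message, hNames []string, sigHeader string) []byte {
	var b strings.Builder
	for _, n := range hNames {
		if h := header(m, n); h != "" {
			b.WriteString(relaxed(h) + "\r\n")
		}
	}
	b.WriteString(relaxed(sigHeader))
	return []byte(b.String())
}

func Sign(m Message, key *rsa.PrivateKey, d string, hNames []string) string {
	hdr := fmt.Sprintf("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=sel; h=%s; bh=%s; b=",
		d, strings.Join(hNames, ":"), bodyHash(m.Body))
	digest := sha256.Sum256(signedInput(m, hNames, hdr))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:]) // cannot fail for a valid key
	return hdr + base64.StdEncoding.EncodeToString(sig)
}

// Verify checks bh= and b=. Note what it never reads: m.EnvelopeRcpt. That is why a replayed copy passes.
func Verify(m Message, pub *rsa.PublicKey) bool {
	sigHdr := header(m, "DKIM-Signature")
	i := strings.LastIndex(sigHdr, "; b=") // b= is the final tag Sign emits
	tags := map[string]string{}
	for _, t := range strings.Split(sigHdr[strings.Index(sigHdr, ":")+1:], ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(t), "="); ok {
			tags[k] = v
		}
	}
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if i < 0 || err != nil || tags["bh"] != bodyHash(m.Body) {
		return false
	}
	digest := sha256.Sum256(signedInput(m, strings.Split(tags["h"], ":"), sigHdr[:i+4]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// RecipientMismatch is a verifier-side heuristic (my assumption, not from the thread): envelope recipient
// absent from the signed To: field. Bcc and ordinary forwarding trip it too, so it is a signal, not proof.
func RecipientMismatch(m Message) bool {
	return !strings.Contains(strings.ToLower(header(m, "To")), strings.ToLower(m.EnvelopeRcpt))
}

// Replay: signed for the attacker's own mailbox (address 1), resubmitted unchanged to address 2.
func Replay() (origOK, replayOK, flagged bool) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	orig := Message{ // constructed sample; every domain here is a placeholder
		EnvelopeRcpt: "harvest@attacker.example",
		Headers:      []string{"From: Alerts <alerts@bigsender.example>", "To: harvest@attacker.example", "Subject: Action required"},
		Body:         "Please confirm at the link below.\r\n",
	}
	orig.Headers = append([]string{Sign(orig, key, "bigsender.example", []string{"from", "to", "subject"})}, orig.Headers...)
	replayed := orig                             // headers, body and signature untouched
	replayed.EnvelopeRcpt = "victim@example.net" // only the SMTP envelope changes
	return Verify(orig, &key.PublicKey), Verify(replayed, &key.PublicKey), RecipientMismatch(replayed)
}

func main() {
	fmt.Println(Replay()) // true true true
}
```

Signing the To: field (it is in h= above) does not help: the replayer keeps every signed header and the body byte-for-byte and changes only the envelope, which the signature never covered. Any defense therefore has to come from something outside the signature itself, which is why the check here compares the envelope against the signed To: and why it can only be a reputation signal rather than a hard failure.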
