On Thu 05/Jun/2025 18:37:06 +0200 Allen Robinson wrote:
I haven't had time to read the DKOR drafts so I'm not sure how it would
work in this case. From the discussion on the list, it seems like it would
be similar to the DKIM2 proposal though, from the perspective of replay
mitigation.
AFAIUI, behaving like DKIM2, for replay, is exactly what DKOR is trying to do.
I think it's fair to say that DKIM2 doesn't make it possible to distinguish
between abusive and non-abusive signing. However, a key aspect of DKIM2 is
that it requires that the abuser sign the message to achieve a DKIM2
passing result. Reputation systems work better when there's an
authenticated identity for the message being evaluated.
Fair enough. As of today, replayed messages can be sent with only the original
signature, since DKIM1 allows a forwarder to add its own signature but does not
require it.
DKIM2 or DKOR -compliant servers can outright reject forwarded messages without
a forwarder signature if the domain has p=reject. Or do we need a new p= for this?
Consider a DKIM2 chain for a message to this mailing list. Your initial
post would have a chain like this
i=1 d=tana.it [email protected] [email protected]
The copy delivered to me would have
i=1 d=tana.it [email protected] [email protected]
i=2 d=ietf.org [email protected] [email protected]
And the copy delivered to Bron would have
i=1 d=tana.it [email protected] [email protected]
i=2 d=ietf.org [email protected] [email protected]
The i=1 signature in copies to me and Bron will be identical, because it's
being replayed legitimately. Similarly, both messages likely contain the
same (probably broken) DKIM signature from tana.it.
Unlike DKIM, this chain provides a clear indication that this is happening
and who is responsible for doing it. It is impossible for someone to replay
any of these three messages (your post, or the copy sent to me or Bron) to
a DKIM2 system with a new recipient and get a passing DKIM2 result because
the recipient listed in the signature would not be the same as the one in
the SMTP transaction. There's also protection in requiring that the chain
be contiguous, so you can't maliciously attach a signature containing your
target recipient unless you have a signing key for the receiving domain of
the previous signature.
Here DKOR is going to differ from DKIM2 as the older signatures, once broken,
can no longer be verified. DKOR is more similar to ARC in this respect.
Now to your question of what happens when the receiving domain is
malicious. Let's say that my mail host is actually a malicious system. It
could generate millions of signed copies of the message, like this
i=1 d=tana.it [email protected] [email protected]
i=2 d=ietf.org [email protected] [email protected]
i=3 d=google.com [email protected] rt=<somewhere else>
The systems performing DKIM2 evaluation of these malicious messages would
see the i=1 and i=2 signatures repeatedly, and every message would have a
distinct i=3 listing the recipient for that copy. Seeing the same signature
multiple times is an indication that some sort of replay is happening. By
having the additional information that i=2 is seen repeatedly and i=3 is
not is an indication that the domain in i=3 is the one generating the
replayed messages, and not the domains in i=1 or i=2. Reputation could be
applied to determine whether this system is considered a bad actor or not,
and reputational damage could be accumulated if the messages end up looking
malicious in some way.
Yeah, right. It's the same reasoning as with repeated DKIM1 signatures, or
even repeated checksums. One needs to track reputation (or subscriptions) to
determine legitimacy. As Dave said, there always will be legitimate scenarios
that match replay abuse scenarios.
Best
Ale
--
_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]
