[Ietf-dkim] Re: Replay abuse, was New Version Notification for draft-crocker-dkor-00.txt

[Bron Gondwana]

On Fri, Jun 13, 2025, at 12:46, Alessandro Vesely wrote:
> On Thu 12/Jun/2025 18:03:51 +0200 Bron Gondwana wrote:
>> (duplicate i=1)
>> DKIM2: i=1; mf=droc...@bbiw.net; rt=c...@fastmailteam.com;
>>         d=bbiw.net *(correctly signed as above)
*DKIM2: *i=1*; mf=dkim-bou...@badguy.com; rt=p...@episteme.net;
>>         d=*badguy.com*
>> 
>> (duplicate i=2, one of each aligns each way)
>> DKIM2: i=1; mf=droc...@bbiw.net; rt=c...@fastmailteam.com;
>>         d=bbiw.net *(correctly signed as above)*
>> DKIM2: i=2; mf=dkim2-boun...@fastmailteam.com rt=br...@fastmailteam.com;
>>         d=fastmailteam.com *(correctly signed as above)*
>> DKIM2: *i=2*; mf=dkim2-bou...@badguy.com; rt=intermedi...@badguy.com;
>>         d=*badguy.com
*DKIM2: i=3; mf=dkim2-bou...@badguy.com; rt=intermedi...@badguy.com;
>>         d=*badguy.com*
> 
> 
> Isn't the classical DKIM replay pattern something like this:
> 
> DKIM2: i=1; mf=a...@gmail.com; rt=bad...@intermediate.com;
>         d=gmail.com *(correctly signed once)*
> DKIM2: i=2; mf=bad...@intermediate.com rt=victi...@fastmail.com;
>         d=intermediate.com *(correctly signed thousands of times)*


Sure but you can very quickly tell that intermediate.com is the source of the 
bad traffic here, whereas right now you can do:

mf=invoi...@paymentgateway.com rt=throwa...@gmail.com and get a legit looking 
invoice from a legit company that sends out invoices by creating an account 
with them, grab the content of that (correctly signed message) and then send 
millions of DKIM signed messages:

mr=invoi...@paymentgateway.com rt=vict...@example.com
mr=invoi...@paymentgateway.com rt=vict...@example.com

Sure the "To:" address in the headers is throwa...@gmail.com, but you can make 
that something plausible like "To: Renew Your Norton Subscription 
<softwarediscountclubmailingl...@gmail.com>".  And there's no way right now for 
example.com to know if they were a Bcc on the message from paymentgateway.com 
or not.

In the DKIM2 replay example you give above, it's clear that intermediate.com 
created the thousands of messages.

In regular DKIM replay, paymentgateway.com only signed a message once, and sent 
it to the attacked-controlled throwaway at gmail.  The remaining messages could 
be sent from anywhere in the world and they would still pass DKIM checks 
despite having a new destination that paymentgateway.com was never aware of.

In DKIM2, someone who is signing is always are of who the next hop is, and how 
many distinct next addresses they're signing for.  

So if intermediate.com was an innocent forwarding service rather than the 
attacker, they would be able to rate limit their forwaring service to not be 
used to forward to thousands of different recipients.  No hop can create a 
signature without knowing who the next recipient is under DKIM2.

Bron.

--
  Bron Gondwana, CEO, Fastmail Pty Ltd
  br...@fastmailteam.com


_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org
To unsubscribe send an email to ietf-dkim-le...@ietf.org