Hi mailop
So it appears at the moment that we're experiencing a DKIM replay attack
against us. Basically some people are signing up a trial FastMail
account, sending a couple of emails to a gmail account (to get them DKIM
signed by us), and then copying the entire content of the email and
sending it from an AWS instance.
Because Yahoo uses the DKIM signing domain for it's feedback loop
reporting, we're receiving 100's -> 1000's of reports, even though none
of them were actually sent from our servers.
Here's what the cut in the Received headers looks like:
Received: from towersevent.net (ec2-52-2-96-133.compute-1.amazonaws.com
[52.2.96.133])
by alph136.prodigy.net (8.14.4 IN nd2 TLS/8.14.4) with ESMTP id
u7BDOa9x029274
for <...@att.net>; Thu, 11 Aug 2016 09:25:57 -0400
Received: from new1-smtp.messagingengine.com
(new1-smtp.messagingengine.com. )
by mx.google.com with ESMTPS id
y13si203649qkb.155.2016.08.11.06.16.00
for <...@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256
bits=128/128);
Thu, 11 Aug 2016 06:16:00 -0700 (PDT)
The bottom Received header shows the jump from us to gmail, but the top
Received header shows that basically they just copied the entire email
content, and sent it from an AWS instance to a @att.net account.
Obviously we're concerned about this because:
1. We only learned about this because yahoo uses DKIM domains for FBL
reporting. If they used IP's, we'd never have known about this
2. I bet a number of services out there are using the domains in DKIM
signed emails for reputation tracking. So this may be affecting the
reputation of our domains, even though we're not the genuine source of
the majority of the emails.
Does anyone know if (2) is actually true, or what sites might be doing
to avoid this? I guess checking the uniqueness of b= value in each DKIM
signature to see if it's truly the same email just replayed over and
over is one way?
That's an interesting thought actually, I wonder if seeing many emails
with the same b= value is an easy way to actually detect spam and/or a
replay attack?
I can't see an easy way to stop this. It's impossible to block every
single sent spam email ever, and all it takes is one email sent and
signed by us to be able to be replicated as much as anyone wants.
I know that this is a known problem with DKIM, just wondering if anyone
else has seen this and or dealt with it and has any idea if we should
even be worried about it at all?
--
Rob Mueller
r...@fastmail.fm
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
