Laura Atkins has some pretty cool ideas here: https://wordtothewise.com/2014/05/dkim-injected-headers/ I'd be interested to see if including those headers twice in the signature works, so an altered or second instance of them would fail DKIM.
And have you had success including the t= and/or an aggressive x= (expire time) for free accounts? -- Anna Grace Ward On Fri, Aug 12, 2016 at 2:42 AM, Robert Mueller <r...@fastmail.fm> wrote: > Hi mailop > > So it appears at the moment that we're experiencing a DKIM replay attack > against us. Basically some people are signing up a trial FastMail > account, sending a couple of emails to a gmail account (to get them DKIM > signed by us), and then copying the entire content of the email and > sending it from an AWS instance. > > Because Yahoo uses the DKIM signing domain for it's feedback loop > reporting, we're receiving 100's -> 1000's of reports, even though none > of them were actually sent from our servers. > > Here's what the cut in the Received headers looks like: > > Received: from towersevent.net (ec2-52-2-96-133.compute-1.amazonaws.com > [52.2.96.133]) > by alph136.prodigy.net (8.14.4 IN nd2 TLS/8.14.4) with ESMTP id > u7BDOa9x029274 > for <...@att.net>; Thu, 11 Aug 2016 09:25:57 -0400 > Received: from new1-smtp.messagingengine.com > (new1-smtp.messagingengine.com. ) > by mx.google.com with ESMTPS id > y13si203649qkb.155.2016.08.11.06.16.00 > for <...@gmail.com> > (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 > bits=128/128); > Thu, 11 Aug 2016 06:16:00 -0700 (PDT) > > The bottom Received header shows the jump from us to gmail, but the top > Received header shows that basically they just copied the entire email > content, and sent it from an AWS instance to a @att.net account. > > Obviously we're concerned about this because: > > 1. We only learned about this because yahoo uses DKIM domains for FBL > reporting. If they used IP's, we'd never have known about this > 2. I bet a number of services out there are using the domains in DKIM > signed emails for reputation tracking. So this may be affecting the > reputation of our domains, even though we're not the genuine source of > the majority of the emails. > > Does anyone know if (2) is actually true, or what sites might be doing > to avoid this? I guess checking the uniqueness of b= value in each DKIM > signature to see if it's truly the same email just replayed over and > over is one way? > > That's an interesting thought actually, I wonder if seeing many emails > with the same b= value is an easy way to actually detect spam and/or a > replay attack? > > I can't see an easy way to stop this. It's impossible to block every > single sent spam email ever, and all it takes is one email sent and > signed by us to be able to be replicated as much as anyone wants. > > I know that this is a known problem with DKIM, just wondering if anyone > else has seen this and or dealt with it and has any idea if we should > even be worried about it at all? > > -- > Rob Mueller > r...@fastmail.fm > > _______________________________________________ > mailop mailing list > mailop@mailop.org > https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop >
_______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop