>  1. Add timestamp (t=) to DKIM-Signature. It limits replay attacks in
>     time.

Assuming the receiving side looks at it. But you probably mean the x=
tag anyway to set the expiry time, the RFC explicitly says though:

         INFORMATIVE NOTE: The "x=" tag is not intended as an anti-
         replay defense.

Anyway, if you look at the Received headers I posted:

Thu, 11 Aug 2016 09:25:57 -0400 ...
        Thu, 11 Aug 2016 06:16:00 -0700 (PDT)

So it took about 10 minutes from receiving the email at gmail until they
were sending it from AWS. Having an expiry time that's < 10 minutes in
the future from when a message is sent is pretty dangerous. All it
takes is a small problem on the receiving side for an email to be
delayed 10 minutes.

>  2. Use per-user selectors with different keys (as it was advised) and
>     remove DKIM records if replay attack is detected or simply switch
>     to new selector if per-user keys are impossible.

As I previously noted... the timeline between signing up a new account,
sending one email, copying it and mass sending it via an AWS instance could
all be done in minutes, and then thrown away. By the time you revoke the
selector, 1000s of emails have already been delivered. Sure it'll stop
future reuse of that particular account, but they can easily just move on
to a new account already.

>  3. Do not DKIM-sign messages and/or use different domains for trial
>     accounts. If you have antispam with score, you can set some limits
>     to sign / not sign messages with DKIM based on the score.

At the moment it's trial accounts, but we also see plenty of accounts
with stolen credit cards, or long term accounts that are stolen as well
(probably due to password reuse). Determining which accounts to feed
into a separate domain is non-trivial.

It's also easy for the spammer to test. Sign up for a trial account, send
to gmail. No DKIM signature or wrong domain? Use a credit card to pay.
Still not working? Buy a stolen account on some black market. Still not
working due to message content? Just tweak the message content and
keep trying until they get the DKIM signature they want.

Rob Mueller
r...@fastmail.fm
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
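As an added illustration (not part of Rob's post or the thread), the following Python check parses the t=/x= tags out of a constructed DKIM-Signature value and measures the delay between the two Received dates quoted above; it shows how a 5-minute x= window collides with a roughly 10-minute legitimate delivery delay. The header value, selector and domain are made up for the example.

```python
import re
from email.utils import parsedate_to_datetime

# Constructed DKIM-Signature value (not taken from the thread). t= is the
# signing time and x= the expiry, both Unix seconds per RFC 6376; here
# x= is only 300 s after t=, i.e. a 5-minute window.
SAMPLE_DKIM = (
    "v=1; a=rsa-sha256; d=example.net; s=sel1; c=relaxed/relaxed; "
    "h=from:to:subject:date; t=1470921360; x=1470921660; bh=...; b=..."
)

# The two Received timestamps quoted in the post (different UTC offsets).
RECEIVED_FIRST = "Thu, 11 Aug 2016 06:16:00 -0700 (PDT)"   # accepted at gmail
RECEIVED_LATER = "Thu, 11 Aug 2016 09:25:57 -0400"         # re-sent from AWS


def parse_dkim_tags(header: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 3.2).
    Folding whitespace inside a value is ignored, as the RFC requires."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def expiry_window_seconds(tags: dict):
    """Seconds between signing (t=) and expiry (x=); None if either is absent."""
    if "t" not in tags or "x" not in tags:
        return None
    return int(tags["x"]) - int(tags["t"])


def received_delay_seconds(earlier: str, later: str) -> int:
    """Delay between two Received dates; parsedate_to_datetime normalises
    the differing -0700 / -0400 offsets and drops the trailing '(PDT)'."""
    first = parsedate_to_datetime(earlier)
    second = parsedate_to_datetime(later)
    return int((second - first).total_seconds())


def to_epoch(received: str) -> int:
    """Unix seconds for a Received date, for comparison with t=/x=."""
    return int(parsedate_to_datetime(received).timestamp())


def expired_at(tags: dict, verify_epoch: int) -> bool:
    """Verifier-side x= check: True if the signature is past its expiry."""
    return "x" in tags and verify_epoch > int(tags["x"])
```

With these inputs the legitimately delayed copy (597 s after signing) is already past the 300 s x= window, so a verifier honouring x= would discard it, while a replay sent within the first five minutes would still verify; that is the gap the RFC's informative note is warning about.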