> 1. Add timestamp (t=) to DKIM-Signature. It limits replay attacks in
> time.

Assuming the receiving side looks at it. But you probably mean the x= tag anyway to set the expiry time, the RFC explicitly says though:

INFORMATIVE NOTE: The "x=" tag is not intended as an anti-replay defense.

Anyway, if you look at the Received headers I posted:

Thu, 11 Aug 2016 09:25:57 -0400
...
Thu, 11 Aug 2016 06:16:00 -0700 (PDT)

So it took about 10 minutes from receiving the email at gmail until they were sending it from AWS. Having an expiry time that's < 10 minutes in the future from when a message is sent is pretty dangerous. All it takes is a small problem on the receiving side for an email to be delayed 10 minutes.

> 2. Use per-user selectors with different keys (as it was advised) and
> remove DKIM records if replay attack is detected or simply switch
> to new selector if per-user keys are impossible.

As I previously noted... the timeline between signing up a new account, sending one email, copying it and mass sending via an AWS instance could all be done in minutes, and then thrown away. By the time you revoke the selector, 1000's of emails have already been delivered. Sure it'll stop future reuse of that particular account, but they can easily just move on to a new account already.

> 3. Do not DKIM-sign messages and/or use different domains for trial
> accounts. If you have antispam with score, you can set some limits
> to sign / not sign messages with DKIM based on the score.

At the moment it's trial accounts, but we also see plenty of accounts with stolen credit cards, or long term accounts that are stolen as well (probably due to password reuse). Determining which accounts to feed into a separate domain is non-trivial. It's also easy for the spammer to test. Sign up a trial account, send to gmail. No DKIM signature or wrong domain? Use a credit card to pay. Still not working? Buy a stolen account on some black market. Still not working due to message content? Just tweak their message content and keep trying until they get the DKIM signature they want.
Rob Mueller r...@fastmail.fm
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
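An added example, not from the post above or the mailop list, that works through the post's own numbers: it parses the t= and x= tags out of a DKIM-Signature value and compares the resulting x= validity window against the transit delay between the two Received header dates quoted in the post. The header value, domain and selector are constructed; the bh= and b= values are placeholders.

```python
from email.utils import parsedate_to_datetime

# Constructed DKIM-Signature value (hypothetical domain/selector; bh= and b=
# are placeholders). t= equals the earlier Received time from the post
# (06:16:00 -0700 = 13:16:00 UTC, epoch 1470921360) and x= is 5 minutes
# later, i.e. a window shorter than the ~10 minute transit the post observed.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.test; s=sel1;"
    " t=1470921360; x=1470921660; h=from:to:subject;"
    " bh=PLACEHOLDER; b=PLACEHOLDER"
)

# The two Received header dates quoted in the post (earliest hop first).
RECEIVED_EARLIER = "Thu, 11 Aug 2016 06:16:00 -0700 (PDT)"
RECEIVED_LATER = "Thu, 11 Aug 2016 09:25:57 -0400"


def parse_dkim_tags(header):
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag-list)."""
    tags = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = value.strip()
    return tags


def signature_validity_window(header):
    """Seconds between t= and x=, or None if either tag is absent."""
    tags = parse_dkim_tags(header)
    if "t" not in tags or "x" not in tags:
        return None
    return int(tags["x"]) - int(tags["t"])


def transit_delay_seconds(earlier, later):
    """Elapsed seconds between two Received header dates (timezone offsets honoured)."""
    delta = parsedate_to_datetime(later) - parsedate_to_datetime(earlier)
    return int(delta.total_seconds())


def expiry_too_tight(header, observed_delay_seconds):
    """True when the x= window is shorter than a delay legitimate mail has been
    seen to take, so a receiver enforcing x= would reject real mail."""
    window = signature_validity_window(header)
    return window is not None and window < observed_delay_seconds


if __name__ == "__main__":
    delay = transit_delay_seconds(RECEIVED_EARLIER, RECEIVED_LATER)
    print(f"observed transit {delay}s, x= window {signature_validity_window(SAMPLE_DKIM_SIGNATURE)}s")
    print("x= window tighter than observed delay:", expiry_too_tight(SAMPLE_DKIM_SIGNATURE, delay))
```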