Robert Mueller writes:
>
>> 1. Add timestamp (t=) to DKIM-Signature. It limits replay attacks in
>> time.
>
> Assuming the receiving side looks at it. But you probably mean the x=
> tag anyway to set the expiry time, the RFC explicitly says though:
>
> INFORMATIVE NOTE: The "x=" tag is not intended as an anti- replay
> defense.
>
> Anyway, if you look at the Received headers I posted:
>
> Thu, 11 Aug 2016 09:25:57 -0400
> ...
> Thu, 11 Aug 2016 06:16:00 -0700 (PDT)
>
> So it took about 10 minutes from receiving the email at gmail until
> they were sending it from AWS. Having an expiry time that's < 10
> minutes in the future from when a message is sent is pretty dangerous.
> All it takes is a small problem on the receiving side for an email to
> be delayed 10 minutes.
>
>> 2. Use per-user selectors with different keys (as it was advised) and
>> remove DKIM records if replay attack is detected or simply switch to
>> new selector if per-user keys are impossible.
>
> As I previously noted... the timeline between signing up a new account,
> sending one email, copying it and mass sending via an AWS instance could all be
> done in minutes, and then thrown away. By the time you revoke the
> selector, 1000's of emails have already been delivered. Sure it'll
> stop future reuse of that particular account, but they can easily just
> move on to a new account already.
>
>> 3. Do not DKIM-sign messages and/or use different domains for trial
>> accounts. If you have antispam with score, you can set some limits to
>> sign / not sign messages with DKIM based on the score.
>
> At the moment it's trial accounts, but we also see plenty of accounts
> with stolen credit cards, or long term accounts that are stolen as
> well (probably due to password reuse). Determining which accounts to
> feed into a separate domain is non-trivial.
>
> It's also easy for the spammer to test. Sign up for a trial account, send to
> gmail. No DKIM signature or wrong domain? Use a credit card to pay.
> Still not working? Buy a stolen account on some black market. Still
> not working due to message content? Just tweak their message content
> and keep trying until they get the DKIM signature they want.
>

Yes, but it's even simpler for a spammer to e.g. send mail from
Gmail to Gmail to get Gmail's DKIM. The fact they didn't probably means
Yahoo already uses this as a spam signature. Multiple messages from AWS
with the same DKIM from the set of well-known domains with mismatched
"To:" is quite a good signature, because nobody expects forwarders on
AWS. So, I believe the problem is temporary and will be fixed by Yahoo
with the routine spam filtering process.

> Rob Mueller
> r...@fastmail.fm <mailto:r...@fastmail.fm>
>


-- 
Vladimir Dubrovin
@Mail.Ru
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
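As an added example that is not part of the thread, the timing check Rob's argument rests on, worked in Python: it parses the tags of a DKIM-Signature value, measures the forwarding delay from the two Received dates quoted above, and shows that a constructed x= expiry set only five minutes after t= would already have lapsed by the time the second hop saw the message. The DKIM-Signature value, its domain, selector and hash fields are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Received header dates quoted in the thread (first hop and the AWS resend).
RECEIVED_DATES = [
    "Thu, 11 Aug 2016 06:16:00 -0700 (PDT)",
    "Thu, 11 Aug 2016 09:25:57 -0400",
]

# Constructed DKIM-Signature value (not from the thread): t= equals the first
# Received date, x= is only five minutes later, bh=/b= are dummy values.
SAMPLE_DKIM = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.test; s=user1234;\r\n"
    "\tt=1470921360; x=1470921660; h=from:to:subject:date;\r\n"
    "\tbh=DUMMYBODYHASH=; b=DUMMYSIGNATURE="
)

def parse_dkim_tags(header_value):
    """Split a (possibly folded) DKIM-Signature value into a tag=value dict."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = "".join(value.split())  # folding whitespace is not significant
    return tags

def received_delay(received_dates):
    """Elapsed time between the earliest and latest Received timestamps."""
    stamps = [parsedate_to_datetime(d) for d in received_dates]
    return max(stamps) - min(stamps)

def replay_window(tags):
    """x= minus t=: how long a captured copy of the signed message stays valid."""
    if "t" not in tags or "x" not in tags:
        return None
    return timedelta(seconds=int(tags["x"]) - int(tags["t"]))

def valid_at_last_hop(tags, received_dates):
    """True if a verifier that honours x= would still accept the signature at the last hop."""
    if "x" not in tags:
        return True
    expiry = datetime.fromtimestamp(int(tags["x"]), tz=timezone.utc)
    return max(parsedate_to_datetime(d) for d in received_dates) <= expiry

if __name__ == "__main__":
    tags = parse_dkim_tags(SAMPLE_DKIM)
    print("forwarding delay:", received_delay(RECEIVED_DATES))  # 0:09:57
    print("x= window:", replay_window(tags))  # 0:05:00
    print("still valid at last hop:", valid_at_last_hop(tags, RECEIVED_DATES))  # False
```

A legitimately delayed message fails exactly as a replayed one would, which is why the thread treats x= as a poor replay defence on its own.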
