We're definitely seeing DKIM replay attacks and of course doing our best to catch them.
I'm sure they have some knock-on effects to the service being abused, and of course we'll watch for it and adjust as we need to. Most likely, the most negative consequences will be on forwarding email yet again, as SPF becomes a stronger signal.

Brandon

On Aug 13, 2016 9:28 PM, "Neil Jenkins" <ne...@fastmail.com> wrote:

> On Sun, 14 Aug 2016, at 02:07 PM, Steve Atkins wrote:
>
> There is no technical way to prevent DKIM replay attacks. All you can do
> is to make them unattractive, by making mail sent using them less likely to
> be delivered or unprofitable.
> …
> If your business model includes 30 days of access with no payment, no
> credit card, no contract and no authentication ... that's going to be part
> of the discussion.
>
>
> Sure. The thing is we also have to deal with stolen credit cards and
> compromised accounts. We have a number of mechanisms in place to detect and
> block abuse at all these levels, but like any mailbox host, we can never
> hope to stop 100% of malicious content.
>
> Rob's original email was to a) ask whether there are any other measures
> people are taking that could help with this from the sender side (to which
> the answer definitely seems to be "no"); and b) to see whether other
> operators' incoming spam scanning systems are accounting for this kind of
> attack. We're all trying to work together here, and if a legitimate message
> from a user at FastMail fails to reach the inbox of a user at Service X,
> that's a failure for both of us. Similarly if the situation is reversed.
>
> [1] Well, fastmail distinguishes itself by not allowing the bulk spam to
> be sent from their network. Allowing that would likely eliminate DKIM
> replay attacks...
>
>
> Indeed it might. :)
>
> Neil.
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
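As an added illustration (not part of the thread, and not any participant's or operator's actual system), here is one receiver-side signal for the replay pattern discussed above: the same DKIM signature arriving for many envelope recipients who are not named in the signed To/Cc headers. The function names, the threshold and the sample messages are assumptions constructed for this example; Bcc and mailing-list mail also trip the check, so it is a scoring input, not a verdict.

```python
import re
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses

def sig_key(msg):
    """Return (d=, b=) of the first DKIM-Signature header, or None."""
    raw = msg.get("DKIM-Signature")
    if not raw:
        return None
    tags = {}
    for part in raw.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)  # base64 padding stays in value
            tags[name.strip()] = re.sub(r"\s+", "", value)  # unfold whitespace
    if "d" not in tags or "b" not in tags:
        return None
    return tags["d"].lower(), tags["b"]

def replay_candidates(deliveries, threshold=3):
    """deliveries: iterable of (envelope_recipient, raw_message).
    Returns signatures seen for >= threshold distinct envelope recipients
    that do not appear in the message's own To/Cc headers."""
    off_header = defaultdict(set)
    for rcpt, raw in deliveries:
        msg = message_from_string(raw)
        key = sig_key(msg)
        if key is None:
            continue
        listed = msg.get_all("To", []) + msg.get_all("Cc", [])
        addrs = {addr.lower() for _, addr in getaddresses(listed)}
        if rcpt.lower() not in addrs:
            off_header[key].add(rcpt.lower())
    return {k: sorted(v) for k, v in off_header.items() if len(v) >= threshold}

def make_msg(to, b):
    # Constructed sample message; the signature values are fake placeholders.
    return ("DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\n"
            "\th=from:to:subject; bh=Y29uc3RydWN0ZWQ=; b=" + b + "\n"
            "From: alice@example.com\nTo: " + to + "\nSubject: hi\n\nbody\n")

SAMPLE = [  # constructed: one normal delivery, three replays, one unrelated
    ("bob@example.net", make_msg("bob@example.net", "c2lnLW9uZQ==")),
    ("v1@example.org", make_msg("bob@example.net", "c2lnLW9uZQ==")),
    ("v2@example.org", make_msg("bob@example.net", "c2lnLW9uZQ==")),
    ("v3@example.org", make_msg("bob@example.net", "c2lnLW9uZQ==")),
    ("carol@example.net", make_msg("carol@example.net", "c2lnLXR3bw==")),
]

if __name__ == "__main__":
    print(replay_candidates(SAMPLE))
```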