On Sun, 30 Jan 2022, Evan Burke via mailop wrote:

> This is indeed a replay attack. It's quite widespread and appears to be
> focused on taking advantage of domain reputation on the DKIM d= domain for
> various email platforms. The end recipients appear to be exclusively Gmail,
> as far as I've seen, and are delivered using BCC, leaving the To header
> intact.
>
> I recommend including the Date and Subject fields twice in your DKIM
> signature h= string, and possibly other key fields; that will break the
> original signature if a second such header is later added.
> https://tools.wordtothewise.com/rfc/6376#section-8.15
>
> e.g., instead of
> h=Message-ID:Subject:From:Reply-To:To:MIME-Version:Content-Type:
> Content-Transfer-Encoding:Date;
> use
> h=Message-ID:Subject:Subject:From:Reply-To:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Date:Date;

What will that do to legitimate messages that pass through
a mailing list that changes the subject line but does not
use DKIM ?

--
Andrew C. Aitchison                                     Kendal, UK
                        and...@aitchison.me.uk
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
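The mechanics behind Evan's oversigning advice, as an added example that is not part of the thread or of any DKIM implementation: RFC 6376 section 5.4.2 says each name in h= consumes the bottom-most not-yet-used instance of that header, and a name listed more times than the header occurs contributes an empty string for the surplus entry. The model below implements only that header-selection step plus relaxed canonicalization, and uses a SHA-256 digest as a stand-in for the RSA-signed header hash (the question "does adding or changing a header alter the signed input?" has the same answer either way). The message headers, the attacker's prepended Subject and the list-style rewrite are constructed sample data. It shows the replay surviving a single-signed Subject and failing against the doubled one, and also runs the case Andrew asks about, a list rewriting the existing Subject in place, which changes the only signed instance and so breaks the signature under both h= strings.

```python
import hashlib
import re

# Constructed sample message, top header first.
ORIGINAL = [
    ("From", "billing@example.com"),
    ("To", "victim@example.org"),
    ("Subject", "Your invoice"),
    ("Date", "Sun, 30 Jan 2022 10:00:00 +0000"),
    ("Message-ID", "<abc@example.com>"),
]

# The two h= strings from Evan's post.
H_SINGLE = ("Message-ID:Subject:From:Reply-To:To:MIME-Version:Content-Type:"
            "Content-Transfer-Encoding:Date")
H_OVER = ("Message-ID:Subject:Subject:From:Reply-To:To:MIME-Version:Content-Type:"
          "Content-Transfer-Encoding:Date:Date")


def relaxed_canon(name, value):
    """Relaxed header canonicalization (RFC 6376 section 3.4.2): lowercase the
    field name, unfold, collapse runs of WSP to one space, strip WSP around the
    value, terminate with CRLF."""
    value = re.sub(r"[ \t]*\r?\n[ \t]+", " ", value)   # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def select_headers(headers, h):
    """Return the canonicalized header instances that h= covers, in h= order
    (RFC 6376 section 5.4.2). Each listed name takes the bottom-most instance
    not already consumed; if none is left, it contributes the empty string.
    That empty slot is what oversigning relies on: any header of that name
    added later fills the slot and changes the signed input."""
    used = set()
    selected = []
    for want in h.split(":"):
        want = want.strip().lower()
        for i in range(len(headers) - 1, -1, -1):       # scan bottom-up
            if i not in used and headers[i][0].lower() == want:
                used.add(i)
                selected.append(relaxed_canon(*headers[i]))
                break
        else:
            selected.append("")                          # surplus or absent: empty
    return selected


def header_hash(headers, h):
    """Stand-in for the signed header hash: SHA-256 over the selected headers.
    Real DKIM RSA-signs this digest; for 'does the signature still verify?' the
    digest comparison is equivalent."""
    return hashlib.sha256("".join(select_headers(headers, h)).encode()).hexdigest()


def replay(headers, extra):
    """The replay as described in the thread: the attacker prepends headers, so
    a new Subject sits above the signed one (most MUAs display the top one),
    while bottom-up selection still finds the original for a single h= entry."""
    return list(extra) + list(headers)


def list_rewrite(headers, prefix="[mailop] "):
    """A list that edits the existing Subject in place (no new header added)."""
    return [(n, prefix + v) if n.lower() == "subject" else (n, v) for n, v in headers]


def signature_survives(h, extra=None):
    """True if the signed input under h= is unchanged after the replay prepends extra."""
    if extra is None:
        extra = [("Subject", "You have won! Click here")]
    return header_hash(ORIGINAL, h) == header_hash(replay(ORIGINAL, extra), h)


def signature_survives_rewrite(h):
    """True if the signed input under h= is unchanged after an in-place Subject edit."""
    return header_hash(ORIGINAL, h) == header_hash(list_rewrite(ORIGINAL), h)


if __name__ == "__main__":
    print("replay vs single-signed Subject, signature survives:", signature_survives(H_SINGLE))
    print("replay vs oversigned Subject,    signature survives:", signature_survives(H_OVER))
    print("in-place rewrite, single-signed, signature survives:", signature_survives_rewrite(H_SINGLE))
    print("in-place rewrite, oversigned,    signature survives:", signature_survives_rewrite(H_OVER))
```

Running it prints True, False, False, False: the doubled Subject entry is what defeats the added header, while a list that modifies the existing Subject breaks the signature in both configurations, so oversigning changes nothing for that case. The same reasoning applies to the doubled Date entry, which catches a prepended Date the same way.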
