We're definitely seeing DKIM replay attacks and of course doing our best to
catch them.
I'm sure they have some knock-on effects to the service being abused, and
of course we'll watch for it and adjust as we need to.
Most likely, the most negative consequences will be on forwarding email yet
agai
> On Aug 13, 2016, at 9:23 PM, Neil Jenkins wrote:
>
> On Sun, 14 Aug 2016, at 02:07 PM, Steve Atkins wrote:
>> There is no technical way to prevent DKIM replay attacks. All you can do is
>> to make them unattractive, by making mail sent using them less likely to be
>> delivered or unprofitabl
On Sun, 14 Aug 2016, at 02:07 PM, Steve Atkins wrote:
> There is no technical way to prevent DKIM replay attacks. All you can
> do is to make them unattractive, by making mail sent using them less
> likely to be delivered or unprofitable.
> …
> If your business model includes 30 days of access with
> On Aug 13, 2016, at 8:47 PM, Neil Jenkins wrote:
>
> On Sun, 14 Aug 2016, at 11:55 AM, Security Desk wrote:
>> I think I'd start by not letting random people sign up as
>> secure_m...@internet-mail.org
>
> That has zero relevance to the topic in hand, which is DKIM replay attacks.
> But jus
On Sun, 14 Aug 2016, at 11:55 AM, Security Desk wrote:
> I think I'd start by not letting random people sign up as
> secure_m...@internet-mail.org
That has zero relevance to the topic in hand, which is DKIM replay
attacks. But just to address that anyway: this is "enumerating badness",
#2 on the l
Security Department wrote:
> PS: SMS to the same throwaway Google Voice number, by the way
There's no need for even that level of planning given the bajillions of
services like https://smsreceivefree.com/
SMS verification will slightly deter bot signups, but it's less annoying
to do using a thr
I probably wouldn't let random signups use this address, either.
--
Security Department
p0stmas...@fastmail.com
PS: SMS to the same throwaway Google Voice number, by the way
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin
I think I'd start by not letting random people sign up as
secure_m...@internet-mail.org
--
Security Desk
secure_m...@internet-mail.org
On Sat, Aug 13, 2016, at 03:50 PM, Neil Jenkins wrote:
> On Sun, 14 Aug 2016, at 01:14 AM, John R Levine wrote:
>> Maybe it's just me, but if I were running
On Sun, 14 Aug 2016, at 01:14 AM, John R Levine wrote:
> Maybe it's just me, but if I were running a free mail service, I would
> make it harder for random strangers to sign up and send mail
> like this.
Interesting, do tell us what you would do. Because this is what
happened:
1. You signed up fo
Bill,
Thanks for bringing up all those points. While perhaps the practical
implications of the TLS1.0's brokenness may not be as applicable to email, it
doesn't mean ESPs should automatically be satisfied with the status quo. If
most vendors have found a way to implement TLS 1.1 and 1.2 then
I'd think you could follow the links without rewriting them.
--
Security Desk
secure_m...@internet-mail.org
On Sat, Aug 13, 2016, at 10:52 AM, Brandon Long via mailop wrote:
> Doesn't it also make it harder to do spam detection unless you follow
> the links?
> Brandon
>
> On Aug 13, 2016 9:1
Doesn't it also make it harder to do spam detection unless you follow the
links?
Brandon
On Aug 13, 2016 9:18 AM, "Bill Cole"
wrote:
> On 12 Aug 2016, at 19:12, Tim Starr wrote:
>
> The only benefit I can see from sending the exact same message from
>> somewhere else would be to drive recipients
On 12 Aug 2016, at 19:12, Tim Starr wrote:
The only benefit I can see from sending the exact same message from
somewhere else would be to drive recipients to the same payload link,
which suggests another possible way to stop this from paying off after
detection:
Make it so that all content lin
Hi, security desk here.
We note that the Let's Encrypt cert for https://chilli.nosignal.org
expired in February. That usually means that the cron job that's supposed
to renew it doesn't work.
If you are unable to solve this problem on your own, we can of course
offer some highly secure and
Maybe it's just me, but if I were running a free mail service, I would
make it harder for random strangers to sign up and send mail like this.
All addresses are real, write to them and I'll write back.
Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider t
15 matches