Re: [mailop] Dealing with a DKIM replay attack

2016-08-13 Thread Brandon Long via mailop
We're definitely seeing dkim replay attacks and of course doing our best to catch them. I'm sure they have some knock-on effects to the service being abused, and of course we'll watch for it and adjust as we need to. Most likely, the most negative consequences will be on forwarding email yet

Re: [mailop] Dealing with a DKIM replay attack

2016-08-13 Thread Steve Atkins
> On Aug 13, 2016, at 8:47 PM, Neil Jenkins wrote:
>
> On Sun, 14 Aug 2016, at 11:55 AM, Security Desk wrote:
>> I think I'd start by not letting random people sign up as
>> secure_m...@internet-mail.org
>
> That has zero relevance to the topic in hand, which is DKIM

[mailop] More on preventing phishing

2016-08-13 Thread Security Department
I probably wouldn't let random signups use this address, either.

--
Security Department
p0stmas...@fastmail.com

PS: SMS to the same throwaway Google Voice number, by the way

Re: [mailop] Dealing with a DKIM replay attack

2016-08-13 Thread Neil Jenkins
On Sun, 14 Aug 2016, at 01:14 AM, John R Levine wrote:
> Maybe it's just me, but if I were running a free mail service, I would
> make it harder for random strangers to sign up and send mail
> like this.

Interesting, do tell us what you would do. Because this is what happened:

1. You signed up

Re: [mailop] Lack of TLS 1.1/1.2 support on Apple email products

2016-08-13 Thread frnkblk
Bill,

Thanks for bringing up all those points. While perhaps the practical implications of TLS 1.0's brokenness may not be as applicable to email, it doesn't mean ESPs should automatically be satisfied with the status quo. If most vendors have found a way to implement TLS 1.1 and 1.2 then

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-13 Thread Security Desk
I'd think you could follow the links without rewriting them.

--
Security Desk
secure_m...@internet-mail.org

On Sat, Aug 13, 2016, at 10:52 AM, Brandon Long via mailop wrote:
> Doesn't it also make it harder to do spam detection unless you follow
> the links?
> Brandon
>
> On Aug 13, 2016

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-13 Thread Brandon Long via mailop
Doesn't it also make it harder to do spam detection unless you follow the links?

Brandon

On Aug 13, 2016 9:18 AM, "Bill Cole" wrote:
> On 12 Aug 2016, at 19:12, Tim Starr wrote:
>
> > The only benefit I can see from sending the exact same message from
>>

[mailop] Expired certificate at https://chilli.nosignal.org

2016-08-13 Thread Security Desk
Hi, security desk here. We note that the Let's Encrypt cert for https://chilli.nosignal.org expired in February. That usually means that the cron job that's supposed to renew it doesn't work. If you are unable to solve this problem on your own, we can of course offer some highly secure and