Re: [mailop] Dealing with a DKIM replay attack

2016-08-15 Thread Steve Atkins
> On Aug 15, 2016, at 5:01 PM, Robert Mueller wrote: > >> We're definitely seeing dkim replay attacks and of course doing our best to >> catch them. >> > > Out of curiosity, one thing I thought might be a strong sign of a replay > attack is lots of emails with the same b=

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-15 Thread Bill Cole
On 15 Aug 2016, at 12:17, Tim Starr wrote: I see your point, but why is it so bad to rewrite content links? I am assuming a unique link per mailbox. Change any content of a message and you invalidate any cryptographic signatures. Rewrite links to go through your machines and you're

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-15 Thread Brandon Long via mailop
People assume click tracking, at the least. It's not clear that it would help, anyways, the point of these attacks is use them against another service, you might get some feedback but probably not fast enough to matter, just like the per user dkim selector. Brandon On Aug 15, 2016 9:22 AM, "Tim

Re: [mailop] Dealing with a DKIM replay attack

2016-08-14 Thread Eliot Lear
On 8/14/16 6:46 AM, Steve Atkins wrote: > If there were a protocol that said "if you receive mail signed by this > domain / this key and the recipient isn't in the To: or Cc: field, > block it", or some similar protocol that signed the envelope > recipient, that would pretty much eliminate DKIM

Re: [mailop] Dealing with a DKIM replay attack

2016-08-14 Thread John Levine
>If there were a protocol that said "if you receive mail signed by this domain >/ this key and the recipient isn't in >the To: or Cc: field, block it", or some similar protocol that signed the >envelope recipient, that would pretty much >eliminate DKIM replay as a threat in some cases. It

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-14 Thread Vick Khera
On Fri, Aug 12, 2016 at 7:12 PM, Tim Starr wrote: > The only benefit I can see from sending the exact same message from > somewhere else would be to drive recipients to the same payload link, which > suggests another possible way to stop this from paying off after detection:

Re: [mailop] Dealing with a DKIM replay attack

2016-08-13 Thread Brandon Long via mailop
We're definitely seeing dkim replay attacks and of course doing our best to catch them. I'm sure they have some knock-on effects to the service being abused, and of course we'll watch for it and adjust as we need to. Most likely, the most negative consequences will be on forwarding email yet

Re: [mailop] Dealing with a DKIM replay attack

2016-08-13 Thread Steve Atkins
> On Aug 13, 2016, at 8:47 PM, Neil Jenkins wrote: > > On Sun, 14 Aug 2016, at 11:55 AM, Security Desk wrote: >> I think I'd start by not letting random people sign up as >> secure_m...@internet-mail.org > > That has zero relevance to the topic in hand, which is DKIM

Re: [mailop] Dealing with a DKIM replay attack

2016-08-13 Thread Neil Jenkins
On Sun, 14 Aug 2016, at 01:14 AM, John R Levine wrote: > Maybe it's just me, but if I were running a free mail service, I would > make it harder for random strangers to sign up and send mail > like this. Interesting, do tell us what you would do. Because this is what happened: 1. You signed up

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-13 Thread Security Desk
I'd think you could follow the links without rewriting them. -- Security Desk secure_m...@internet-mail.org On Sat, Aug 13, 2016, at 10:52 AM, Brandon Long via mailop wrote: > Doesn't it also make it harder to do spam detected unless you follow > the links? > Brandon > > On Aug 13, 2016

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-13 Thread Brandon Long via mailop
Doesn't it also make it harder to do spam detection unless you follow the links? Brandon On Aug 13, 2016 9:18 AM, "Bill Cole" wrote: > On 12 Aug 2016, at 19:12, Tim Starr wrote: > > The only benefit I can see from sending the exact same message from >>

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-12 Thread Tim Starr
The only benefit I can see from sending the exact same message from somewhere else would be to drive recipients to the same payload link, which suggests another possible way to stop this from paying off after detection: Make it so that all content links get turned into redirects you control, and

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-12 Thread Tim Starr
What Steve said: Unique domains per account, or for different groups. We had to do this for link-tracking domains: userid.example.com instead of links.example.com for all accounts. -Tim On Fri, Aug 12, 2016 at 10:34 AM, Steve Atkins wrote: > > > On Aug 11, 2016, at 5:42 PM,

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-12 Thread Seth Mattinen
On 8/12/16 03:28, Robert Mueller wrote: It's also easy for the spammer to test. Signup trial account, send to gmail. No DKIM signature or wrong domain? Use a credit card to pay. Still not working? Buy a stolen account on some black market. Still not working due to message content? just tweak

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-12 Thread Steve Atkins
> On Aug 12, 2016, at 11:52 AM, Vick Khera wrote: > > On Fri, Aug 12, 2016 at 12:34 PM, Steve Atkins wrote: >> You're vouching for / accepting responsibility for every mail you sign. >> If your users are bad actors - as they are in this case - you're

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-12 Thread Vick Khera
On Fri, Aug 12, 2016 at 12:34 PM, Steve Atkins wrote: > You're vouching for / accepting responsibility for every mail you sign. > If your users are bad actors - as they are in this case - you're accepting > responsibility for that. So if I took any random message that I came

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-12 Thread Robert Mueller
> Laura Atkins has some pretty cool ideas here: > https://wordtothewise.com/2014/05/dkim-injected-headers/ > I'd be interested to see if including those headers twice in the > signature works, so an altered or second instance of them would > fail DKIM. They didn't alter any of the headers or add

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-12 Thread Robert Mueller
> 1. Add timestamp (t=) to DKIM-Signature. It limits replay attacks in > time. Assuming the receiving side looks at it. But you probably mean the x= tag anyway to set the expiry time, the RFC explicitly says though: INFORMATIVE NOTE: The "x=" tag is not intended as an anti-

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-12 Thread Anna Ward
Laura Atkins has some pretty cool ideas here: https://wordtothewise.com/2014/05/dkim-injected-headers/ I'd be interested to see if including those headers twice in the signature works, so an altered or second instance of them would fail DKIM. And have you had success including the t= and/or an

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-12 Thread Paul Smith
On 12/08/2016 01:42, Robert Mueller wrote: 2. I bet a number of services out there are using the domains in DKIM signed emails for reputation tracking. So this may be affecting the reputation of our domains, even though we're not the genuine source of the majority of the emails. Hmm, looking

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-12 Thread Eliot Lear
If I understand what's going on, Y! is doing an OR on DKIM & SPF and in this case, your SPF record is bypassed by the DKIM pass. The only thing to be done on your end is to not publish a DKIM record, and then you're at risk for a prefix hijack, though that is visible to some receivers, and it

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-11 Thread Robert Mueller
> Use a different selector for each account holder, and then revoke > selectors that are abused. That's an interesting idea, but I'm not sure it'll be a big help. The reality is that the timeline between signing up a new account, sending one email, copying it and mass sending via an AWS instance could all be

Re: [mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-11 Thread David Harris
Hi Robert, On Aug 11, 2016, at 7:42 PM, Robert Mueller wrote: > I can't see an easy way to stop this. It's impossible to block every > single sent spam email ever, and all it takes is one email sent and > signed by us to be able to be replicated as much as anyone wants. I

[mailop] Dealing with a DKIM replay attack and yahoo's use of DKIM domains for FBL reports

2016-08-11 Thread Robert Mueller
Hi mailop So it appears at the moment that we're experiencing a DKIM replay attack against us. Basically some people are signing up a trial FastMail account, sending a couple of emails to a gmail account (to get them DKIM signed by us), and then copying the entire content of the email and sending