On 15 Aug 2016, at 12:17, Tim Starr wrote:
I see your point, but why is it so bad to rewrite content links? I am
assuming a unique link per mailbox.
Change any content of a message and you invalidate any cryptographic
signatures.
Rewrite links to go through your machines and you're
People assume click tracking, at the least.
It's not clear that it would help, anyways, the point of these attacks is to
use them against another service, you might get some feedback but probably
not fast enough to matter, just like the per-user DKIM selector.
Brandon
On Aug 15, 2016 9:22 AM, "Tim
On Fri, Aug 12, 2016 at 7:12 PM, Tim Starr wrote:
> The only benefit I can see from sending the exact same message from
> somewhere else would be to drive recipients to the same payload link, which
> suggests another possible way to stop this from paying off after detection:
I'd think you could follow the links without rewriting them.
--
Security Desk
secure_m...@internet-mail.org
On Sat, Aug 13, 2016, at 10:52 AM, Brandon Long via mailop wrote:
> Doesn't it also make it harder to do spam detection unless you follow
> the links?
> Brandon
>
> On Aug 13, 2016
Doesn't it also make it harder to do spam detection unless you follow the
links?
Brandon
On Aug 13, 2016 9:18 AM, "Bill Cole" wrote:
> On 12 Aug 2016, at 19:12, Tim Starr wrote:
>
> The only benefit I can see from sending the exact same message from
>>
The only benefit I can see from sending the exact same message from
somewhere else would be to drive recipients to the same payload link, which
suggests another possible way to stop this from paying off after detection:
Make it so that all content links get turned into redirects you control, and
What Steve said: Unique domains per account, or for different groups. We
had to do this for link-tracking domains: userid.example.com instead of
links.example.com for all accounts.
-Tim
On Fri, Aug 12, 2016 at 10:34 AM, Steve Atkins wrote:
>
> > On Aug 11, 2016, at 5:42 PM,
On 8/12/16 03:28, Robert Mueller wrote:
It's also easy for the spammer to test. Sign up for a trial account, send to
gmail. No DKIM signature or wrong domain? Use a credit card to pay.
Still not working? Buy a stolen account on some black market. Still not
working due to message content? just tweak
> On Aug 12, 2016, at 11:52 AM, Vick Khera wrote:
>
> On Fri, Aug 12, 2016 at 12:34 PM, Steve Atkins wrote:
>> You're vouching for / accepting responsibility for every mail you sign.
>> If your users are bad actors - as they are in this case - you're
On Fri, Aug 12, 2016 at 12:34 PM, Steve Atkins wrote:
> You're vouching for / accepting responsibility for every mail you sign.
> If your users are bad actors - as they are in this case - you're accepting
> responsibility for that.
So if I took any random message that I came
> Laura Atkins has some pretty cool ideas here:
> https://wordtothewise.com/2014/05/dkim-injected-headers/
> I'd be interested to see if including those headers twice in the
> signature works, so an altered or second instance of them would
> fail DKIM.
They didn't alter any of the headers or add
> 1. Add timestamp (t=) to DKIM-Signature. It limits replay attacks in
> time.
Assuming the receiving side looks at it. But you probably mean the x=
tag anyway to set the expiry time, the RFC explicitly says though:
INFORMATIVE NOTE: The "x=" tag is not intended as an anti-
Laura Atkins has some pretty cool ideas here:
https://wordtothewise.com/2014/05/dkim-injected-headers/
I'd be interested to see if including those headers twice in the signature
works, so an altered or second instance of them would fail DKIM.
And have you had success including the t= and/or an
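The receiver-side checks debated in the messages above (any content change breaking the bh= body hash, the t=/x= time window, and listing a header twice in h= so an injected second copy fails), as an added Python example that is not code from any poster on this thread. The message, the selector `user1234`, the timestamps and the one-week policy are constructed for illustration, and `b=` is a placeholder because no key or public-key lookup is involved.

```python
import base64
import hashlib
from collections import Counter

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 3.2); folding whitespace is dropped."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags

def body_hash(body):
    """bh= under 'simple' body canonicalisation: CRLF endings, trailing empty lines removed, one final CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    canon = "".join(line + "\r\n" for line in lines) or "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def signature_status(tags, now, max_age=7 * 86400):
    """'expired' once past x=; 'stale' when t= is older than a local max_age policy (not in the RFC); else 'ok'."""
    if "x" in tags and now > int(tags["x"]):
        return "expired"
    if "t" in tags and now - int(tags["t"]) > max_age:
        return "stale"
    return "ok"

def oversigned_headers(tags, headers):
    """Header names listed in h= more often than they occur in the message: an injected extra copy would break the signature."""
    wanted = Counter(n.strip().lower() for n in tags.get("h", "").split(":") if n.strip())
    present = Counter(name.lower() for name, _ in headers)
    return sorted(n for n, c in wanted.items() if c > present[n])

# Constructed sample: per-user selector, From and Subject listed twice in h=, one-week x= window.
HEADERS = [("From", "trial-user@example.com"), ("To", "someone@example.net"), ("Subject", "hello")]
BODY = "Hi,\nplease see http://example.com/payload\n\n\n"
TAGS = parse_dkim_tags(
    "v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=user1234;"
    " h=From:To:Subject:From:Subject; t=1470960000; x=1471564800;"
    f" bh={body_hash(BODY)}; b=PLACEHOLDER")

def check(body, now):
    """Everything a receiver can evaluate without fetching the public key: body hash, time window, oversigning."""
    return {"body_hash_ok": body_hash(body) == TAGS["bh"],
            "status": signature_status(TAGS, now),
            "oversigned": oversigned_headers(TAGS, HEADERS)}

if __name__ == "__main__":
    print(check(BODY, 1471000000))  # verbatim replay: bh= still matches, only the time window can catch it
    print(check(BODY.replace("http://example.com/payload", "http://redirect.example.com/x"), 1471000000))
```

A verbatim replay keeps `body_hash_ok` true, which is why only the x=/t= window or selector revocation helps against it, while rewriting the link flips it to false.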
On 12/08/2016 01:42, Robert Mueller wrote:
2. I bet a number of services out there are using the domains in DKIM
signed emails for reputation tracking. So this may be affecting the
reputation of our domains, even though we're not the genuine source of
the majority of the emails.
Hmm, looking
If I understand what's going on, Y! is doing an OR on DKIM & SPF and in
this case, your SPF record is bypassed by the DKIM pass.
The only thing to be done on your end is to not publish a DKIM record,
and then you're at risk for a prefix hijack, though that is visible to
some receivers, and it
> Use a different selector for each account holder, and then revoke
> selectors that are abused.
That's an interesting idea, but I'm not sure it'll be a big help.
The reality is that the timeline between signing up a new account, sending one
email, copying it and mass-sending it via an AWS instance could all be
Hi Robert,
On Aug 11, 2016, at 7:42 PM, Robert Mueller wrote:
> I can't see an easy way to stop this. It's impossible to block every
> single sent spam email ever, and all it takes is one email sent and
> signed by us to be able to be replicated as much as anyone wants.
I
Hi mailop
So it appears at the moment that we're experiencing a DKIM replay attack
against us. Basically some people are signing up a trial FastMail
account, sending a couple of emails to a gmail account (to get them DKIM
signed by us), and then copying the entire content of the email and
sending