On Fri, Oct 08, 2021 at 09:37:34AM +0200, Moritz Müller via dns-operations
wrote:
> > I wonder whether this is an attempt to collect the NSEC3 chain for an
> > off-line dictionary attack? 12 character random names are long enough
> > to sample the space very well, though shorter strings would also do.
>
> That sounds possible, but doesn’t explain the _dmarc/default labels, right?
Indeed the choice of labels is unexplained, a straightforward NSEC3 hash
scan would perhaps use just random 2LDs and QTYPE = A.
I can't think of why a high volume unsolicited mail batch would use DKIM
signatures with random non-existent origin domains, rather than simplky
leave the signatures out. I don't know of any advantages to adding such
DKIM signatures (DKIM signatures that can't be checked and absent DKIM
signatures are supposed to be equivalent).
--
Viktor.
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
