On Sun, 25 Dec 2022, you wrote: >> It's easy to sort wanted mail between forwards/mailing-lists and normal >> narrow-casted mail. Spam can masquerade as either; but if possible a >> spammer would want to look like narrow-casted mail as that is the only >> kind that could be expected to arrive from a stranger. To use this >> exploit, they must give that up. >> > If you're talking about replay, I don't understand "must". The replay > attack under discussion works fine if it's unicast.
The spammer wants it to *look* unicast, not actually be unicast. That means the From: and To: align with MAIL FROM: and RCPT TO:, and that the single From: address passes all available forgery checks. The To: header is covered by DKIM, hence the spammer *has* to use a generic To: that can be correct for at most a single intended victim. While in theory he could do the trick once for each victim, that's silly as it means one pass through the singer-victim's smarthost *per* spam victim. He's giving up the advantage of blinding his signer-victim's Abuse Desk to the true "fan-out" of his e-mail, which is the only reason to consider this hack. ---- Michael Deutschmann <[email protected]> _______________________________________________ Ietf-dkim mailing list [email protected] https://www.ietf.org/mailman/listinfo/ietf-dkim
