On Thu 05/Jan/2023 20:35:00 +0100 Dave Crocker wrote:
On 1/5/2023 11:03 AM, Wei Chuang wrote:
2. Are there any other kinds of replay scenarios that are an issue now?
I suspect there aren't.
While not exactly ARC replay, we've seen recently that spammers are exploring
munging the ARC headers. One campaign had them swapping a complete ARC
header set into another message. In another they added an incomplete set.
Consequently we're worried about the spammers exploiting ARC vulnerabilities.
There are some possibilities this suggests.
1. We could seek to explore and counter-act all (or a wide range) of replay
scenarios, independent of their type or actual presence. That is, both replays
that are present in the wild and replays that are merely deemed possible, no
matter how or why they do or might occur.
Well, that sounds like the best strategy in the long term, doesn't it?
For example, suppose we can sort out the few legitimate forwarding flows.
Then, we could reject all mail where the envelope recipient doesn't match a To:
or Cc: mailbox. That would counter the vast majority of replay attacks. And
the techniques for doing so are much less tangled than signing the envelope.
Some times it is worth addressing the real weaknesses of a system, rather than
some of the specific attack paths.
2. We could focus only on the know replay efforts so far, independent of type
or degree of threat.
3. We could focus only on known, significant replay efforts.
4. and so on...
Of these, only 4 ensures focused, pragmatic efforts,
Eh? You mean the "and so on..."?
Best
Ale
--
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
