Not that this is all that new a question, but I think it might be worthy
of more (and maybe different) focus...
When a message is used in a DKIM Replay Attack:
1. It originates from a domain name having good reputation
2. It passes quality checks from that sending domain
3. It goes to a collaborating receiving site, which presumably means
that site is not conducting quality assessments
4. It is re-posted, preserving the original DKIM signature, but now
becomes an attack
Two thoughts:
1. If the substance of the message should fail a quality assessment,
why does it pass at the outbound (sending) site?
2. If the problem is reasonable content, but sent to many unintended
(or, rather, undeclared) recipients, then the only characteristic of
note is the fact of multiple transmissions. So I'd guess it would take
a real-time network of receivers, working in /very/ close
coordination, to detect and deal with the attack. (It's not
difficult to imagine scattered retransmissions, over time, to hide
the coordination. Sort of a spread-spectrum transmission style...)
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
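The second thought above (a coordinated network of receivers, and scattered retransmissions as a way around it), worked through as an added example in Python. This is not code from the post or from any DKIM implementation: the signed message, its DKIM-Signature tag values, the receiver names and the delivery timeline are all constructed for the demo, and `ReplayTracker` is a hypothetical shared store standing in for whatever real coordination channel cooperating receivers would use. It fingerprints a message by the signature tags a replay must preserve (d=, s=, bh=, b=), counts distinct envelope recipients per fingerprint, and shows that each receiver on its own sees nothing, the shared view catches the replay, and a short look-back window lets the spread-out version through.

```python
"""
Toy DKIM-replay detector.  Added example, not code from the mailing-list
post or from any DKIM library.  Every message, tag value, receiver name
and timestamp below is constructed for the demonstration.
"""
import email
import re
from collections import defaultdict


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature tag=value list into a dict (RFC 6376 s3.2).
    Folding whitespace may appear inside values (b= and bh= are usually
    folded), so all whitespace is stripped from every value."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signature_fingerprint(raw_message):
    """Identify the signature that a replay necessarily preserves: signing
    domain, selector, body hash and the signature value itself.  Returns
    None for unsigned or malformed messages (they are not replay candidates;
    a replay by definition keeps the original, valid signature)."""
    msg = email.message_from_bytes(raw_message)
    header = msg.get("DKIM-Signature")
    if header is None:
        return None
    tags = parse_dkim_tags(header)
    if not all(t in tags for t in ("d", "s", "bh", "b")):
        return None
    return (tags["d"].lower(), tags["s"], tags["bh"], tags["b"])


class ReplayTracker:
    """Hypothetical shared state for a network of cooperating receivers.
    A signature delivered to more than `threshold` distinct envelope
    recipients is flagged.  `window` (seconds) bounds how far back deliveries
    are remembered; None means remember them indefinitely."""

    def __init__(self, threshold, window=None):
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(dict)  # fingerprint -> {rcpt: last_seen_time}

    def observe(self, fingerprint, rcpt_to, now):
        """Record one delivery (envelope recipient, not the signed To:
        header, since that is what a replay changes).  Returns True when
        this delivery pushes the signature over the recipient threshold."""
        if fingerprint is None:
            return False
        recipients = self.seen[fingerprint]
        recipients[rcpt_to.lower()] = now
        if self.window is not None:
            for rcpt, seen_at in list(recipients.items()):
                if now - seen_at > self.window:
                    del recipients[rcpt]  # too old to count any more
        return len(recipients) > self.threshold


# Constructed message: the bh= and b= values are placeholders shaped like
# real ones, not a real signature.  The b= value is folded across two lines
# to exercise the whitespace handling in parse_dkim_tags.
SIGNED_MESSAGE = b"""DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;
 h=from:to:subject:date; bh=Vz5k9lH3Q0mA2b7XfQm1pK8dTq2xLb0r6vGdN1yJ4cE=;
 b=MIIBCgKCAQEA2f7rTzq0examplevalue+construc
 tedForThisDemo/NotARealSignature==
From: Alice <alice@example.com>
To: bob@example.org
Subject: Hello
Date: Mon, 01 Jan 2024 00:00:00 +0000

Hi Bob.
"""

# Constructed delivery log: (receiving site, envelope recipient, seconds).
# The first delivery is the declared recipient; the rest are the same
# signed message replayed to undeclared recipients, one per hour, through
# different receivers.
DELIVERIES = [
    ("receiver-A", "bob@example.org", 0),
    ("receiver-B", "carol@example.net", 3600),
    ("receiver-C", "dan@example.net", 7200),
    ("receiver-B", "erin@example.net", 10800),
    ("receiver-A", "frank@example.net", 14400),
]


def run_detection(deliveries, threshold=2, window=None, shared=True):
    """Replay the delivery log through either one shared tracker (the
    coordinated network) or one isolated tracker per receiver.  Returns the
    deliveries that were flagged."""
    fingerprint = signature_fingerprint(SIGNED_MESSAGE)
    trackers = defaultdict(lambda: ReplayTracker(threshold, window))
    flagged = []
    for receiver, rcpt, when in deliveries:
        tracker = trackers["shared" if shared else receiver]
        if tracker.observe(fingerprint, rcpt, when):
            flagged.append((receiver, rcpt, when))
    return flagged


if __name__ == "__main__":
    print("isolated receivers:", run_detection(DELIVERIES, shared=False))
    print("shared, no window: ", run_detection(DELIVERIES))
    print("shared, 30 min:    ", run_detection(DELIVERIES, window=1800))
```

The three runs make the trade-off concrete: with the replays spread one per hour across sites, no single receiver ever sees more than two recipients for the signature, the shared tracker with unbounded memory flags the third delivery and every one after it, and a shared tracker that only looks back 30 minutes flags nothing. Bounding memory is what any real shared store would have to do, and the attacker's retransmission interval just has to exceed that bound. A production version would also have to exempt legitimate fan-out (the signed To: header, mailing-list expansion) rather than count every distinct envelope recipient as suspicious.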