On Wed, Aug 30, 2023 at 1:18 AM Laura Atkins <[email protected]> wrote:
> > On 29 Aug 2023, at 19:07, Dave Crocker <[email protected]> wrote:
> >
> > Not that this is all that new a question, but I think it might be worthy of more (and maybe different focus)...
> >
> > When a message is used in a DKIM Replay Attack:
> >
> > 1. It originates from a domain name having good reputation
> > 2. It passes quality checks from that sending domain
> > 3. It goes to a collaborating receiving site, which presumably means that site is not conducting quality assessments
> > 4. It is re-posted, preserving the original DKIM signature, but now becomes an attack
> >
> > Two thoughts:
> >
> > 1. If the substance of the message should fail a quality assessment, why does it pass at the outbound (sending) site?
>
> Spam isn’t really about substance, though, it’s about being unwanted and volume. A lot of things outbound folks use to identify spam require volume - like ‘is this audience similar to the audience we’ve seen report high levels of spam in the past’ or ‘does this send to addresses we know receive a lot of spam’ or ‘is this account sending to a lot of bad addresses’. There are other checks, like ‘does this email contain a link pointing to a hostname on any of these DNSBLs’ - but that’s trivially solved by just pulling out a link that isn’t on a DNSBL. The professional spam gangs, who are likely behind the attacks, have a deep bench of domains that they pull in and out of circulation on a regular basis.
>
> This also doesn’t address the problem that Google mentioned where they saw Youtube alerts / welcome messages replayed, possibly as a way to create a good IP reputation.

+1 to the points above, especially about professional spam gangs that have the resources to bypass the outbound spam protections.

> > 2. If the problem is reasonable content, but sent to many unintended (or, rather, undeclared) recipients, then the only characteristic of note is the fact of multiple transmissions. So I'd guess it is only a real-time network of receivers, working in /very/ close coordination, to detect and deal with the attack. (it's not difficult to imagine scattered retransmissions, over time, to hide the coordination. Sort of a spread spectrum transmission style...)
>
> My understanding is that one of the primary ways to ID a replay is using Google postmaster tools and seeing increases in their graphs without a corresponding increase in volume from their systems.

+1. Also getting at Dave's point about creating meaningful signals out of the replay spam amplification, yes, the magnitude and shape might be helpful. The Yahoo signature counting certainly represents using magnitude as a signal, and presumably in their distributed system they have some framework that effectively evaluates these thresholds. But a caveat: at a certain threshold, large mailing-list broadcasts are going to look similar to spam attacks. A different tack is the notion of getting spammers to declare and sign their recipients (DARA). If they do, then it provides a forwarding identity to associate with the amplified traffic pattern. And if they don't, then block that traffic.

-Wei

> laura
>
> --
> The Delivery Expert
>
> Laura Atkins
> Word to the Wise
> [email protected]
>
> Delivery hints and commentary: http://wordtothewise.com/blog
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
