On 1/16/2024 8:52 AM, Mike Hillyer wrote:
In my discussions, I've been told of malicious parties sending messages
with blank subject headers (not missing, the header name is there with
no value), and adding a second subject header with the payload subject
line, and some MUAs will either show the subject because it is higher up
in the header list, or because the original was blank, but the DKIM
validates because the blank subject header is in the signature and is
the one checked.

Ahh. OK.  Oversigning, to prevent sending a version of the message onward -- but with one or another field added -- is generally viewed as a Good Thing. I have tried to locate one, but I believe there are some best practices documents that give advice about doing it.

However it is not what is meant by DKIM Replay.

DKIM Replay re-sends an /unmodified/ copy of the message, where only the SMTP RCPT-To is different.  DKIM doesn't (and can't) cover that SMTP command.


d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
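Added illustration (not from the thread): the RFC 6376 header-selection rule behind oversigning, run against a constructed message whose Subject header is present but empty. Each name in h= consumes the next unused instance of that header working from the bottom of the header block, so listing "subject" twice binds the (absent) second instance; if a second Subject is later prepended, the signed input changes and the signature fails. A SHA-256 comparison of the canonicalized header input stands in for real signature verification.

```python
import hashlib
import re

def parse_headers(raw):
    """Split a raw header block into ordered (name, value) pairs, keeping folded lines together."""
    fields = []
    for line in raw.split("\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] = (fields[-1][0], fields[-1][1] + "\n" + line)  # folded continuation
        elif line:
            name, _, value = line.partition(":")
            fields.append((name, value))
    return fields

def relaxed(name, value):
    """RFC 6376 3.4.2 relaxed header canonicalization: lowercase name, unfold, collapse WSP."""
    value = re.sub(r"[ \t]*\r?\n[ \t]*", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.strip().lower()}:{value}"

def select_signed_headers(fields, h_tag):
    """RFC 6376 5.4.2: each h= entry takes the next unused instance, bottom up.
    An entry with no remaining instance contributes nothing; that is oversigning."""
    remaining = list(fields)
    chosen = []
    for want in h_tag.split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].strip().lower() == want.lower():
                chosen.append(remaining.pop(i))
                break
    return chosen

def header_hash_input(raw, h_tag):
    """Canonicalized header data covered by the signature (DKIM-Signature field itself omitted here)."""
    return "\r\n".join(relaxed(n, v) for n, v in select_signed_headers(parse_headers(raw), h_tag))

def verifies(signed_raw, received_raw, h_tag):
    """Stand-in for signature verification: passes iff the signed header input is unchanged."""
    a = hashlib.sha256(header_hash_input(signed_raw, h_tag).encode()).digest()
    b = hashlib.sha256(header_hash_input(received_raw, h_tag).encode()).digest()
    return a == b

# Constructed sample: the signer's message carries a Subject header with an empty value.
ORIGINAL = "From: alice@example.com\nSubject:\nTo: bob@example.org\n"
# Constructed: a second Subject is prepended in transit; MUAs that show the topmost one display it.
TAMPERED = "Subject: Urgent: reset your password\n" + ORIGINAL

if __name__ == "__main__":
    print("h=from:to:subject         ->", verifies(ORIGINAL, TAMPERED, "from:to:subject"))
    print("h=from:to:subject:subject ->", verifies(ORIGINAL, TAMPERED, "from:to:subject:subject"))
```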
