On 4/23/2025 3:31 PM, Allen Robinson wrote:
On Wed, Apr 23, 2025 at 8:13 AM Alessandro Vesely <[email protected]> wrote:
While a large number of recipients is not a requirement, a spear-phishing message addressed to a single recipient can more easily be sent directly to that recipient. Unless the spammer needs to hide all traces of contact with the victim, that is.
There is less obvious value in replaying messages to a single destination, but IMO it still fits the definition of replay.
For the case of a single target, I see some non-zero value in using the technique. Leveraging a reputable domain's signature to achieve delivery of a slightly modified message, for example, would involve some sort of capture+replay.
* I assume we do not have a goal of giving guidance to help bad actors do a better job of being bad actors.
* My own point was not whether bad actors should or will use DKIM Replay for attacking a single recipient, but merely that it is feasible. As in "one can imagine". When planning defenses, it is best to take hypotheticals seriously.
* There is nothing in the essential mechanics of DKIM Replay that needs to care about how many secondary recipients they send to.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
bluesky: @dcrocker.bsky.social
mast: @[email protected]
_______________________________________________
Ietf-dkim mailing list -- [email protected]
To unsubscribe send an email to [email protected]