Replay Abuse Damaging Signature Acceptance: Company X sends out a newsletter offered by free subscriptions verified with a double-opt-in process. A similar situation to that of a list-server or a free email-address provider. Company X signs their newsletter with the expectation that the signature improves the acceptance of their messages.

Bad-Actor Y subscribes to the newsletter of Company X using a free email-address obtained from a large Domain Z. Bad-Actor Y receives the newsletter, and redistributes the newsletter through pirate systems with the intent of damaging the acceptability of Company X signatures. The motivation may be extortion, disrupting competition, or a senseless act of vandalism.

As it happens, Company X makes a separate signature for each recipient and responds by excluding the email-address used by Bad-Actor Y when they issue their next newsletter. Domain Z is very large and there are always new subscriptions from this domain. This time a different email-address from Domain Z has again redistributed the newsletter. Company X was warned initially, and now appears on a block-list where the unintended distribution has made Company X appear to be a spammer. A reputation service would be unable to respond with "bad" signatures in a timely fashion to effectively squelch a rapid redistribution.

Company K within the same industry decides Company X is playing unfairly and that they too should send newsletters anywhere and blame complaints on a message replay abuse problem, just as Company X has done. Company X is a good actor, and Company K is a bad actor, but both appear to be signing messages sent to unsubscribed recipients. This problem will exist within any free-email domain, a large domain subjected to compromised systems, and list-servers, in addition to other scenarios. A conclusion likely soon reached by many recipients will be that signatures, due to replay abuse effectively removing outbound constraints, are worthless as a means for basing acceptance. While some may view DKIM as offering value by removing non-conforming messages, even this mechanism is easily circumvented.

A Low Administrative Solution Insensitive to High Latency: Just as email domains check lists when deciding to receive a message, they now also check a list to decide whether to sign, or perhaps even send, a message. With this paradigm, as a best practice, to assure Company X that it is safe for them to send their newsletter, Domain Z replaces the incoming signature with an MDA-specific signature at the edge of their AdmD. An MDA-specific signature cannot be used to resend a message, but still allows users of Domain Z to be assured the message is valid, and the completed by Domain Z when the message first arrived. Domains not replacing the incoming signature with an MDA signature are at risk of either receiving messages unsigned or perhaps not receiving messages at all once DKIM becomes more widely adopted.

Impact: "Thin" mediators should not be used as this interferes with assessing the behavior of the destination and may subject the "Thin" mediator to being assessed as an abusive destination. Closed Email-address policies become more problematic when the decision not to sign may also cause the message to not be accepted. Initially, a DKIM-Adopters list may help remedy this problem.

-Doug

_______________________________________________
ietf-dkim mailing list
http://dkim.org
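The replay problem and the edge re-signing remedy described in the message above, as an added example that is not part of the original post or of any DKIM implementation. It models why a DKIM signature keeps verifying when the same bytes are re-sent to new envelope recipients (the signature covers header fields and body, never RCPT TO), and what changes when the receiving domain strips the inbound signature and replaces it with an MDA-specific one bound to the delivered mailbox. HMAC-SHA256 with per-domain secret keys stands in for RSA-SHA256 with DNS-published public keys; the canonicalization is a reduced "relaxed"; every domain, selector, address and key is constructed; and the receiver rule that an "mda" selector only counts at its own Delivered-To mailbox is this example's convention, not anything DKIM specifies.

```python
"""Model of DKIM replay and edge re-signing (added example, not from the post).
HMAC-SHA256 with per-domain secret keys stands in for DKIM's RSA-SHA256 with
DNS-published public keys; canonicalization is a reduced "relaxed". Domains,
selectors, addresses and keys are constructed, and treating an "mda" selector
as valid only at its Delivered-To mailbox is this example's own convention."""
import hashlib
import hmac
import re

# Constructed keys. Real DKIM publishes the public half at <selector>._domainkey.<domain>.
KEYS = {
    ("companyx.example", "news"): b"companyx-newsletter-key",
    ("z.example", "mda"): b"domain-z-mda-key",
}

def _signature_input(headers, signed_fields, body):
    """Bytes the signature covers: listed header fields plus the body hash. The
    SMTP envelope (RCPT TO) is never included, so a replayed copy verifies anywhere."""
    bh = hashlib.sha256(body.encode()).hexdigest()
    parts = []
    for name in signed_fields:
        if name.lower() == "dkim-signature":
            continue  # never hash the signature header itself
        for hname, hvalue in reversed(headers):  # last instance, as DKIM does
            if hname.lower() == name.lower():
                value = re.sub(r"\s+", " ", hvalue).strip()
                parts.append(f"{hname.lower()}:{value}\r\n")
                break
    return "".join(parts).encode() + bh.encode(), bh

def sign(headers, body, domain, selector, signed_fields):
    """Prepend a DKIM-Signature-style header made with (domain, selector)'s key."""
    data, bh = _signature_input(headers, signed_fields, body)
    b = hmac.new(KEYS[(domain, selector)], data, hashlib.sha256).hexdigest()
    tag = (f"v=1; a=hmac-sha256; d={domain}; s={selector}; "
           f"h={':'.join(signed_fields)}; bh={bh}; b={b}")
    return [("DKIM-Signature", tag)] + headers

def verify(headers, body):
    """Return every (domain, selector) whose signature on this message verifies."""
    good = []
    for hname, hvalue in headers:
        if hname.lower() != "dkim-signature":
            continue
        tags = dict(t.strip().split("=", 1) for t in hvalue.split(";") if t.strip())
        key = KEYS.get((tags.get("d"), tags.get("s")))
        if key is None:
            continue
        data, bh = _signature_input(headers, tags["h"].split(":"), body)
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
        if bh == tags["bh"] and hmac.compare_digest(expected, tags["b"]):
            good.append((tags["d"], tags["s"]))
    return good

def mda_resign(headers, body, rcpt_to):
    """Domain Z's edge: verify the inbound signature, strip it, and re-sign with
    an MDA selector over a Delivered-To field naming the actual mailbox."""
    result = "pass" if verify(headers, body) else "none"
    kept = [(n, v) for n, v in headers if n.lower() != "dkim-signature"]
    kept = [("Delivered-To", rcpt_to),
            ("Authentication-Results", f"z.example; dkim={result}")] + kept
    return sign(kept, body, "z.example", "mda",
                ["Delivered-To", "Authentication-Results", "From", "To", "Subject"])

def usable_signatures(headers, body, local_rcpt):
    """Receiver policy (this example's convention): an "mda" signature counts
    only when its Delivered-To is one of our own mailboxes."""
    delivered = [v for n, v in headers if n.lower() == "delivered-to"]
    return [(d, s) for d, s in verify(headers, body)
            if s != "mda" or local_rcpt in delivered]

def replay_scenario():
    """Walk the post's scenario and return the checks worth looking at."""
    body = "Constructed newsletter body.\r\n"
    headers = [("From", "news@companyx.example"),
               ("To", "subscribers@companyx.example"),
               ("Subject", "Company X newsletter")]
    signed = sign(headers, body, "companyx.example", "news", ["From", "To", "Subject"])
    # Y re-sends the identical bytes to new envelope recipients; nothing signed
    # changed, so Company X's signature verifies for every one of them.
    replay_verifies = verify(signed, body) == [("companyx.example", "news")]
    # After edge re-signing, the copy in Y's mailbox carries only Z's MDA
    # signature bound to Y's address. Z still accepts a replay of it for Y's
    # mailbox; a third party sees an MDA signature for someone else's mailbox.
    in_y_mailbox = mda_resign(signed, body, "bad-actor-y@z.example")
    return {
        "replay_verifies": replay_verifies,
        "x_signature_survives_edge":
            ("companyx.example", "news") in verify(in_y_mailbox, body),
        "mda_sig_usable_at_z_for_y":
            usable_signatures(in_y_mailbox, body, "bad-actor-y@z.example"),
        "mda_sig_usable_at_other_domain":
            usable_signatures(in_y_mailbox, body, "victim@other.example"),
    }
```

Run `replay_scenario()` to see the four outcomes side by side: the untouched newsletter verifies for any replayed recipient, while after re-signing Company X's signature is no longer attached to what Bad-Actor Y holds, and the remaining MDA signature is only accepted at the mailbox it names. The point the code makes that the prose cannot is where the envelope sits: `_signature_input` never sees RCPT TO, which is the whole reason the edge has to bind delivery into a signed header before the message leaves its control.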
