On May 26, 2007, at 3:29 PM, Barry Leiba wrote:
>> A DKIM signed message can be replayed from other SMTP clients.
>> This is a desirable feature, but permits abuse when receivers base
>> message acceptance upon (the reputation of) the DKIM domain.
> Are you talking about the scenario wherein you send a message in a
> legitimate way and capture the signed message (for instance, you
> send a message from your mail-abuse.org address to your own
> yahoo.com address), and then you re-send that message, perhaps as
> spam, from some other domain (say, spam-is-profitable.com)?
Your example complicates this, as Yahoo adds a signature, whereas the
domain used to send this message does not.
Any message has a potential of becoming spam. Who initiated a
message to a recipient is important in assessment of:
a) reputation, and
b) message acceptance.
Without mitigating conditions, messages signed by yahoo.com will not
safely serve as a basis for either reputation or acceptance.
Perhaps a more likely scenario would be where a bad actor sends a
message from a DKIM signing domain comprising a large number of users
to some other domain also comprising a large number of users. These
messages might then be reissued from a bot-net within the signing
domain. Soon we'll complete an ongoing process categorizing email
sources, but of about 70 million active email sources, more than half
behave like a bot-net.
Mitigation might need to be better defined:
A) the SMTP RCPT TO is within the signed portion of the message,
B) or when a _confirmed_ SMTP client is within the DKIM domain.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
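The replay problem and the two mitigations Doug lists can be shown in a small model. The following is an added example, not code from the thread or from any DKIM implementation: it stands in for DKIM's RSA signature with an HMAC over the h= header set and a body hash so it runs offline, and it assumes a constructed `X-Signed-Rcpt` header (not a standard DKIM header) as the way to put the intended recipient inside the signed portion (mitigation A), plus a constructed allow-list of confirmed client addresses for the signing domain (mitigation B). What it shows is that the signature verifies identically no matter which SMTP client re-sends the message or to whom, and that the receiver only gets a useful acceptance signal once it checks the envelope against something the signer vouched for.

```python
import hashlib
import hmac

# Constructed stand-in for the signing domain's private key. Real DKIM
# signs with RSA or Ed25519 and publishes the public key in DNS; HMAC is
# used here only so the example runs offline with the standard library.
SIGNING_KEY = b"constructed-demo-key-for-example.com"

# Constructed allow-list of SMTP clients the signing domain has confirmed
# as its own outbound relays (mitigation B). A compromised host inside
# the domain's address space is deliberately not on it.
CONFIRMED_CLIENTS = {"192.0.2.10", "192.0.2.11"}

# Constructed header carrying the recipients the signer vouches for.
# Listing it in h= is what binds RCPT TO to the signature (mitigation A).
RCPT_HEADER = "x-signed-rcpt"


def canonical(headers, body, signed_fields):
    """Bytes covered by the (simplified) signature: the h= header fields
    in order with lower-cased names, plus a body hash. Envelope data
    (MAIL FROM, RCPT TO, client address) is never included, which is why
    a signed message verifies wherever it is replayed from."""
    lowered = {k.lower(): v for k, v in headers.items()}
    lines = [f"{name}:{lowered.get(name, '').strip()}" for name in signed_fields]
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    return ("\n".join(lines) + "\n" + body_hash).encode()


def sign(headers, body, signed_fields, key=SIGNING_KEY):
    """Return a dict standing in for the h= and b= tags of DKIM-Signature."""
    mac = hmac.new(key, canonical(headers, body, signed_fields), hashlib.sha256)
    return {"h": list(signed_fields), "b": mac.hexdigest()}


def verify(headers, body, sig, key=SIGNING_KEY):
    """Plain DKIM-style verification: envelope-blind. Because h= itself
    drives the canonical form, dropping or editing a signed header
    (including the recipient header) invalidates the signature."""
    mac = hmac.new(key, canonical(headers, body, sig["h"]), hashlib.sha256)
    return hmac.compare_digest(mac.hexdigest(), sig["b"])


def rcpt_bound(headers, sig, rcpt_to):
    """Mitigation A: the SMTP RCPT TO must appear in a recipient header
    that is itself inside the signed h= set."""
    if RCPT_HEADER not in [h.lower() for h in sig["h"]]:
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    listed = {a.strip().lower() for a in lowered.get(RCPT_HEADER, "").split(",")}
    return rcpt_to.lower() in listed


def accept(headers, body, sig, rcpt_to, client_ip):
    """Receiver decision: a valid signature alone is not enough; either
    the recipient is bound (A) or the client is confirmed (B)."""
    dkim_ok = verify(headers, body, sig)
    bound = rcpt_bound(headers, sig, rcpt_to)
    confirmed = client_ip in CONFIRMED_CLIENTS
    return {
        "dkim": dkim_ok,
        "rcpt_bound": bound,
        "client_confirmed": confirmed,
        "accept": dkim_ok and (bound or confirmed),
    }


def run_demo():
    """Constructed message: signed once, then replayed three ways."""
    headers = {
        "From": "alice@example.com",
        "To": "bob@example.net",
        "Subject": "Quarterly numbers",
        "X-Signed-Rcpt": "bob@example.net",
    }
    body = "Attached are the figures we discussed.\n"
    sig = sign(headers, body, ["from", "to", "subject", RCPT_HEADER])

    # Original delivery: confirmed relay, recipient matches the signed list.
    original = accept(headers, body, sig, "bob@example.net", "192.0.2.10")
    # Replay to a new recipient from a host inside the signing domain's
    # address space that is not a confirmed client (the botnet case).
    replay_bot = accept(headers, body, sig, "carol@example.org", "192.0.2.200")
    # Replay to a new recipient from an unrelated network.
    replay_other = accept(headers, body, sig, "carol@example.org", "203.0.113.5")
    # Replay with the signed recipient header rewritten: signature breaks.
    edited = dict(headers, **{"X-Signed-Rcpt": "carol@example.org"})
    retargeted = accept(edited, body, sig, "carol@example.org", "203.0.113.5")
    return {"original": original, "replay_bot": replay_bot,
            "replay_other": replay_other, "retargeted": retargeted}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, verdict)
```

In every replay the signature itself still verifies (the `dkim` flag stays true), so a receiver that bases acceptance on the signing domain alone treats the re-sent copies exactly like the original; only the envelope checks separate them.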