On 9/2/10 11:23 AM, Rolf E. Sonneveld wrote:
> Hi, Murray,
>
> On 09/02/2010 07:42 PM, Murray S. Kucherawy wrote:
>>> On Thursday, September 02, 2010 10:35 AM Alessandro Vesely wrote:
>>>
>>> However, the other issue is to break or remove author domain
>>> signatures. John has pointed this out for a long time, for FBL
>>> reasons. Doug has brought out the same issue for replay attacks
>>> aimed at breaking reputation, because replaying is definitely out of
>>> control in the case of publicly distributed messages.
>> What's the danger of replaying legitimate mail, other than to cause volume
>> detection alarms to go off?
> I think Doug was not talking about replaying legitimate mail but illegitimate
> mail. I believe Doug described this scenario in one of his previous
> messages either on domainrep or here on this list (Doug, excuse me if
> this summary lacks the nuances):
>
> Someone sends a spam-type message from a large ESP to a mailbox he owns,
> somewhere on the Internet. The message is DKIM signed by the ESP. The
> spammer then takes the entire message including complete headers, and
> replays it using different envelope To: addresses and (optionally)
> different envelope From addresses. A verifier finds the signature to be
> valid and at the end of the day this type of replay will impact the
> reputation of the ESP.

Rolf,

You're close. Bad actors can't use different From header fields, because this field MUST be signed. Also, they'll likely have a collection of messages to send en masse within a short period before exploiting different accounts. To defend against this problem, an ESP could utilize one of their subdomains to sign their messages, and assert ADSP dkim=tpa-path for the domains they use to exchange email. Those that implement ADSP would see less spam, and the TPA-Label would also allow providers a means to stipulate which sources they authorize to replay their messages. In addition, the TPA-Label also stipulates how SMTP clients are to be authenticated prior to acceptance, to make this easier for recipients. This should also offer ESPs a level of protection from lax reputation services that fail to authenticate the domains being assessed.

-Doug

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
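The replay scenario Rolf summarizes and the point Doug makes about the From header (that it MUST be signed, so it cannot be changed in a replay) can both be shown with a small sign/verify harness. The following is an added example written for this page; it is not code from the thread, from the DKIM specification or from any ESP. It implements RFC 6376-style relaxed canonicalization and the h= / bh= / b= tag layout, but uses an HMAC with a constructed secret as a stand-in for the RSA private key so it runs offline with only the standard library; the domain names, message contents and the receiver-side replay counter are all constructed assumptions.

```python
"""DKIM replay, illustrated with a minimal RFC 6376-style sign/verify.
Constructed example. The HMAC stand-in for the ESP's RSA key is an
assumption so the block runs offline with only the standard library."""
import base64
import hashlib
import hmac
import re
from collections import defaultdict

SIGNING_KEY = b"constructed-esp-key"    # stand-in for the ESP's private key (assumption)
ESP_DOMAIN = "bulk.example-esp.test"    # constructed d= domain
SIGNED_FIELDS = ["From", "To", "Subject", "Date", "Message-ID"]


def relaxed_header(name, value):
    """RFC 6376 'relaxed' header canonicalization: lowercase name, unfold,
    collapse runs of whitespace, strip leading/trailing whitespace."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def relaxed_body(body):
    """Relaxed body canonicalization: trim trailing WSP per line, collapse
    WSP runs, CRLF line ends, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", l.rstrip(" \t")) for l in body.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(l + "\r\n" for l in lines)


def b64(data):
    return base64.b64encode(data).decode()


def header_hash_input(headers, fields, sig_header):
    # Fields listed in h= but absent from the message contribute nothing;
    # the DKIM-Signature header itself is included last with an empty b=.
    data = "".join(relaxed_header(n, headers[n]) for n in fields if n in headers)
    return data + relaxed_header("DKIM-Signature", sig_header).rstrip("\r\n")


def dkim_sign(headers, body, domain=ESP_DOMAIN, selector="s1", fields=SIGNED_FIELDS):
    bh = b64(hashlib.sha256(relaxed_body(body).encode()).digest())
    unsigned = (f"v=1; a=hmac-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
                f"h={':'.join(fields)}; bh={bh}; b=")
    mac = hmac.new(SIGNING_KEY, header_hash_input(headers, fields, unsigned).encode(),
                   hashlib.sha256).digest()
    return unsigned + b64(mac)


def parse_tags(sig):
    return {k.strip(): v.strip()
            for k, v in (p.split("=", 1) for p in sig.split(";") if "=" in p)}


def dkim_verify(headers, body, sig):
    tags = parse_tags(sig)
    if tags.get("bh") != b64(hashlib.sha256(relaxed_body(body).encode()).digest()):
        return False
    unsigned = re.sub(r"b=[^;]*$", "b=", sig)   # verify over the header with b= emptied
    mac = hmac.new(SIGNING_KEY,
                   header_hash_input(headers, tags["h"].split(":"), unsigned).encode(),
                   hashlib.sha256).digest()
    return hmac.compare_digest(b64(mac), tags["b"])


# Constructed spam-type message a customer sends through the ESP to a mailbox
# the spammer controls. Nothing below is a real address or message.
ORIGINAL_HEADERS = {
    "From": "offers@customer.example",
    "To": "drop@mailbox-the-spammer-owns.example",
    "Subject": "Your reward is waiting",
    "Date": "Thu, 2 Sep 2010 18:42:00 +0000",
    "Message-ID": "<constructed-1@bulk.example-esp.test>",
}
ORIGINAL_BODY = "Click the link below to claim it.\n"
SIGNATURE = dkim_sign(ORIGINAL_HEADERS, ORIGINAL_BODY)


def replay_to_new_recipient_verifies():
    # Replay: identical headers and body, only the SMTP envelope (MAIL FROM /
    # RCPT TO) changes. The envelope is not covered by the signature at all,
    # so the ESP's signature still verifies at the new recipient.
    envelope = {"mail_from": "anyone@elsewhere.example", "rcpt_to": "victim@recipient.example"}
    return dkim_verify(ORIGINAL_HEADERS, ORIGINAL_BODY, SIGNATURE), envelope["rcpt_to"]


def replay_with_changed_from_verifies():
    # From is a MUST-sign header, so rewriting it breaks the signature.
    tampered = dict(ORIGINAL_HEADERS, From="ceo@bank.example")
    return dkim_verify(tampered, ORIGINAL_BODY, SIGNATURE)


def flag_replayed_signatures(deliveries, max_distinct_rcpts):
    """Receiver-side volume check (an assumption, not a DKIM feature): one
    signed message normally reaches a handful of recipients, so the same
    (d=, b=) value arriving for many distinct RCPT TO addresses is the
    replay pattern. Returns the (d=, b=) keys that exceed the threshold."""
    seen = defaultdict(set)
    for rcpt_to, sig in deliveries:
        tags = parse_tags(sig)
        seen[(tags["d"], tags["b"])].add(rcpt_to)
    return {key for key, rcpts in seen.items() if len(rcpts) > max_distinct_rcpts}


def replay_detected():
    deliveries = [(f"user{i}@recipient.example", SIGNATURE) for i in range(50)]
    deliveries.append(("solo@recipient.example",
                       dkim_sign(ORIGINAL_HEADERS, "A different newsletter.\n")))
    flagged = flag_replayed_signatures(deliveries, max_distinct_rcpts=10)
    return len(flagged) == 1 and next(iter(flagged))[0] == ESP_DOMAIN
```

The two replay functions show the asymmetry the thread turns on: changing the envelope leaves the ESP's signature intact, while changing the From header does not. The counter in `flag_replayed_signatures` is the kind of "volume detection alarm" Murray mentions, keyed on the signature value rather than on the sender, so it fires on the replayed message without penalizing the ESP's other traffic; the threshold of 10 distinct recipients is arbitrary.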
