Hi Robert,

On Aug 11, 2016, at 7:42 PM, Robert Mueller <[email protected]> wrote:

> I can't see an easy way to stop this. It's impossible to block every
> single sent spam email ever, and all it takes is one email sent and
> signed by us to be able to be replicated as much as anyone wants.

I haven't used this in practice, but here is a possible solution: use a different selector for each account holder, and then revoke selectors that are abused.

In your DNS setup, something like:

    *.users._domainkey.fastmail.fm TXT "private key here"

Then sign mail with a selector like "u1234.users", where 1234 is a unique user identifier. (All of these selectors will have the same private key.)

When you detect a DKIM replay attack from a user, for example user 3456, you can delete that selector and make the signature invalid by creating this DNS record to take precedence over the wildcard:

    u3456.users._domainkey.fastmail.fm TXT ""

You'll have to rotate out the abused selector to mitigate the existing attack.

I hope this helps.

David Harris

_______________________________________________
mailop mailing list
[email protected]
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
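The mechanics of the proposal above, as an added example that is not part of the original post and is not FastMail's or David Harris's code: a verifier-side model of what happens when a per-user selector is looked up. The zone contents, selector names, user IDs and the public-key blob are constructed for the demonstration. The example only shows which TXT record a DKIM verifier would fetch for the selector in a DKIM-Signature header and whether that record revokes the key; the RSA check of the b= tag is omitted. It also goes slightly beyond the post by implementing DNS wildcard precedence (an explicit owner name beats the wildcard, and a wildcard only applies when no closer enclosing name exists), since that is what makes the override record work.

```python
"""Per-user DKIM selectors served by one wildcard record, with per-selector
revocation. Added example; zone data, selectors and key blob are constructed.
"""
import re

# Constructed zone. The wildcard serves every per-user selector; an explicit
# owner name takes precedence over it (RFC 1034 wildcard semantics), which is
# how a single abused selector is revoked without touching the others.
ZONE = {
    "*.users._domainkey.fastmail.fm":
        "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AconstructedKeyBlob",
    # Revoked selector from the post: an empty TXT record overriding the wildcard.
    "u3456.users._domainkey.fastmail.fm": "",
}

# Constructed DKIM-Signature header values, one per user (bh=/b= are placeholders).
SIGNATURES = {
    1234: "v=1; a=rsa-sha256; d=fastmail.fm; s=u1234.users; "
          "h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED",
    3456: "v=1; a=rsa-sha256; d=fastmail.fm; s=u3456.users; "
          "h=from:to:subject; bh=CONSTRUCTED; b=CONSTRUCTED",
}


def selector_for_user(user_id):
    """Build the per-user selector the post proposes: 'u<id>.users'."""
    return "u%d.users" % user_id


def _node_exists(name, zone):
    """True if `name` is an owner name in the zone or has names below it."""
    return name in zone or any(n.endswith("." + name) for n in zone)


def lookup_txt(name, zone=ZONE):
    """Resolve `name` against `zone` with DNS wildcard semantics.

    Returns the TXT value, or None for NXDOMAIN. An explicit record always
    wins. Otherwise walk up to the closest existing enclosing name; only a
    wildcard directly under that name can match (so a wildcard may cover
    several labels, but never anything beneath an explicit record).
    """
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        if _node_exists(suffix, zone):
            return zone.get("*." + suffix)
    return None


def parse_tags(value):
    """Parse an RFC 6376 tag=value list (DKIM-Signature or key record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def key_record_status(sig_header, zone=ZONE):
    """Return (status, detail) for the selector named in a DKIM-Signature.

    status: 'ok' (usable p= found; detail is the key), 'revoked' (detail is
    the raw record) or 'nxdomain'. RFC 6376 section 3.6.1 says an empty p=
    means the key is revoked; an empty record has no p= at all, so both are
    treated as revoked, and a real verifier would return PERMFAIL.
    """
    tags = parse_tags(sig_header)
    qname = "%s._domainkey.%s" % (tags["s"], tags["d"])
    record = lookup_txt(qname, zone)
    if record is None:
        return "nxdomain", None
    key = parse_tags(record).get("p")
    if not key:
        return "revoked", record
    return "ok", key


def revoke_selector(user_id, zone, domain="fastmail.fm"):
    """Publish the empty override record for one user's selector."""
    zone["%s._domainkey.%s" % (selector_for_user(user_id), domain)] = ""


if __name__ == "__main__":
    for uid, sig in SIGNATURES.items():
        print(uid, key_record_status(sig))
    # Wildcard covers extra labels, but not anything below the explicit record.
    print(lookup_txt("x.y.users._domainkey.fastmail.fm") is not None)
    print(lookup_txt("x.u3456.users._domainkey.fastmail.fm"))
```

Two operational points fall out of the model: the override record must be an explicit owner name at exactly the selector the abuser's mail carries, and publishing it only affects future lookups, so copies already cached by receivers keep verifying until the TTL expires (hence the post's note that the existing attack still needs the selector rotated out).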
