The only benefit I can see from sending the exact same message from somewhere else would be to drive recipients to the same payload link, which suggests another possible way to stop this from paying off after detection: Make it so that all content links get turned into redirects you control, and can break upon request afterwards if needed. That way, once you detect the problem, you can selectively break the links in the message so that it doesn't work anymore after it has been sent. We had this problem at one of my prior ESPs, where they'd use our link-tracking to camouflage their links so our domain would appear in their messages, not theirs, then they'd send them from somewhere else. The content was illegal enough to qualify for nuking-on-sight of the account by us, and when we nuked the account the links stopped working, too.
-Tim On Fri, Aug 12, 2016 at 1:58 PM, Steve Atkins <[email protected]> wrote: > > > On Aug 12, 2016, at 11:52 AM, Vick Khera <[email protected]> wrote: > > > > On Fri, Aug 12, 2016 at 12:34 PM, Steve Atkins <[email protected]> > wrote: > >> You're vouching for / accepting responsibility for every mail you sign. > >> If your users are bad actors - as they are in this case - you're > accepting > >> responsibility for that. > > > > So if I took any random message that I came upon signed by you and > > spammed the world with it, you take responsibility for that? > > I would take responsibility for the message, yes. It's a message I signed > and sent. That doesn't change just because it was forwarded to you by > someone else. > > The sole reason for DKIM to be based on a body signature is that there > is very little benefit to a bad actor taking someone else's mail and > resending > it with identical content, and when it comes to spam our mitigation is > primarily > financial. > > For example, I receive mail from my bank. It's DKIM signed so I know it's > mail from my bank. I can take a thousand copies and send them to other > people, and they too will know it's mail from my bank. What I can't do is > change the account number, or the message, or the links in the mail. Once > I do that, it's no longer mail from my bank. > > This works pretty well until you allow malicious parties to inject their > own content > into mail that you take responsibility for by signing it with DKIM. > > On most levels there's no deception going on by fastmail or their > customers. > Fastmail vouched for the message, as it was sent by one of their users. > They're > still vouching for that identical message, even when it's sent from > elsewhere. > > There's nothing particularly new here. It's all pretty well understood, > and even > discussed a little in the DKIM RFC. And there's not really anything to > "fix" other > than understanding that a DKIM signature just tells you it's a message > sent by > someone the domain owner trusts enough to sign their mail. If that domain > is > wellsfargo.com or paypal.com or whitehouse.gov that tells me one thing > about the > message. If the domain is yahoo.com, fastmail.com or gmail.com it tells me > another. > > Cheers, > Steve > > > _______________________________________________ > mailop mailing list > [email protected] > https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop >
_______________________________________________ mailop mailing list [email protected] https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
