On Sun, 14 Aug 2016, at 11:55 AM, Security Desk wrote:

> I think I'd start by not letting random people sign up as
> [email protected]

That has zero relevance to the topic in hand, which is DKIM replay attacks. But just to address that anyway: this is "enumerating badness", #2 on the list of six dumbest ideas in computer security [1]. Apart from the fact that legitimate users have email addresses that aren't necessarily first.last and might be something generic and anonymous, there's simply no end to the various forms you might use as part of a phishing attack. It's pointless to try to block them all, and it still doesn't address the issue of the actual email being sent.

> I probably wouldn't let random signups use this address, either.
> [email protected]

Of course not. And I guess you wouldn't allow postmastar@... or postmasler@... either. But why stop there? I'm sure we can think of more similar-looking variants to block. But then I have to ask, what exactly is the threat model you're protecting against here? It's not for any RFC-defined purpose (only postmaster@ will do). It's not for phishing our own customers, because you can pretty much put anything there: we've seen that most people who fall for phishing will do so for a message from [email protected], and so we've put our effort into detecting and blocking the mass phishing attempts as they arrive and making it easy to identify legitimate messages from our staff. And I presume it's not for phishing some random other service, as then the bit before the @ has even less relevance, as you're presuming they're going to ignore the domain as well?

Anyway, back to the topic in hand. DKIM replay attacks...

Neil.

Links:
1. http://www.ranum.com/security/computer_security/editorials/dumb/
_______________________________________________ mailop mailing list [email protected] https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
