> On Aug 13, 2016, at 9:23 PM, Neil Jenkins <[email protected]> wrote:
>
> On Sun, 14 Aug 2016, at 02:07 PM, Steve Atkins wrote:
>> There is no technical way to prevent DKIM replay attacks. All you can do is
>> to make them unattractive, by making mail sent using them less likely to be
>> delivered or unprofitable.
>> …
>> If your business model includes 30 days of access with no payment, no credit
>> card, no contract and no authentication ... that's going to be part of the
>> discussion.
>
> Sure. The thing is we also have to deal with stolen credit cards and
> compromised accounts. We have a number of mechanisms in place to detect and
> block abuse at all these levels, but like any mailbox host, we can never hope
> to stop 100% of malicious content.
>
> Rob's original email was to a) ask whether there are any other measures
> people are taking that could help with this from the sender side (to which
> the answer definitely seems to be "no"); and b) to see whether other
> operators' incoming spam scanning systems are accounting for this kind of
> attack. We're all trying to work together here, and if a legitimate message
> from a user at FastMail fails to reach the inbox of a user at Service X,
> that's a failure for both of us. Similarly if the situation is reversed.

There's one technical thing that I don't think I've seen discussed. DKIM doesn't say anything about the recipient, it just signs the headers of the message. While DMARC extends DKIM by adding a focus on the From: field there's not really anything parallel for the To: and Cc: fields. If there were a protocol that said "if you receive mail signed by this domain / this key and the recipient isn't in the To: or Cc: field, block it", or some similar protocol that signed the envelope recipient, that would pretty much eliminate DKIM replay as a threat in some cases.

I remember discussing that in the early days of DomainKeys spec development, and don't recall why it didn't happen (I vaguely recall hand-waving it with some assumptions that the inexplicable widespread deployment of DMARC proves false?).

If DKIM replay attacks are a serious issue - and that's not clear - maybe that'd be worth thinking about? Seems like you could just add a flag to the published DKIM key. Someone must have already thought of this and come up with a good reason not to do it?

Cheers,
  Steve
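
The receiver-side rule proposed in the message above, sketched as an added example that is not part of the original email or of any DKIM specification. The `rcpt-in-header` flag in the key record's `t=` tag is hypothetical, the message and key record are constructed, and the signature is assumed to have been verified already by a real DKIM verifier.

```python
from email import message_from_string
from email.utils import getaddresses

RCPT_FLAG = "rcpt-in-header"  # hypothetical t= flag; not defined by any DKIM RFC

# Constructed sample message and key record (placeholder signature data).
SAMPLE = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1;\r\n"
    " h=from:to:cc:subject; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    "From: alice@example.com\r\n"
    "To: Bob <bob@example.net>\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
)
KEY_RECORD = "v=DKIM1; k=rsa; t=rcpt-in-header; p=PLACEHOLDER"

def parse_tags(value):
    """Parse a DKIM tag=value list (signature header or key record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def check_recipient(raw_message, envelope_rcpt, key_record):
    """Return 'accept', 'reject' or 'not-applicable' for one RCPT TO address.

    Assumes the DKIM signature itself was already verified elsewhere."""
    msg = message_from_string(raw_message)
    if RCPT_FLAG not in parse_tags(key_record).get("t", "").split(":"):
        return "not-applicable"  # signer did not opt in
    signed = parse_tags(msg.get("DKIM-Signature", "")).get("h", "").lower().split(":")
    listed = set()
    for name in ("to", "cc"):
        n = signed.count(name)
        # DKIM covers only the last n instances of a header listed n times in
        # h=; instances above those are unsigned and could be added in a replay.
        covered = msg.get_all(name, [])[-n:] if n else []
        listed |= {addr.lower() for _, addr in getaddresses(covered)}
    # Case-insensitive comparison of the whole address is a simplification.
    return "accept" if envelope_rcpt.strip().lower() in listed else "reject"

if __name__ == "__main__":
    for rcpt in ("bob@example.net", "victim@example.org"):
        print(rcpt, check_recipient(SAMPLE, rcpt, KEY_RECORD))
```

Under such a rule, Bcc recipients and list-forwarded copies would also fail the check, since their envelope address never appears in a signed To: or Cc: header.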
