> On Aug 15, 2016, at 5:01 PM, Robert Mueller <[email protected]> wrote:
> 
>> We're definitely seeing DKIM replay attacks and of course doing our best to 
>> catch them.
>> 
> 
> Out of curiosity, one thing I thought might be a strong sign of a replay 
> attack is lots of emails with the same b= value in the DKIM-Signature.
> 
> Obviously mass mailings might trigger this as well, but I'm wondering if 
> that's the case or not. Do most mass mailers/ESPs generate a separate 
> Message-Id and DKIM signature for each email, or do most just sign once? I 
> guess mailing lists would cause this to happen as well. Curious what your 
> statistics are and if it's a worthwhile signal or not.

Almost (?) all legitimate ESPs who are sending bulk marketing mail are tracking 
clicks and opens. That requires sending personalized content to each recipient, 
so those will have different body hashes.

But smaller scale mailing lists, bulk mail and suchlike often aren't, and will 
have identical body hashes. Whether they have identical message-ids, header 
hashes and so on will vary. They're long tail, but it's a very, very long tail.

Cheers,
  Steve
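
Added example, not part of the original thread: a sketch of the signal discussed above, grouping DKIM-Signature headers by d= and bh= and checking whether every copy also carries the same b= value. The sample messages, domains, tag values and the threshold of 3 are constructed for illustration.

```python
import re
from collections import defaultdict
from email import message_from_string

def dkim_tags(value):
    """Parse a DKIM-Signature tag=value list into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def body_hash_groups(raw_messages):
    """Group signatures by (d=, bh=) and record the b= values and Message-IDs seen."""
    groups = defaultdict(lambda: {"count": 0, "b": set(), "message_ids": set()})
    for raw in raw_messages:
        msg = message_from_string(raw)
        for sig in msg.get_all("DKIM-Signature", []):
            t = dkim_tags(sig)
            if "b" in t and "bh" in t:
                g = groups[(t.get("d", ""), t["bh"])]
                g["count"] += 1
                g["b"].add(t["b"])
                g["message_ids"].add(msg.get("Message-ID", ""))
    return dict(groups)

def classify(group, threshold=3):
    """Label one group; threshold is an arbitrary value chosen for this example."""
    if group["count"] < threshold:
        return "below-threshold"
    if len(group["b"]) == 1:
        return "identical-signature"  # same b= on every copy: replay candidate or sign-once sender
    return "same-body-resigned"       # same bh=, distinct b=: each copy signed separately

def sample(d, bh, b, mid):
    # Constructed message; tag values are placeholders, not real signatures.
    return (f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=sel1;\n"
            f"\th=from:subject:message-id; bh={bh};\n\tb={b}\n"
            f"Message-ID: <{mid}>\nSubject: test\n\nbody\n")

SAMPLES = (
    [sample("example.net", "BH1=", "SIG1==", "m1@example.net")] * 4
    + [sample("lists.example.org", "BH2=", f"SIG2{i}=", f"l{i}@lists.example.org") for i in range(3)]
    + [sample("esp.example.com", f"BH3{i}=", f"SIG3{i}=", f"e{i}@esp.example.com") for i in range(2)]
)

if __name__ == "__main__":
    for key, group in body_hash_groups(SAMPLES).items():
        print(key, group["count"], classify(group))
```

An "identical-signature" result does not by itself separate a replay from a sender that signs once and fans out, which is the ambiguity raised in the thread; it only narrows which groups need a closer look.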


_______________________________________________
mailop mailing list
[email protected]
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
