On 9/2/10 11:23 AM, Rolf E. Sonneveld wrote:
On 09/02/2010 07:42 PM, Murray S. Kucherawy wrote:
On Thursday, September 02, 2010 10:35 AM Alessandro Vesely wrote:
However, the other issue is to break or remove author domain
signatures. John has pointed this out for a long time, for FBL
reasons. Doug has brought out the same issue for replay attacks
aimed at breaking reputation, because replaying is definitely out of
control in the case of publicly distributed messages.
What's the danger of replaying legitimate mail, other than to cause volume
detection alarms to go off?
I think Doug was not talking about replaying legitimate mail but illegit
mail. I believe Doug described this scenario in one of his previous
messages either on domainrep or here on this list (Doug, excuse me if
this summary lacks the nuances):
Someone sends a spam-type message from a large ESP to a mailbox he owns,
somewhere on the Internet. The message is DKIM signed by the ESP. The
spammer then takes the entire message including complete headers, and
replays it using different envelope To: addresses and (optionally)
different envelope From addresses. A verifier finds the signature to be
valid, and at the end of the day this type of replay will impact the
reputation of the ESP.
You're close. Bad actors can't use different From header fields,
because this field MUST be signed. Also, they'll likely have a
collection of messages to send en masse within a short period before
exploiting different accounts. To defend against this problem, an ESP
could utilize one of their subdomains to sign their messages, and assert
ADSP dkim=tpa-path for their domains used to exchange email.
For those that implement ADSP, they would see less spam, and the
TPA-Label would also allow providers a means to stipulate which sources
they authorize to replay their message. In addition, the TPA-Label also
stipulates how SMTP clients are to be authenticated prior to acceptance,
to make this easier for recipients. This should also offer ESPs a level
of protection from lax reputation services that fail to authenticate the
domains being assessed.
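The replay scenario Rolf summarizes above, together with Doug's point that the From header field is signed, as an added example that is not part of this thread or of any DKIM implementation: HMAC-SHA256 stands in for DKIM's RSA signature, the canonicalization only approximates "relaxed", and the key, domain, selector and addresses are made up. What it shows is which parts of a message the signature covers (the listed headers and the body) and which it does not (the SMTP envelope), so a replayed copy with a fresh envelope still verifies while a rewritten From header does not.

```python
"""Simplified DKIM replay demonstration (added example, not from the thread).

HMAC-SHA256 stands in for DKIM's RSA signature; the canonicalization is a
rough approximation of "relaxed".  Key, domain, selector and addresses are
assumed placeholders, not real ones.
"""
import hashlib
import hmac
import re

ESP_KEY = b"esp-private-key-placeholder"  # assumed; stands in for the ESP's RSA key
ESP_DOMAIN = "esp.example"                 # assumed signing domain
SELECTOR = "s1"                            # assumed selector


def _relax_header(name, value):
    """Approximate DKIM relaxed header canonicalization."""
    name = name.strip().lower()
    value = re.sub(r"[ \t]+", " ", value.replace("\r\n", "")).strip()
    return f"{name}:{value}\r\n"


def _relax_body(body):
    """Approximate DKIM relaxed body canonicalization."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in body.split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)


def _header_value(headers, name):
    """Return the last instance of a header, as a DKIM verifier selects it."""
    for n, v in reversed(headers):
        if n.lower() == name.lower():
            return n, v
    return None


def _compute_mac(headers, signed, sig_header_without_b, key):
    """MAC over the signed headers plus the DKIM-Signature header with b= emptied."""
    data = "".join(_relax_header(*_header_value(headers, n))
                   for n in signed if _header_value(headers, n))
    data += _relax_header("DKIM-Signature", sig_header_without_b).rstrip("\r\n")
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


def sign(msg, key=ESP_KEY, signed=("from", "to", "subject", "date")):
    """Attach a DKIM-Signature-like header. Nothing from msg["envelope"] is hashed."""
    bh = hashlib.sha256(_relax_body(msg["body"]).encode()).hexdigest()
    sig = (f"v=1; a=hmac-sha256; d={ESP_DOMAIN}; s={SELECTOR}; "
           f"h={':'.join(signed)}; bh={bh}; b=")
    msg["headers"].append(("DKIM-Signature", sig + _compute_mac(msg["headers"], signed, sig, key)))
    return msg


def _parse_tags(value):
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def verify(msg, key=ESP_KEY):
    """True if the body hash and the MAC over the h= headers both check out."""
    found = _header_value(msg["headers"], "DKIM-Signature")
    if not found:
        return False
    tags = _parse_tags(found[1])
    if tags.get("bh") != hashlib.sha256(_relax_body(msg["body"]).encode()).hexdigest():
        return False
    without_b = found[1][: found[1].rfind("b=") + 2]  # header as it was when signed
    expected = _compute_mac(msg["headers"], tags["h"].split(":"), without_b, key)
    return hmac.compare_digest(expected, tags.get("b", ""))


def esp_signed_message():
    """Constructed sample: the seed message the spammer sends via the ESP to himself."""
    msg = {
        "envelope": {"mail_from": "bounce@esp.example", "rcpt_to": ["spammer@drop.example"]},
        "headers": [
            ("From", "Deals <promo@esp.example>"),
            ("To", "spammer@drop.example"),
            ("Subject", "Limited offer"),
            ("Date", "Thu, 02 Sep 2010 10:00:00 +0000"),
        ],
        "body": "Buy now.\n",
    }
    return sign(msg)


def replay(msg, new_mail_from, new_rcpts):
    """Replay: identical headers and body, fresh SMTP envelope (MAIL FROM / RCPT TO)."""
    return {"envelope": {"mail_from": new_mail_from, "rcpt_to": list(new_rcpts)},
            "headers": list(msg["headers"]), "body": msg["body"]}


def replay_still_verifies():
    replayed = replay(esp_signed_message(), "anything@attacker.example",
                      ["v1@example.net", "v2@example.org"])
    return verify(replayed)  # envelope is outside the signature


def rewritten_from_verifies():
    replayed = replay(esp_signed_message(), "anything@attacker.example", ["v1@example.net"])
    replayed["headers"] = [("From", "Other <other@attacker.example>") if n.lower() == "from"
                           else (n, v) for n, v in replayed["headers"]]
    return verify(replayed)  # From is a signed header, so the MAC no longer matches


if __name__ == "__main__":
    print("replay verifies:", replay_still_verifies())
    print("rewritten From verifies:", rewritten_from_verifies())
```

The replayed copies carry the ESP's valid signature to every new RCPT TO, which is exactly why the damage lands on the signing domain's reputation rather than on the envelope sender's; the second scenario is the limit Doug notes, since any change to a header listed in h= invalidates the signature.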