On Sun, 2005-08-07 at 18:02 -0700, Michael Thomas wrote:
I don't see how filtering their outbound will help much in preventing
the reply attack.
It doesn't prevent it, it just makes it less likely to be
a viable vector: if 99% of your spam campaign is not leaving
the outbound ISP, my guess is that you're going to look for
other distribution mechanisms. We're already seeing a shift
on that anyway, right? With zombies, right?
The spam campaign may be messages signed by your domain sent from
various places. The spam campaign would most likely avoid repeating any
spam from the signing domain to avoid being detected. The spammer would
just be sending single messages to themselves. They would already have
other distribution methods looking to capitalize on your signature's
I really like the formulation I heard here: a lot of the
utility of signing is in just getting spammers and other
miscreants to attack somebody else instead of me. Eventually
we may be able to close the noose, but until then I'd just
assume at least they not sully my name.
A replay attack will sully the domain name. This will remain a problem
for large domains. Make a convincing case for the use of DKIM where the
From or the Sender headers are not bound to the signature. I would
expect the majority of email will be sent in this manner by major
providers. For DKIM to provide a suitable solution for the general
case, it would need to consider dealing with the replay attack, and DoS
defenses based upon domain name acceptance criteria.
ietf-dkim mailing list