
[ietf-dkim] Message Replay Abuse and Acceptance of a Signature

2006-01-21 13:48:01
Replay Abuse Damaging Signature Acceptance:

Company X sends out a newsletter offered by free subscriptions verified
with a double-opt-in process.  A similar situation to that of a list-
server or a free email-address provider.  Company X signs their
newsletter with the expectation that the signature improves the
acceptance of their messages.

Bad-Actor Y subscribes to the newsletter of Company X using a free email-
address obtained from a large Domain Z.  Bad-Actor Y receives the
newsletter, and redistributes the newsletter through pirate systems with
the intent of damaging the acceptability of Company X signatures.  The
motivation may be extortion, disrupting competition, or a senseless act
of vandalism.

As it happens, Company X makes a separate signature for each recipient
and responds by excluding the email-address used by Bad-Actor Y when
they issue their next newsletter.  Domain Z is very large and there are
always new subscriptions from this domain.  This time a different email-
address from Domain Z has again redistributed the newsletter.  Company X
was warned initially, and now appears on a block-list where the
unintended distribution has made Company X appear to be a spammer.

A reputation service would be unable to respond with "bad" signatures in
a timely fashion to effectively squelch a rapid redistribution.  Company
K within the same industry decides Company X is playing unfairly and
that they too should send newsletters anywhere and blame complaints on a
message replay abuse problem, just as Company X has done.  Company X is
a good actor, and Company K is a bad actor, but both appear to be
signing messages sent to unsubscribed recipients.

This problem will exist within any free-email domain, a large domain
subjected to compromised systems, and list-servers, in addition to other
scenarios.  A conclusion soon likely reached by many recipients will be
that signatures, due to replay abuse effectively removing outbound
constraints, are worthless as a means for basing acceptance.  While some
may view DKIM as offering value by removing non-conforming messages, even
this mechanism is easily circumvented.

A Low Administrative Solution Insensitive to High Latency:

Just as email domains check lists when deciding to receive a message,
they now also check a list to decide whether to sign, or perhaps even
send a message.

With this paradigm, as a best practice, to assure Company X that it is
safe for them to send their newsletter, Domain Z replaces the incoming
signature with an MDA-specific signature at the edge of their AdmD.  An
MDA-specific signature cannot be used to resend a message, but still
allows users of Domain Z to be assured the message is valid, and the
verification completed by Domain Z when the message first arrived.

Domains not replacing the incoming signature with an MDA signature are
at risk of either receiving messages unsigned or perhaps not receiving
messages at all once DKIM becomes more widely adopted.


Impact:

"Thin" mediators should not be used as this interferes with assessing
the behavior of the destination and may subject the "Thin" mediator to
being assessed as an abusive destination.

Closed Email-address policies become more problematic when the decision
not to sign may also cause the message to not be accepted.  Initially, a
DKIM-Adopters list may help remedy this problem.

-Doug 

_______________________________________________
ietf-dkim mailing list
http://dkim.org
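The replay property the post describes, and the edge re-signing it proposes, are easier to see in a runnable model. The following is an added example, not code from the post, from the DKIM specification, or from any DKIM implementation. It assumes an HMAC-SHA256 signature over a relaxed-style canonicalization of named headers plus the body as a stand-in for DKIM's RSA signature, an in-memory dict standing in for the selector/domain key records in DNS, and constructed addresses, keys and message text; the names `PUBLIC_KEYS`, `MDA_KEYS`, `mda_reseal` and `scenario` are all hypothetical. It shows that a verbatim replay to a new envelope recipient verifies exactly as the original did, that Domain Z can strip the inbound signature and re-sign with a key it never publishes, and that a replay of that re-signed copy carries no Company X signature and no signature an outside verifier can check.

```python
"""Toy model of DKIM replay abuse and MDA-edge re-signing (added example).

Assumptions: HMAC-SHA256 stands in for DKIM's RSA signature; key tables
stand in for DNS; every address, key and message below is constructed.
"""
import copy
import hashlib
import hmac

# Company X publishes its key, so anyone can verify its signature.
PUBLIC_KEYS = {("news", "company-x.example"): b"company-x-newsletter-key"}
# Domain Z's MDA key is never published: a signature made with it can only
# be checked inside Domain Z, so the re-signed copy is useless for resending.
MDA_KEYS = {("mda", "domain-z.example"): b"domain-z-mda-only-key"}


def canonical_form(headers, body, signed_names):
    """Lowercase names, collapse whitespace, use the last instance of each
    signed header (DKIM scans bottom-up), then append the body."""
    lines = []
    for name in signed_names:
        value = ""
        for hname, hvalue in reversed(headers):
            if hname.lower() == name.lower():
                value = " ".join(hvalue.split())
                break
        lines.append(f"{name.lower()}:{value}")
    return ("\r\n".join(lines) + "\r\n" + body.strip() + "\r\n").encode()


def sign(msg, domain, selector, key, signed_names):
    """Prepend a DKIM-Signature-like header; the envelope is NOT covered."""
    data = canonical_form(msg["headers"], msg["body"], signed_names)
    tag = hmac.new(key, data, hashlib.sha256).hexdigest()
    out = copy.deepcopy(msg)
    out["headers"].insert(0, ("DKIM-Signature",
        f"v=1; d={domain}; s={selector}; h={':'.join(signed_names)}; b={tag}"))
    return out


def verify(msg, key_table):
    """Return [(signing domain, True/False/None)] per signature found;
    None means this verifier has no key for that selector/domain."""
    results = []
    for hname, hvalue in msg["headers"]:
        if hname.lower() != "dkim-signature":
            continue
        tags = dict(p.strip().split("=", 1) for p in hvalue.split(";") if p.strip())
        key = key_table.get((tags["s"], tags["d"]))
        if key is None:
            results.append((tags["d"], None))
            continue
        data = canonical_form(msg["headers"], msg["body"], tags["h"].split(":"))
        expected = hmac.new(key, data, hashlib.sha256).hexdigest()
        results.append((tags["d"], hmac.compare_digest(expected, tags["b"])))
    return results


def replay(msg, new_rcpt):
    """Bad-Actor Y resends the received copy verbatim; only the envelope changes."""
    out = copy.deepcopy(msg)
    out["envelope"] = {"mail_from": "y@domain-z.example", "rcpt_to": new_rcpt}
    return out


def mda_reseal(msg, local_domain, selector, key, local_rcpt):
    """Domain Z's AdmD edge: verify the inbound signature, record the result,
    strip the original signature, and re-sign with the internal MDA key over
    the local recipient so the stored copy is bound to this delivery."""
    inbound = verify(msg, PUBLIC_KEYS)
    status = "pass" if inbound and all(ok for _, ok in inbound) else "fail"
    out = copy.deepcopy(msg)
    out["headers"] = [(n, v) for n, v in out["headers"] if n.lower() != "dkim-signature"]
    out["headers"].insert(0, ("Authentication-Results",
        f"{local_domain}; dkim={status} header.d={inbound[0][0] if inbound else 'none'}"))
    out["headers"].insert(0, ("Delivered-To", local_rcpt))
    return sign(out, local_domain, selector, key,
                ["Delivered-To", "Authentication-Results", "From", "Subject"])


def scenario():
    """Walk the post's scenario; returns the verification outcome at each step."""
    newsletter = {
        "headers": [("From", "news@company-x.example"),
                    ("To", "y@domain-z.example"),
                    ("Subject", "Company X newsletter #1")],
        "body": "Constructed newsletter body.",
        "envelope": {"mail_from": "news@company-x.example", "rcpt_to": "y@domain-z.example"},
    }
    signed = sign(newsletter, "company-x.example", "news",
                  PUBLIC_KEYS[("news", "company-x.example")], ["From", "To", "Subject"])
    replayed = replay(signed, "victim@elsewhere.example")
    tampered = copy.deepcopy(replayed)
    tampered["body"] += " Buy now!"          # any edit breaks the signature
    resealed = mda_reseal(signed, "domain-z.example", "mda",
                          MDA_KEYS[("mda", "domain-z.example")], "y@domain-z.example")
    return {
        "at_domain_z": verify(signed, PUBLIC_KEYS),
        "replayed_elsewhere": verify(replayed, PUBLIC_KEYS),
        "replayed_and_edited": verify(tampered, PUBLIC_KEYS),
        "resealed_inside_z": verify(resealed, {**PUBLIC_KEYS, **MDA_KEYS}),
        "resealed_replayed_elsewhere": verify(replay(resealed, "victim@elsewhere.example"), PUBLIC_KEYS),
    }


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step:28s} {result}")
```

Running `scenario()` gives `replayed_elsewhere` the same `(company-x.example, True)` result as `at_domain_z`, which is the whole problem: the signature binds content, not the envelope, so a verbatim replay is indistinguishable from Company X's own sending. After `mda_reseal`, verification inside Domain Z succeeds against the internal key, while a replay of the re-signed copy yields `(domain-z.example, None)` outside: the Company X signature is gone and the only remaining signature cannot be checked by anyone without Domain Z's unpublished key.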