ietf-dkim

Re: [ietf-dkim] Possible exploit of DKIM

2008-11-02 12:40:04
Hi Wietse,

Thanks a lot for your comments!


> This looks like a standard replay attack.  Such technique can't be
> used to send SPAM on behalf of domains that don't sign SPAM (e.g.,
> porcupine.org).  If a domain is willing to sign SPAM, then they
> deserve that all their messages are handled with great prejudice.


Yes, I agree. It can't be used to send SPAM on behalf of domains that
don't sign SPAM.

But if it signs SPAM unknowingly (which may happen in large ISPs --
where few mails slip through spam checks), then it creates a
potential loophole out of which lots of duplicate SPAM mails can
arise. A spammer can specifically target/exploit this behavior. It
creates the vulnerability of sending SPAM mails with DKIM signed on
behalf of the same domain -- even *without* the knowledge of that
domain by sending through some other spammy domains or botnets!

Is there any reason why we didn't take any possible action/solution
to this issue? If the solution is simple (like the one I mentioned in
my previous mail -- adding outbound MTA's IP or Network to signature),
we could easily make DKIM resilient enough to such attacks and
loopholes? Please advise.

Thanks,
Thiyaga
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
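
The replay discussed in this message and the IP-binding idea it proposes, as an added sketch that is not part of the original post or of any DKIM implementation. HMAC stands in for the public-key signature, and the `ip` tag, key, addresses and message are constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for the signer's key pair. Real DKIM uses a public-key
# signature checked against a key published in DNS; HMAC keeps this sketch
# standard-library only.
DOMAIN_KEY = b"constructed-demo-key"
SIGNED_HEADERS = ("from", "subject", "date")


def _digest_input(headers, body, bound_ip=None):
    """Bytes covered by the signature: chosen headers, body hash, optional IP."""
    parts = [f"{name}:{headers[name].strip()}" for name in SIGNED_HEADERS]
    parts.append("bh=" + hashlib.sha256(body.encode()).hexdigest())
    if bound_ip is not None:
        parts.append("ip=" + bound_ip)  # hypothetical tag, not part of DKIM
    return "\r\n".join(parts).encode()


def sign(headers, body, outbound_ip=None):
    """Sign at the outbound MTA; outbound_ip enables the proposed binding."""
    mac = hmac.new(DOMAIN_KEY, _digest_input(headers, body, outbound_ip), hashlib.sha256)
    return {"b": mac.hexdigest(), "ip": outbound_ip}


def verify(headers, body, sig, connecting_ip):
    """Verify at the receiver; connecting_ip is the SMTP peer address."""
    if sig["ip"] is not None and sig["ip"] != connecting_ip:
        return False  # binding present and the peer is not the signing MTA
    expected = hmac.new(DOMAIN_KEY, _digest_input(headers, body, sig["ip"]), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest(), sig["b"])


# Constructed sample: one message that slipped past the ISP's outbound filter.
HEADERS = {"from": "user@isp.example", "subject": "Offer", "date": "Sun, 2 Nov 2008 12:00:00 +0000"}
BODY = "Buy now\r\n"
ISP_MTA, BOTNET_HOST = "192.0.2.10", "203.0.113.77"


def replay_results():
    plain = sign(HEADERS, BODY)
    bound = sign(HEADERS, BODY, outbound_ip=ISP_MTA)
    return {
        "plain_from_isp": verify(HEADERS, BODY, plain, ISP_MTA),
        "plain_replayed": verify(HEADERS, BODY, plain, BOTNET_HOST),
        "bound_from_isp": verify(HEADERS, BODY, bound, ISP_MTA),
        "bound_replayed": verify(HEADERS, BODY, bound, BOTNET_HOST),
    }
```

In this sketch any host other than the signing MTA fails the bound check, so a forwarder or mailing list that relays the message unchanged is rejected the same way as the replaying host.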