On Tue, Nov 15, 2016 at 11:56:11AM -0600, Scott Kitterman wrote:
Not at all. As I understand the scenario, the provider knows it's
bad, doesn't send the mail on to the outside world, but still gives a
signed copy back to the originator (which is then available for
replay).
My understanding is an attack where the email is sent to an outside
address owned by the sender, who then gets a copy of the email, signed
by the provider who didn't think the email was bad.
Signing an email that you know is bad does indeed sound like a bad
idea.
Martijn.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html