In <20041121210716(_dot_)BA960590103(_at_)radish(_dot_)jmason(_dot_)org>
jm(_at_)jmason(_dot_)org (Justin Mason) writes:
Tony Finch writes:
Why do you think replay of entire messages is a problem?
Or are you concerned with attacks based on the canonicalization algorithm,
which might allow an attacker to add content to a previous message? [...]
Yes, very important to differentiate the two. The latter is much
more usefully exploitable to spammers and more likely to occur.
Even a straight replay can be a problem. A spammer can sign up for
any number of free email accounts, use those accounts to send email to
another account they have, and *poof* they have a signed message from
AOL/Hotmail/Yahoo/whatever. Now they can spam the world with that
message and it will pass authentication and use the reputation of the
sender to get past filters.
Now, free email providers can do things like automatically terminate
accounts if they receive too many spam complaints, but now people have
a way of getting any email account terminated, just by filing a bunch
of complaints.
I agree that trolling mailing lists for short messages that spammers
can append their ads to is probably going to be a bigger problem, but
I think both kinds of replay problems are going to bite people. :-<
-wayne