--- Begin Message ---
Hi. I would like to make it very clear that this message is an
individual technical contribution and I'm not speaking as an AD.
I'd like to make sure the issue of replays is covered at the BOF and
is something the IETF community considers carefully before approving a
charter for this working group. I understand this mailing list has
come to accept replays as a cost of DKIM, but I believe that the IETF
as a whole needs to consider that issue. To be clear, I'm asking for
discussion, not saying I believe DKIM is a bad idea. I'm fine with an
informed consensus to proceed.
I'd like to remind the list of section 9.5 of the DKIM base draft.
9.5 Replay Attacks

In this attack, a spammer sends a message to be spammed to an
accomplice, which results in the message being signed by the
originating MTA. The accomplice resends the message, including the
original signature, to a large number of recipients, possibly by
sending the message to many compromised machines that act as MTAs.
The messages, not having been modified by the accomplice, have valid
signatures.

Partial solutions to this problem involve the use of reputation
services to convey the fact that the specific email address is being
used for spam, and that messages from that signer are likely to be
spam. This requires a real-time detection mechanism in order to
react quickly enough. However, such measures might be prone to
abuse, if for example an attacker resent a large number of messages
received from a victim in order to make them appear to be a spammer.
I'd like to ask us to think particularly about the impact of this
attack on business models of medium sized ISPs. Fundamentally, few
people are going to block all mail from AOL, Yahoo, Gmail or the
like. However, smaller ISPs have been subjected to a wide variety of
problems with various blackhole lists. Sometimes this was because
they were doing something wrong, sometimes the blackhole lists were
doing something wrong. There's a lot of debate about where the right
balance is that I would like to avoid.
However, there is a similar issue with DKIM. It's not clear what
policies a medium sized ISP could adopt to avoid being subject to such
an attack. It's not clear how you could maintain a reputation while
still defaulting to providing service to anyone who wants an account.
Do we care? Is this acceptable to the operations communities?
--- End Message ---
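The "real-time detection mechanism" that section 9.5 calls for, sketched as an added example that is not part of this message or of the DKIM draft: a heuristic that flags one DKIM signature (the d= and b= tags) when it is delivered to more than a threshold of distinct envelope recipients within a short window. The log entries, the threshold of 3 recipients and the 300-second window are constructed assumptions.

```python
import re
from collections import defaultdict
TAG_RE = re.compile(r"([a-z]+)=([^;]*)")

# Constructed sample log: (unix time, envelope recipient, DKIM-Signature value).
# The first four deliveries carry one signature (same d= and b=) to four
# different recipients within seconds: the replay pattern of section 9.5.
SIG_REPLAYED = ("v=1; a=rsa-sha256; d=isp.example; s=sel; h=from:to:subject;"
                " bh=b0dy=; b=c2ln\r\n\tMQ==")          # folded b= tag
SIG_NORMAL = ("v=1; a=rsa-sha256; d=isp.example; s=sel; h=from:to:subject;"
              " bh=b0dy=; b=c2lnMg==")
SAMPLE_LOG = [
    (1000, "a@example.net", SIG_REPLAYED),
    (1001, "b@example.org", SIG_REPLAYED),
    (1002, "c@example.com", SIG_REPLAYED),
    (1003, "d@example.edu", SIG_REPLAYED),
    (1005, "e@example.net", SIG_NORMAL),
    (1006, "f@example.org", SIG_NORMAL),
    (1007, "g@example.com", ""),                 # unsigned message
    (5000, "h@example.net", SIG_REPLAYED),       # an hour later: new window
]

def parse_tags(header):
    """Parse a DKIM-Signature tag=value list into a dict, dropping the
    folding whitespace that is legal inside values such as b=."""
    return {tag: "".join(val.split()) for tag, val in TAG_RE.findall(header)}

def replay_key(header):
    """Identity of one signed message: signing domain plus signature value."""
    tags = parse_tags(header)
    return (tags.get("d", ""), tags.get("b", ""))

def detect_replays(log, max_rcpts=3, window=300):
    """Return {(d, b): n} for each signature delivered to more than max_rcpts
    distinct envelope recipients within `window` seconds of first sighting.
    Keying on the signature, not the domain, flags the replayed message
    without branding the whole signing domain a spammer."""
    first_seen, rcpts, flagged = {}, defaultdict(set), {}
    for ts, rcpt, sig in sorted(log):
        key = replay_key(sig)
        if not key[1]:                           # unsigned: nothing to track
            continue
        if key in first_seen and ts - first_seen[key] > window:
            rcpts[key].clear()                   # window expired: count afresh
            del first_seen[key]
        first_seen.setdefault(key, ts)
        rcpts[key].add(rcpt.lower())
        if len(rcpts[key]) > max_rcpts:
            flagged[key] = len(rcpts[key])
    return flagged
```

Because the key is the individual signature, the abuse case in 9.5 (resending a victim's mail) marks only the replayed message rather than the victim's domain; legitimate large Bcc mailings also reuse one signature, so they would trip the same threshold and need to be handled separately.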