Only if you know in advance how many times a message will legitimately
be delivered
Or if you see that a particular user key is being queries a million
times while most user keys are only queried hundreds of times in a
certain time period, that might be a clue that something is up.
Right. He might be sending mail to an active mailing list.
Before we can describe a replay defense, the people who are concerned
about replay need to define what replay means, i.e., what's the
technical difference between a replay and a valid delivery. The
definition can't require knowledge of people's mental states.
You don't like the description of replay attacks in Section 9.5 of
DKIM-base?
No, because it depends on the mental state of "spammer" and
"accomplice". Here's section 9.5 with minor edits to make its
terminology more consistent with other RFCs:
9.5 Replay Attacks
In this attack, a user sends a message to be distributed to a
mailing list, which results in the message being signed by the
originating MTA. The mailing list resends the message, including the
original signature, to a large number of recipients, possibly by
sending the message to many intermediate exploders that act as MTAs.
The messages, not having been modified by the mailing list, have valid
signatures.
Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.