ietf-mailsig

Re: Replay attacks and ISP business models

2005-08-06 14:12:49


In <43DA5981-5166-4AB3-A305-A234D9B284B4(_at_)hxr(_dot_)us> Andrew Newton 
<andy(_at_)hxr(_dot_)us> writes:

On Aug 5, 2005, at 9:11 PM, John Levine wrote:
It almost seems that replay can be detected just by monitoring the
number of queries against a user key.


Only if you know in advance how many times a message will legitimately
be delivered

Or if you see that a particular user key is being queried a million
times while most user keys are only queried hundreds of times in a
certain time period, that might be a clue that something is up.

I've heard this line of argument before, that measuring per-user DKIM
lookups can detect and stop the replay attack, but I just don't think
it will work.

First off, that implies that the large ISPs, email hosters, or anyone
who can have spammers easily sign up for their services, will need to
do per-user DKIM keys.  Elsewhere on this list, I've seen it argued
that per-user keys will be rare.  Certainly, if every
yahoo/aol/hotmail/etc user had their own key, the amount of DNS
caching is going to be very significant.

Secondly, you have to do something about the DoS attack on user
accounts of victims by having bad people do lots of queries to
trigger the "this must be spam" detection systems and have victims'
accounts shut down.


And, thirdly, as JohnL points out:


In 
<Pine(_dot_)BSI(_dot_)4(_dot_)56(_dot_)0508061021290(_dot_)6932(_at_)tom(_dot_)iecc(_dot_)com>
 "John R Levine" <johnl(_at_)iecc(_dot_)com> writes:

No, because it depends on the mental state of "spammer" and
"accomplice".  Here's section 9.5 with minor edits to make its
terminology more consistent with other RFCs:

9.5  Replay Attacks

   In this attack, a user sends a message to be distributed to a
   mailing list, which results in the message being signed by the
   originating MTA.  The mailing list resends the message, including the
   original signature, to a large number of recipients, possibly by
   sending the message to many intermediate exploders that act as MTAs.
   The messages, not having been modified by the mailing list, have valid
   signatures.


Indeed.  Spammers have been known to use bog-standard mailing list
software to deliver their spam.  It is a little less common now, but
technically, that is all they are doing.

One minor difference between what spammers do nowadays and mailing
lists is that mailing lists tend to send from a much smaller set of
IP addresses than the thousands of zombies that spammers use.  I'm not
sure how that difference can be detected for our purposes though, and
I'm not sure that this is a stable difference that we can use.


Back in Jan 2004, when I posted my first thoughts on DK, I mentioned
that Razor/DCC/Pyzor could detect replayed messages, but that means that
in order to make DKIM work, you have to also use another new
protocol.  While Razor/DCC/Pyzor try to do their own caching, you are
still basically requiring a per-email call-back to verify whether the
email is bulk.  Then you need to do something to decide if the email
is unsolicited, because simply being bulk isn't bad.

Personally, I use both DCC and pyzor on a per-email basis as part of
my spamassassin setup.  I don't have any objections to this, and I
think DKIM would be great because the detection rates on DCC/Pyzor
would be very high.  However, I've heard a lot of screaming from many
different sources about how callbacks are unacceptable.  YMMV.


-wayne
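As an added illustration (not code from this thread or from any DKIM implementation), here is the per-key lookup counting Andrew describes, applied to a constructed resolver log; the log format, domain and selector names are all assumed, and the comments record the limitations Wayne raises.

```python
import re
import statistics
from collections import Counter

# Assumed log format (constructed for this example): "<epoch> <qtype> <qname>".
DKIM_QUERY = re.compile(r"^(\d+) TXT (\S+)\._domainkey\.(\S+)$")


def build_sample_log():
    """Constructed sample: four user keys with a handful of lookups each,
    plus one key ("mallory") looked up far more often in the same window."""
    lines = []
    for i, sel in enumerate(["alice", "bob", "carol", "dave"]):
        for n in range(3 + i):
            lines.append(f"{1123344000 + n * 60} TXT {sel}._domainkey.example.net")
    for n in range(200):
        lines.append(f"{1123344000 + n} TXT mallory._domainkey.example.net")
    lines.append("1123344001 A www.example.net")  # unrelated query, ignored
    return "\n".join(lines)


def count_key_lookups(log, start, end):
    """Count DKIM key (TXT) lookups per (domain, selector) within [start, end)."""
    counts = Counter()
    for line in log.splitlines():
        m = DKIM_QUERY.match(line.strip())
        if not m:
            continue
        ts, selector, domain = int(m.group(1)), m.group(2), m.group(3)
        if start <= ts < end:
            counts[(domain, selector)] += 1
    return counts


def flag_outliers(counts, factor=10):
    """Return keys whose lookup count exceeds factor x the median count.

    This only says anything when the signer uses per-user selectors: with a
    single domain-wide key every lookup lands in one bucket and nothing can
    stand out.  A high count is also not proof of replay; a legitimate
    mailing-list post, or a third party deliberately querying a victim's
    key to get that user shut down, produces the same numbers."""
    if len(counts) < 2:
        return {}
    median = statistics.median(counts.values())
    return {k: v for k, v in counts.items() if v > factor * median}
```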
