IETF Logo Mail Archive

Re: [Ietf-dkim] DKIM Replay Problem Statement and Scenarios -01 draft posted

Alessandro Vesely <vesely@tana.it> Wed, 15 February 2023 10:23 UTC

Return-Path: <vesely@tana.it>
X-Original-To: ietf-dkim@ietfa.amsl.com
Delivered-To: ietf-dkim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19D9AC151533 for <ietf-dkim@ietfa.amsl.com>; Wed, 15 Feb 2023 02:23:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b="UkijulxU"; dkim=pass (1152-bit key) header.d=tana.it header.b="Cdas/LEb"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rtsi1CRmSu6Z for <ietf-dkim@ietfa.amsl.com>; Wed, 15 Feb 2023 02:23:45 -0800 (PST)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E331C14CE3F for <ietf-dkim@ietf.org>; Wed, 15 Feb 2023 02:23:42 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1676456615; bh=pMzSGfhGqWWNslb+qduXwG86fEFbz5ZOdQYdIdpx98I=; h=Author:Date:Subject:To:References:From:In-Reply-To; b=UkijulxUjaJE7wylGNv4oHePm3TCJgKYLip976ddnXquqKEZd7HlV5EHV77YInFt+ 7W24WjS++6oh9L6RhFlCQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1676456615; bh=pMzSGfhGqWWNslb+qduXwG86fEFbz5ZOdQYdIdpx98I=; h=Date:Subject:To:References:From:In-Reply-To; b=Cdas/LEbRGLNAGgmh/tXQAr2bVHh07btIfCafqA3uRdUYdxvX389CHhJywyaDDJD0 IGGJSzlgeWyQtL50BCjksg1ehN7s50E4puBlmEtMRC9qNMVYkHTjeNPSGBKZuoJfME w1oDewFRWBw9s1oXHcNEUoTN9qsoAM1jcyjC/Oma7QdVYDVcI/VqnQpGxmR/4
Original-Subject: Re: [Ietf-dkim] DKIM Replay Problem Statement and Scenarios -01 draft posted
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC028.0000000063ECB2A7.000025A9; Wed, 15 Feb 2023 11:23:35 +0100
Message-ID: <ee7398b2-aa9a-6a48-d746-d80bec804fd0@tana.it>
Date: Wed, 15 Feb 2023 11:23:34 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.6.0
Content-Language: en-US, it-IT
To: ietf-dkim@ietf.org
References: <CAAFsWK3B7OfcRFwayzM=nZ1TuHoK93vFSTfBd73mGEvq1Ti+fg@mail.gmail.com> <baf95652-cd2e-68a4-2889-246cfe6ff65b@mtcc.com> <CAJEmK9LPXCFnjgiF=Oh-BTo6qLjo-OGB9EAQw7ZfwKYShR721A@mail.gmail.com> <3176719.QUIsX6EK59@localhost>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <3176719.QUIsX6EK59@localhost>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/cH8o0MQOtU07qy_17LafpS8uyUo>
Subject: Re: [Ietf-dkim] DKIM Replay Problem Statement and Scenarios -01 draft posted
X-BeenThere: ietf-dkim@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DKIM List <ietf-dkim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-dkim/>
List-Post: <mailto:ietf-dkim@ietf.org>
List-Help: <mailto:ietf-dkim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-dkim>, <mailto:ietf-dkim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Feb 2023 10:23:52 -0000

On Tue 14/Feb/2023 23:42:36 +0100 Scott Kitterman wrote:
> On Tuesday, February 14, 2023 4:16:00 PM EST Evan Burke wrote:
>> On Tue, Feb 14, 2023 at 11:44 AM Michael Thomas <mike@mtcc.com> wrote:
>>> On Tue, Feb 14, 2023 at 11:18 AM Michael Thomas <mike@mtcc.com> wrote:
>>>> Have you considered something like rate limiting on the receiver side for 
>>>> things with duplicate msg-id's? Aka, a tar pit, iirc?
>>
>> I believe Yahoo does currently use some sort of count-based approach to 
>> detect replay, though I'm not clear on the details.
>>
>>>> As I recall that technique is sometimes not suggested because (a) we can't 
>>>> come up with good advice about how long you need to cache message IDs to 
>>>> watch for duplicates, and (b) the longer that cache needs to live, the 
>>>> larger of a resource burden the technique imposes, and small operators 
>>>> might not be able to do it well.
>>>
>>> At maximum, isn't it just the x= value? It seems to me that if you don't 
>>> specify an x= value, or it's essentially infinite, they are saying they 
>>> don't care about "replays". Which is fine in most cases and you can just 
>>> ignore it. Something that really throttles down x= should be a tractable 
>>> problem, right?


The ration between duplicate count and x= is the spamming speed.


>>> But even at scale it seems like a pretty small database in comparison to 
>>> the overall volume. It's would be easy for a receiver to just prune it 
>>> after a day or so, say.
>>
>> I think count-based approaches can be made even simpler than that, in fact. 
>> I'm halfway inclined to submit a draft using that approach, as time permits.
>
> I suppose if the thresholds are high enough, it won't hit much in the way of 
> legitimate mail (as an example, I anticipate this message will hit at least 
> hundreds of mail boxes at Gmail, but not millions), but of course letting the 
> first X through isn't ideal.


Scott's message hit my server exactly once.  Counting is a no-op for small 
operators.


> If I had access to a database of numerically scored IP reputation values (I 
> don't currently, but I have in the past, so I can imagine this at least), I 
> think I'd be more inclined to look at the reputation of the domain as a whole 
> (something like average score of messages from an SPF validated Mail From, 
> DKIM validated d=, or DMARC pass domain) and the reputation of the IP for a 
> message from that domain and then if there was sufficient statistical confidence 
> that the reputation of the IP was "bad" compared to the domain's reputation I 
> would infer it was likely being replayed and ignore the signature.


Some random forwarder in Nebraska can be easily mistaken for a spammer that 
way.  Reputation is affected by email volume.  Even large operators have little 
knowledge of almost silent MTAs.

Having senders' signatures transmit the perceived risk of an author would 
contribute an additional evaluation factor here.  Rather than discard validated 
signatures, have an indication to weight them.  (In that respect, let me note 
the usage of ARC as a sort of second class DKIM, when the signer knows nothing 
about the author.)


> I think that approaches the same effect as a "too many dupes" approach without 
> the threshold problem.  It does require reputation data, but I assume any 
> entity of a non-trivial size either has access to their own or can buy it from 
> someone else.


DNSWLs exist.


Best
Ale
--

v2.23.0 | Report a Bug | By Email