Re: [Ietf-dkim] DKIM Replay Problem Statement and Scenarios -01 draft posted

Michael Thomas <mike@mtcc.com> Mon, 20 February 2023 19:13 UTC

Message-ID: <a0884d18-d97b-785c-de6e-75ede545a900@mtcc.com>
Date: Mon, 20 Feb 2023 11:13:08 -0800
To: Evan Burke <evan.burke@mailchimp.com>
Cc: ietf-dkim@ietf.org
From: Michael Thomas <mike@mtcc.com>
In-Reply-To: <CAJEmK9KAd6SR9gK3Rkc3OyQP_ovD6-qD7L4kUo5CFc1h0r5a3g@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-dkim/qlsLOF5vj89KNYEhRs_rlZ9kjME>
Subject: Re: [Ietf-dkim] DKIM Replay Problem Statement and Scenarios -01 draft posted

On 2/17/23 4:51 PM, Evan Burke wrote:
>
>
> On Fri, Feb 17, 2023 at 9:49 AM Michael Thomas <mike@mtcc.com> wrote:
>
>
>     Which brings up another question which is applicable to the problem
>     statement: are mailbox providers like gmail, hotmail, etc getting abused
>     from these replays? Some spam from whoknows@hotmail.com doesn't seem
>     like a very good address from arriving spam. For that matter, do bulk
>     senders even allow their domain to be the From domain? It seems like a
>     pretty easy way to not affect their reputation is to require that the
>     mail be sent in the name of somebody else's domain.
>
>
> There's a good amount of bulk mail sent with d= that doesn't match the 
> visible From domain. Those signatures are typically used for DKIM 
> based complaint feedback loops, and because they grant reputation to 
> "mom&pop" non-technical customers who either don't own a domain or 
> haven't set up DKIM yet.  That DKIM d= domain has reputation on its 
> own, independent from the visible From domain reputation.

That's a good point about just signing it with your own domain's key. 
I've been looking at some of my marketing mail and it looks like that's 
relatively common.

Seems like a tradeoff of ease of deployment vs. being a mark for 
spammers. Of course mom and pop's domain will likely have little 
reputation, but some of the mail I looked at was plenty big enough to 
develop its own reputation. This is of course mostly a business domain 
problem which this wg can't really say much about.

>
> While I'm sure some replay spam is sent where there is a match between 
> these two domains, it's entirely possible that attackers tend to 
> prefer unaligned signatures, because that prevents the replay spam 
> from showing on DMARC reporting for the d= domain being replayed.

Which, of course, you are free to say no to.

Mike
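Evan's point above about unaligned d= signatures and DMARC reporting, as an added example that is not part of the thread: a small Python check that extracts the From domain and each DKIM-Signature d=, evaluates strict and relaxed DMARC identifier alignment, and so tells whether the signing domain's owner would ever receive DMARC aggregate reports for that message. The public-suffix list, the sample headers and the ESP domain names are constructed assumptions, not data from the list archive.

```python
import re

# Assumption: a deliberately tiny public-suffix list standing in for the real
# Public Suffix List that an RFC 7489 implementation would load.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def unfold(raw):
    """Join RFC 5322 folded header lines (continuations start with whitespace)."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def org_domain(domain):
    """Organizational domain (RFC 7489 s3.2): public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)

def from_domain(headers):
    m = re.search(r"^From:[^\n]*@([A-Za-z0-9.-]+)", headers, re.M | re.I)
    return m.group(1).lower() if m else None

def dkim_signer_domains(headers):
    """d= tag of each DKIM-Signature header (X-Google-DKIM-Signature is ignored)."""
    pat = r"^DKIM-Signature:[^\n]*?\bd=([A-Za-z0-9.-]+)"
    return [d.lower() for d in re.findall(pat, headers, re.M | re.I)]

def alignment_report(raw_headers):
    """Per signature: strict/relaxed DMARC alignment with the From domain.
    Aggregate reports go to the From organizational domain, so the owner of a
    d= that is not relaxed-aligned never sees reports about the message."""
    hdrs = unfold(raw_headers)
    fd = from_domain(hdrs)
    out = {}
    for d in dkim_signer_domains(hdrs):
        relaxed = org_domain(fd) == org_domain(d)
        out[d] = {"strict": fd == d, "relaxed": relaxed,
                  "signer_sees_dmarc_reports": relaxed}
    return out

# Constructed samples (not from the page): a first-party signature, a subdomain
# signature, and an ESP signing on behalf of a customer without its own DKIM.
FIRST_PARTY = "From: Michael Thomas <mike@mtcc.com>\nDKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mtcc.com;\n s=fluffulence; h=from:to:subject; bh=...; b=...\n"
SUBDOMAIN = "From: Alerts <noreply@mtcc.com>\nDKIM-Signature: v=1; a=rsa-sha256; d=mail.mtcc.com; s=sel; bh=...; b=...\n"
ESP_SIGNED = "From: News <news@momandpop-store.com>\nDKIM-Signature: v=1; a=rsa-sha256; d=bulk.esp-example.net; s=k1; bh=...; b=...\n"

if __name__ == "__main__":
    for name, hdrs in [("first-party", FIRST_PARTY), ("subdomain", SUBDOMAIN), ("esp", ESP_SIGNED)]:
        print(name, alignment_report(hdrs))
```

Only the first-party and subdomain cases would ever surface in the d= owner's DMARC aggregate reports; a replay of the ESP-signed message is invisible to esp-example.net's reporting.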