Re: Replay attacks and ISP business models

["John R Levine" <johnl@xxxxxxxx>]

> > Only if you know in advance how many times a message will legitimately
> > be delivered
>
> Or if you see that a particular user key is being queries a million
> times while most user keys are only queried hundreds of times in a
> certain time period, that might be a clue that something is up.

Right.  He might be sending mail to an active mailing list.

> > Before we can describe a replay defense, the people who are concerned
> > about replay need to define what replay means, i.e., what's the
> > technical difference between a replay and a valid delivery.  The
> > definition can't require knowledge of people's mental states.
>
> You don't like the description of replay attacks in Section 9.5 of
> DKIM-base?

No, because it depends on the mental state of "spammer" and
"accomplice".  Here's section 9.5 with minor edits to make its
terminology more consistent with other RFCs:

9.5  Replay Attacks

   In this attack, a user sends a message to be distributed to a
   mailing list, which results in the message being signed by the
   originating MTA.  The mailing list resends the message, including the
   original signature, to a large number of recipients, possibly by
   sending the message to many intermediate exploders that act as MTAs.
   The messages, not having been modified by the mailing list, have valid
   signatures.



Regards,
John Levine, johnl@xxxxxxxx, Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.