Gomes, Rich:
> At the moment, we are not sure how they are doing this.
> It is showing up in RUF data and thus presented in our DMARC portal as "a new
> key was identified"
> We are trying to vet out how that could happen so we can close whatever gap
> is allowing it
RUF reports DMARC failures, presumably because both SPF and DKIM
failed. Anyone can send email with a failing DKIM-Signature: header
that identifies some non-existent public key in DNS (using the DKIM
signature tags 'd=' and 's='). Sending email that fails SPF is even
easier, no header needed.
That does not require tricks such as header injection.
> > We are trying to mimic an issue we are having with bad actors
> > inserting fraudulent DKIM keys into a header in an attempt to spoof
> > one of our domains.
There are no keys in DKIM-Signature: headers, only substrings of the DNS
path (the signature tags 'd=' and 's=').
Wietse
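
Added example, not part of the original message: a Python sketch that extracts 'd=' and 's=' from a DKIM-Signature: header value, builds the DNS name a verifier would query, and flags selectors that your own signers never published. The PUBLISHED table, the sample headers and the classification labels are constructed assumptions for illustration.

```python
import re

# Assumption: selectors your own signers actually publish, per domain (constructed).
PUBLISHED = {"example.com": {"mail2023", "s1"}}

def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature tag-list (RFC 6376 section 3.2) into a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        # Folding whitespace inside values is not significant for the tags used here.
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def key_dns_name(tags):
    """DNS name a verifier queries for the public key, or None if d=/s= is missing."""
    if not tags.get("d") or not tags.get("s"):
        return None
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def classify(header_value, published=PUBLISHED):
    """Return (label, dns_name) for one DKIM-Signature header value."""
    tags = parse_dkim_tags(header_value)
    name = key_dns_name(tags)
    if name is None:
        return ("malformed", None)
    domain, selector = tags["d"].lower(), tags["s"].lower()
    if domain not in published:
        return ("foreign-domain", name)
    if selector in published[domain]:
        return ("known-selector", name)
    # The header only names a DNS location; we never published a key there.
    return ("unknown-selector", name)

# Constructed sample header values (bh= and b= are dummies).
SAMPLES = [
    "v=1; a=rsa-sha256; d=example.com; s=mail2023;\r\n\tc=relaxed/relaxed; h=from:to; bh=AAAA; b=BBBB",
    "v=1; a=rsa-sha256; d=example.com; s=notours; h=from; bh=AAAA; b=BBBB",
    "v=1; a=rsa-sha256; d=example.net; s=x; h=from; bh=AAAA; b=BBBB",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample))
```

An "unknown-selector" result for your own domain corresponds to a signature that can never verify, since no key exists at that DNS name.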