Is someone hijacking your good reputation to send millions of spam or malicious messages?
Email senders have a new security concern: a protocol intended to provide sender authentication and thwart spam has inadvertently opened a back door that allows spammers to hijack a legitimate sender’s good reputation and send millions of unwanted email messages.
It’s called a DKIM replay attack, and it abuses DomainKeys Identified Mail (DKIM), an email authentication method in which a digital signature tells an inbound email server that a message was authorized by the domain owner, in order to evade spam filters.
During the webinar, Understanding DKIM Replay Attacks: A must for email senders, organized by the Certified Senders Alliance (CSA), email security experts including Fredrik Poller of Halon, Al Iverson of Spam Resource and Sebastian Kluth of the CSA said they expect it to become a serious problem for email senders as authentication efforts shift from IP reputation to domain reputation.
While you might not have heard of DKIM replay attacks, 32% of the webinar’s attendees said they had already been victims.
“Spammers don’t have good reputations, so they hijack someone else’s good reputation by tricking that sender like an ESP, a mailbox provider, or a brand into sending a DKIM-signed email using their good reputation,” Fredrik said.
A spammer might exploit this by copying an entire email, including its headers and the DKIM signature, and resending it from their own mailing platform. As a result, receiving email servers, seeing the intact signature, identify the message as authentic and allow it to pass their security checks.
“Although these messages might fail another protocol called Sender Policy Framework (SPF), that might not prevent many of those spam emails from getting through inbound email spam filters,” said Al Iverson of Spam Resource.
Brands that send millions of messages every day could be candidates for getting abused and having their online reputation damaged. They might not be able to stop malicious senders from trying to hijack their good reputations, but they can make the process more difficult by taking steps such as:
1. Setting an expiration date on DKIM signatures to limit the window in which a replay attack can be performed
2. Making sure DKIM has been set up properly on their outbound servers, including oversigning
3. Avoiding signing with their own domain when possible, i.e. white-labelling and signing with the customer's domain instead
4. Eliminating free bulk email sending as part of ESP demonstrations
5. Ensuring that a good routine is in place to rotate DKIM keys when a DKIM replay happens
6. Re-signing any email that soft-bounces before retrying delivery, which allows for even shorter expiry times
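As an added illustration of items 1 and 2 (this code is not from Halon or the webinar), here is a small Python check that parses a DKIM-Signature header, reports whether it carries an x= expiry within a sensible window, and reports whether the headers a replayer would most want to alter are oversigned. The two sample headers are constructed and use placeholder hash and signature values.

```python
import re
import time

# Headers worth oversigning: listing a header twice in h= signs a second,
# absent instance as empty, so a replayer cannot add one without breaking b=.
OVERSIGN_HEADERS = ("from", "to", "subject", "date", "reply-to")

def parse_dkim_signature(value):
    """Parse a DKIM-Signature tag=value list (RFC 6376) into a dict."""
    tags = {}
    for part in value.split(";"):
        name, _, val = part.partition("=")
        if name.strip():
            tags[name.strip().lower()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def check_replay_hardening(value, now=None, max_lifetime=24 * 3600):
    """Return findings describing how replay-resistant a DKIM signature is."""
    now = int(time.time()) if now is None else now
    tags = parse_dkim_signature(value)
    findings = []
    if "x" not in tags:
        findings.append("no x= expiry: the signature can be replayed indefinitely")
    elif int(tags["x"]) <= now:
        findings.append("signature expired: verifiers will fail it")
    elif "t" in tags and int(tags["x"]) - int(tags["t"]) > max_lifetime:
        findings.append("expiry window longer than %d seconds" % max_lifetime)
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    for name in OVERSIGN_HEADERS:
        count = signed.count(name)
        if count == 0:
            findings.append("%s not signed" % name)
        elif count == 1:
            findings.append("%s signed once, not oversigned" % name)
    return findings

# Constructed sample headers (not real signatures); bh= and b= are placeholders.
WEAK_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
            "h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG=")
HARDENED_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
                "t=1700000000; x=1700003600; "
                "h=from:from:to:to:subject:subject:date:date:reply-to:reply-to; "
                "bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG=")

if __name__ == "__main__":
    for label, sig in (("weak", WEAK_SIG), ("hardened", HARDENED_SIG)):
        print(label, check_replay_hardening(sig, now=1700000100) or ["ok"])
```

The same check can be pointed at your own outbound mail to confirm that every signature carries a short x= window and oversigns the headers above.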
For more details on DKIM replay attacks, watch the full recording here or read our other blog post about DKIM replay attacks here. If you have any questions, Halon is here to help! Simply contact us and one of our email experts will be in touch.