Threat actors bypass DKIM authentication checks with the DKIM replay attack technique. This allows them to obtain a copy of a validly signed email and replay it with added or replaced From, To, or Subject headers. Because the original DKIM signature still verifies, the replayed version also passes the DKIM authentication checks, so even phishing and spoofing emails land in the recipients’ inboxes instead of spam folders.

You can deal with this email attack vector using the DKIM over-signing method, which adds an extra layer of protection and minimizes the likelihood of a valid signature being reused for malicious purposes.

Understanding DKIM over-signing

DKIM over-signing is an email security measure in which specific headers are signed multiple times: each header name is listed in the signature’s h= tag more times than the header actually appears in the message, so a threat actor cannot add another copy of that header in transit and resend the message with new content. This ensures that From, To, and Subject remain protected and unmodified in transit. The headers are then verified at several points, establishing the email’s integrity and legitimacy.

We suggest that domain owners use the t= (timestamp) and x= (expiration) tags in the DKIM-Signature header to add a time element, so that the signature is no longer treated as valid outside its designated validity period. You can set the expiration time anywhere from a few hours to a month; this depends on the provider.
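As an added illustration (not code from the original article), here is a simplified Python model of how a DKIM verifier selects headers from the h= tag, showing why listing From, To and Subject twice defeats a replay that prepends a new Subject, together with the x= expiry check described above. Header selection and the x= comparison follow RFC 6376; the hashing is a stand-in (no canonicalisation, key lookup or RSA), and the message values are constructed.

```python
import hashlib
import time

def select_headers(headers, h_tag):
    """Headers a DKIM verifier hashes for an h= tag (simplified RFC 6376).

    Each name in h= consumes the next unused instance of that header, searching
    from the BOTTOM of the message; a name with nothing left contributes an
    empty value, which is exactly what an over-signed slot protects.
    """
    remaining = list(headers)  # (name, value) pairs in top-to-bottom order
    chosen = []
    for name in h_tag.split(":"):
        name = name.strip().lower()
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == name:
                chosen.append((name, remaining[i][1].strip()))
                del remaining[i]
                break
        else:
            chosen.append((name, ""))
    return chosen

def header_hash(headers, h_tag):
    """Stand-in for the signed header hash (no canonicalisation or RSA here)."""
    data = "\r\n".join(f"{n}:{v}" for n, v in select_headers(headers, h_tag))
    return hashlib.sha256(data.encode()).hexdigest()

def signature_survives_replay(original, replayed, h_tag):
    """True if the replayed copy still hashes to the value that was signed."""
    return header_hash(original, h_tag) == header_hash(replayed, h_tag)

def signature_expired(x_tag, now=None):
    """x= is an absolute UNIX time; verifiers reject the signature after it."""
    now = int(time.time()) if now is None else now
    return x_tag is not None and now > x_tag

# Constructed sample: the harmless message first sent to an attacker-owned
# mailbox, then replayed with a second Subject prepended (mail clients show
# the first Subject, the verifier hashes the last one).
ORIGINAL = [("From", "billing@example.com"),
            ("To", "attacker-owned@example.net"),
            ("Subject", "Your receipt")]
REPLAYED = [("Subject", "URGENT: reset your password")] + ORIGINAL

if __name__ == "__main__":
    for h in ("from:to:subject", "from:from:to:to:subject:subject"):
        print(f"h={h} survives replay:",
              signature_survives_replay(ORIGINAL, REPLAYED, h))
```

With the plain h= list the verifier hashes the original (bottom) Subject and the signature still passes; with the over-signed list the added Subject fills the empty slot and the signature fails.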

Breakdown of a DKIM replay attack’s process

These are the stages in a standard DKIM replay attack:

DKIM signature leniency

The domain that signs the outgoing message can differ from the ‘From’ domain in the header. So, even if an email claims to be from a specific domain in the ‘From’ header, the DKIM signature can belong to a different domain.

Verification

When a mail server receives an email with a DKIM signature, it checks that the signed parts of the email haven’t been altered since signing. If the signature is valid, the server treats the email as authentic and untampered with.

Exploitation

This is the main stage of the replay attack: the attacker takes over or compromises a mailbox at a domain with a good reputation and uses that reputation to their advantage. Such domains are trusted by recipients’ mail servers and hence don’t raise suspicion, easily bypassing email security filters.

Sending the initial message

The adversary sends the first email from the exploited domain to a mailbox they control. This email is harmless.

Re-broadcasting

Now the attacker can re-send the recorded email to a different group of recipients, ones the original sender never intended. Since the email retains its DKIM signature from the high-reputation domain, email servers are more likely to trust it, believing it’s legitimate, and it bypasses authentication filters.

Preventing DKIM replay attacks

Over-signing headers

Over-sign key headers such as Date, Subject, From, To, and CC to prevent tampering by malicious actors.

Setting short expiration times (x=)

Use short expiration times to reduce the window in which a signature can be replayed. New domains, being more vulnerable, should have even shorter expiration times.

Employing timestamps (t=) and nonces

To prevent replay attacks, include timestamps and random values (nonces) in email headers or body, as these values change with every email.

Rotating DKIM keys periodically

Regularly rotate DKIM keys and update DNS records to limit the risk of key compromise and replay attacks.

How do you know if you are being attacked?

DKIM replay attacks primarily target Gmail, likely because Google’s spam filtering relies heavily on domain reputation. This makes it an attractive target for manipulation by malicious actors. Other email providers, with less domain-focused filtering, may not be as vulnerable to these specific attacks.

Detecting an attack can be challenging due to the subtle signs of abuse. One effective method is to monitor Google Postmaster Tools for the following indicators:

The extent of the reputation drop depends on the volume of replay spam being distributed.
