DKIM replay attack on Gmail

It’s never happened before, and here it is again…

TLDR: Gmail is subject to a DKIM replay attack on sender domain reputation.

The widely used email service gmail.com tries to protect its users from spam using a variety of techniques. The reputation of the sender’s domain is one of the most important, along with the reputation of the IP address of the sending server. As soon as a domain’s reputation drops to “bad”, all new emails from that domain’s addresses start arriving in the “Spam” folder.

Unfortunately, at the moment the algorithm Gmail uses to calculate a sender domain’s reputation is open to an attack that, under certain conditions, is not difficult to carry out:

  1. the attacked domain is protected by DKIM and DMARC, as Gmail recommends;

  2. it is possible to send and receive an email with junk content from any email address of the attacked domain;

  3. it is possible to generate significant mail traffic from different IP addresses to gmail.com servers.

What is the problem with the domain reputation calculation algorithm:

  • Gmail trusts DMARC, which requires a valid DKIM signature to validate the sender’s domain in the From header before domain reputation is applied. The result of the SPF check is not taken into account beyond that.

  • Gmail accepts any number of copies of the same email with different recipient addresses in a single SMTP session (this is how BCC works in email).

  • Gmail counts every received copy toward the reputation of the attacked domain.

Protonmail was hit by this in December.

If a domain’s reputation in Gmail has plummeted, you can check for an attack in Google Postmaster Tools: the “IP Reputation” section will list a lot of other people’s IP addresses.
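As an added example (not from the original post), here is the accounting flaw in the last bullet and the “other people’s IP addresses” signal above, worked through on a constructed inbound-MTA log. The log format, IP addresses, domains and signature values are all invented, and per-signature counting is one possible correction, not Gmail’s actual algorithm.

```python
import re
from collections import Counter, defaultdict

# Constructed inbound-MTA log lines (invented format and values; not Gmail's or any real
# MTA's logs). Each line is one accepted copy: connecting IP, envelope recipient, and the
# d= and b= tags of its DKIM-Signature. Copies of sigAAA arrive from four unrelated IPs.
LOG_LINES = """\
client=203.0.113.10 rcpt=u1@mail.example d=example.com b=sigAAA
client=198.51.100.7 rcpt=u2@mail.example d=example.com b=sigAAA
client=192.0.2.33 rcpt=u3@mail.example d=example.com b=sigAAA
client=192.0.2.34 rcpt=u4@mail.example d=example.com b=sigAAA
client=203.0.113.10 rcpt=u5@mail.example d=example.com b=sigBBB
client=203.0.113.11 rcpt=u6@mail.example d=other.example b=sigCCC
""".splitlines()

LINE_RE = re.compile(r"client=(\S+) rcpt=(\S+) d=(\S+) b=(\S+)")

def parse(lines):
    """Yield (ip, recipient, signing_domain, signature) for each well-formed line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.groups()

def per_copy_counts(lines):
    """The flawed accounting the post describes: every delivered copy is one
    reputation event for the d= domain, so replayed copies multiply its weight."""
    return Counter(domain for _, _, domain, _ in parse(lines))

def per_signature_counts(lines):
    """Replay-resistant accounting: a (d=, b=) pair is one signed message however
    many copies of it arrive, so a replayer cannot inflate the domain's event count."""
    seen = {(domain, sig) for _, _, domain, sig in parse(lines)}
    return Counter(domain for domain, _ in seen)

def find_replays(lines, min_ips=3):
    """Flag signatures delivered from several unrelated client IPs. Legitimate bulk
    mail also fans out to many recipients, but from the sender's own IPs, so the
    distinct-IP count (the signal Postmaster Tools surfaces) is the stronger one."""
    ips, rcpts = defaultdict(set), defaultdict(set)
    for ip, rcpt, _, sig in parse(lines):
        ips[sig].add(ip)
        rcpts[sig].add(rcpt)
    return {sig: {"ips": sorted(ips[sig]), "recipients": len(rcpts[sig])}
            for sig in ips if len(ips[sig]) >= min_ips}

if __name__ == "__main__":
    print(per_copy_counts(LOG_LINES), per_signature_counts(LOG_LINES))
    print(find_replays(LOG_LINES))
```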
