
Thinking about this more, maybe an alternate technique to provide plausible deniability is to set up a service that acts as a signing oracle with your private key. To avoid it being used for impersonation you might be able to implement a system that receives signing requests via email, and will only sign emails that have the "to" address equal to the source of where the signing request came from.


Attack: Sign up for email accounts at major providers, use the signing oracle to sign spam emails, submit to provider, domain's reputation becomes spammy.

The handling rules standardized by DMARC are to ignore failing SPF when there is a valid DKIM signature, even if the domain doesn't use DMARC. Google, in particular, ignored SPF failures on DKIM signed messages last I checked.
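To make the DMARC point above concrete (this is an added illustration, not code from the thread), here is a small evaluator of the DMARC verdict from the SPF and DKIM results: a message whose SPF fails (say, relayed through a third-party provider) still passes DMARC as long as the DKIM signature verifies and its `d=` domain aligns with the From: domain. The `org_domain` helper is a hypothetical two-label approximation of the Public Suffix List lookup real verifiers use.

```python
from typing import Tuple

def org_domain(domain: str) -> str:
    """Approximate the organizational domain.

    Real DMARC implementations consult the Public Suffix List; this
    hypothetical helper just keeps the last two labels.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment.

    mode "s" (strict) requires an exact domain match; mode "r" (relaxed)
    only requires the same organizational domain.
    """
    if mode == "s":
        return identifier.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(identifier) == org_domain(from_domain)

def dmarc_evaluate(from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str,
                   adkim: str = "r", aspf: str = "r") -> Tuple[str, str]:
    """Return (verdict, reason) for the RFC 7489 rule: DMARC passes when
    at least one of SPF or DKIM passes AND its identifier aligns with the
    RFC5322.From domain. A failing SPF does not hurt an aligned DKIM pass."""
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, adkim)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    if dkim_ok:
        return ("pass", "aligned DKIM signature verified; SPF result ignored")
    if spf_ok:
        return ("pass", "aligned SPF pass")
    return ("fail", "no aligned authenticated identifier")

if __name__ == "__main__":
    # Constructed sample: From: is example.com, the message was relayed by an
    # unrelated provider (SPF fails for its envelope domain), but it carries a
    # valid DKIM signature with d=example.com.
    print(dmarc_evaluate("example.com",
                         spf_result="fail", spf_domain="mail.provider.example",
                         dkim_result="pass", dkim_domain="example.com"))
```

This is why a signing oracle that hands out valid DKIM signatures for your domain hands out DMARC passes with them: receivers deliberately do not let the SPF failure override the aligned DKIM pass.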


Interesting. What if you required payment, say via Monero, for each signature? That would slow down the creation of spam emails.


If you're a low volume email sender, anything attributed to your domain getting marked as spam can cause serious pain. It's an interesting idea, but not an experiment I care to run.



