> -----Original Message-----
> From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org]
> On Behalf Of John R. Levine
> Sent: Monday, May 23, 2011 9:35 AM
> To: Scott Kitterman
> Cc: ietf-dkim@mipassoc.org
> Subject: Re: [ietf-dkim] 8bit downgrades
>
> Do you have numbers to show that broken signatures indicate that messages
> are malicious, or spam, or otherwise worse than otherwise?

Count of failed signatures compared to spam true/false flag:

+----------+------+
| count(*) | spam |
+----------+------+
|   120257 |    0 |
|    18945 |    1 | (13.6%)
+----------+------+

Doesn't look like there's a valid correlation there to me.

> For that matter, since we're not talking about ADSP, what do you mean by
> an absent signature? Do you track which domains sign what mail? How do
> you tell what signature you're expecting? From line domain? Sender?
> Message ID? Something in the Received lines?

For domains that have at least once signed their own mail with a signature that passed, here's the correlation of message counts from those domains versus whether or not the mail is signed (by that same domain) and whether or not those messages are spam:

+----------+------+--------+
| count(*) | spam | signed |
+----------+------+--------+
|   230426 |    0 |      0 |
|     9925 |    1 |      0 | (4.1% of unsigned mail from domains that sometimes sign)
|  1352623 |    0 |      1 |
|    95962 |    1 |      1 | (6.5% of signed mail from domains that sometimes sign)
+----------+------+--------+

What this tells me is: Ignoring ADSP, if a domain sometimes signs its mail, then mail from it (signed or not) is usually not spam. From this I suspect we could conclude that a missing signature doesn't tell us much of anything.

Now of course there are some domains that sign nothing but spam. We could narrow this set down by selecting for signing domains that generally don't sign spam, but I think all that would do is shrink the "spam" rows (i.e. the second and fourth counts) without measurably changing the other two. We could also change "sometimes" to "usually" and see if that matters, but I'm skeptical.

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html