Re: [Assp-test] DKIM spam
Hi Peter,

Thanks for the email, configuring it that way makes far more sense than turning it off. Last week was rather busy so I didn't give it the thought it deserved past turning it off.

I've ended up doing the same for SPF because we've been getting a fair amount of that through as well.

All the best,
Colin Waring.

-----Original Message-----
From: Peter Hinman [mailto:peter.hin...@myib.com]
Sent: 19 March 2014 16:30
To: assp-test@lists.sourceforge.net
Subject: Re: [Assp-test] DKIM spam

I don't give much value to a DKIM pass, but I do score on a DKIM fail. DKIM still has its place as a way to identify fraudulent use of a domain.

There isn't much that can be done about hacked domains :(

Peter Hinman
International Bridge / ParcelPool.com

On 3/14/2014 8:49 AM, Colin Waring wrote:
> Thanks for the reply, it is however somewhat off the mark.
>
> These messages don't come from authenticated sources or even trusted
> sources - they are simply remote mail servers that have a valid DKIM
> record thus causing them to score below the threshold.
>
> To me, it looks like a smart spammer/botnet that is using throwaway
> domains with DKIM records set up. The problem is that anyone can set
> up DKIM, though up until now spammers haven't bothered going to the
> extra effort of doing so. If spammers are now deploying DKIM for their
> messages then DKIM can no longer be relied on as an indicator of
> spam/ham.
>
> This is why I asked if anyone else was seeing the same increase in
> DKIM signed spam.
>
> All the best,
> Colin Waring.
>
> -----Original Message-----
> From: Grayhat [mailto:gray...@gmx.net]
> Sent: 14 March 2014 14:18
> To: assp-test@lists.sourceforge.net
> Subject: Re: [Assp-test] DKIM spam
>
> :: On Fri, 14 Mar 2014 13:51:37 -
> ::
> :: "Colin Waring" wrote:
>
>> I was wondering if anyone else was seeing an increase in spam
>> messages that come with a valid DKIM signature? It has gotten to the
>> point where I have had to set DoDKIM to disabled because so much
>> rubbish is coming through and I can't think of many circumstances
>> where DKIM is actually used extensively.
>
> I don't think it's a DKIM issue (or an SPF one or whatever); see, the
> number of bots trying to bruteforce credentials (either over SMTP or
> POP3/IMAP) dramatically raised (and I'm not counting the malware which
> steals them from victims' machines) and once those credentials are
> upped to some botnet controller, the bots will just start pumping a
> lot of junk through a server using the stolen credentials and DKIM or
> SPF won't be able to do much; bottom line, ensure to check for bounces
> and keep an eye on your servers; as for bounces; if someone here is
> running on win and using the IIS SMTP as the outbound mail router, it
> may (will !) be a good idea to configure it to also send a copy of NDR
> emails to some mailbox you manage (say ndr...@example.com) so that
> you'll be able to see the bounces and take action (ok, this is a raw
> and straight approach but as a first step it's better than nothing)

___
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
Re: [Assp-test] DKIM spam
I don't give much value to a DKIM pass, but I do score on a DKIM fail. DKIM still has its place as a way to identify fraudulent use of a domain.

There isn't much that can be done about hacked domains :(

Peter Hinman
International Bridge / ParcelPool.com

On 3/14/2014 8:49 AM, Colin Waring wrote:
> Thanks for the reply, it is however somewhat off the mark.
>
> These messages don't come from authenticated sources or even trusted
> sources - they are simply remote mail servers that have a valid DKIM
> record thus causing them to score below the threshold.
>
> To me, it looks like a smart spammer/botnet that is using throwaway
> domains with DKIM records set up. The problem is that anyone can set
> up DKIM, though up until now spammers haven't bothered going to the
> extra effort of doing so. If spammers are now deploying DKIM for their
> messages then DKIM can no longer be relied on as an indicator of
> spam/ham.
>
> This is why I asked if anyone else was seeing the same increase in
> DKIM signed spam.
>
> All the best,
> Colin Waring.
>
> -----Original Message-----
> From: Grayhat [mailto:gray...@gmx.net]
> Sent: 14 March 2014 14:18
> To: assp-test@lists.sourceforge.net
> Subject: Re: [Assp-test] DKIM spam
>
> :: On Fri, 14 Mar 2014 13:51:37 -
> ::
> :: "Colin Waring" wrote:
>
>> I was wondering if anyone else was seeing an increase in spam
>> messages that come with a valid DKIM signature? It has gotten to the
>> point where I have had to set DoDKIM to disabled because so much
>> rubbish is coming through and I can't think of many circumstances
>> where DKIM is actually used extensively.
>
> I don't think it's a DKIM issue (or an SPF one or whatever); see, the
> number of bots trying to bruteforce credentials (either over SMTP or
> POP3/IMAP) dramatically raised (and I'm not counting the malware which
> steals them from victims' machines) and once those credentials are
> upped to some botnet controller, the bots will just start pumping a
> lot of junk through a server using the stolen credentials and DKIM or
> SPF won't be able to do much; bottom line, ensure to check for bounces
> and keep an eye on your servers; as for bounces; if someone here is
> running on win and using the IIS SMTP as the outbound mail router, it
> may (will !) be a good idea to configure it to also send a copy of NDR
> emails to some mailbox you manage (say ndr...@example.com) so that
> you'll be able to see the bounces and take action (ok, this is a raw
> and straight approach but as a first step it's better than nothing)
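The policy Peter describes above (no credit for a DKIM pass, a penalty for a DKIM fail), sketched as an added example that is not part of the thread and is not ASSP code. It reads only the Authentication-Results header written by the receiving server's own verifier; the authserv-id mx.example.net, the point values and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy

# Assumed values for illustration; these are not ASSP settings.
TRUSTED_AUTHSERV_ID = "mx.example.net"   # authserv-id our own verifier writes
DKIM_FAIL_PENALTY = 25                   # points added on a failed signature
DKIM_PASS_BONUS = 0                      # a pass earns no credit

def dkim_results(msg):
    """DKIM results from Authentication-Results headers written by our verifier."""
    found = []
    for header in msg.get_all("Authentication-Results", []):
        text = re.sub(r"\([^()]*\)", "", str(header))   # drop header comments
        fields = [f.strip() for f in text.split(";")]
        if fields[0].lower().split()[:1] != [TRUSTED_AUTHSERV_ID]:
            continue   # written by someone else, possibly the sender: ignore
        for field in fields[1:]:
            m = re.match(r"dkim\s*=\s*(\w+)", field, re.I)
            if m:
                found.append(m.group(1).lower())
    return found

def dkim_score_delta(raw_message):
    """Score change for one message: penalise a fail, give nothing for a pass."""
    msg = message_from_string(raw_message, policy=policy.default)
    results = dkim_results(msg)
    if "pass" in results:
        return -DKIM_PASS_BONUS   # signed by a throwaway domain still scores 0
    if "fail" in results:
        return DKIM_FAIL_PENALTY
    return 0                      # unsigned, or no verdict: no opinion

# Constructed sample messages (not taken from the thread).
SIGNED_SPAM = (
    "Authentication-Results: mx.example.net; dkim=pass header.d=throwaway.example\n"
    "From: offers@throwaway.example\nSubject: deal\n\nbody\n")
BROKEN_SIG = (
    "Authentication-Results: mx.example.net;"
    " dkim=fail (bad signature) header.d=bank.example\n"
    "From: alerts@bank.example\nSubject: notice\n\nbody\n")
FORGED_HEADER = (
    "Authentication-Results: mx.example.net; dkim=fail header.d=bank.example\n"
    "Authentication-Results: sender.example; dkim=pass header.d=bank.example\n"
    "From: alerts@bank.example\nSubject: notice\n\nbody\n")
UNSIGNED = "From: someone@plain.example\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for name in ("SIGNED_SPAM", "BROKEN_SIG", "FORGED_HEADER", "UNSIGNED"):
        print(name, dkim_score_delta(globals()[name]))
```

The FORGED_HEADER case shows why the authserv-id check matters: a sender can add its own Authentication-Results line claiming a pass, so only the line from the local verifier is counted.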
Re: [Assp-test] DKIM spam
Thanks for the reply, it is however somewhat off the mark.

These messages don't come from authenticated sources or even trusted sources - they are simply remote mail servers that have a valid DKIM record thus causing them to score below the threshold.

To me, it looks like a smart spammer/botnet that is using throwaway domains with DKIM records set up. The problem is that anyone can set up DKIM, though up until now spammers haven't bothered going to the extra effort of doing so. If spammers are now deploying DKIM for their messages then DKIM can no longer be relied on as an indicator of spam/ham.

This is why I asked if anyone else was seeing the same increase in DKIM signed spam.

All the best,
Colin Waring.

-----Original Message-----
From: Grayhat [mailto:gray...@gmx.net]
Sent: 14 March 2014 14:18
To: assp-test@lists.sourceforge.net
Subject: Re: [Assp-test] DKIM spam

:: On Fri, 14 Mar 2014 13:51:37 -
::
:: "Colin Waring" wrote:

> I was wondering if anyone else was seeing an increase in spam messages
> that come with a valid DKIM signature? It has gotten to the point
> where I have had to set DoDKIM to disabled because so much rubbish is
> coming through and I can't think of many circumstances where DKIM is
> actually used extensively.

I don't think it's a DKIM issue (or an SPF one or whatever); see, the number of bots trying to bruteforce credentials (either over SMTP or POP3/IMAP) dramatically raised (and I'm not counting the malware which steals them from victims' machines) and once those credentials are upped to some botnet controller, the bots will just start pumping a lot of junk through a server using the stolen credentials and DKIM or SPF won't be able to do much; bottom line, ensure to check for bounces and keep an eye on your servers; as for bounces; if someone here is running on win and using the IIS SMTP as the outbound mail router, it may (will !) be a good idea to configure it to also send a copy of NDR emails to some mailbox you manage (say ndr...@example.com) so that you'll be able to see the bounces and take action (ok, this is a raw and straight approach but as a first step it's better than nothing)
Re: [Assp-test] DKIM spam
:: On Fri, 14 Mar 2014 13:51:37 -
::
:: "Colin Waring" wrote:

> I was wondering if anyone else was seeing an increase in spam
> messages that come with a valid DKIM signature? It has gotten to the
> point where I have had to set DoDKIM to disabled because so much
> rubbish is coming through and I can't think of many circumstances
> where DKIM is actually used extensively.

I don't think it's a DKIM issue (or an SPF one or whatever); see, the number of bots trying to bruteforce credentials (either over SMTP or POP3/IMAP) dramatically raised (and I'm not counting the malware which steals them from victims' machines) and once those credentials are upped to some botnet controller, the bots will just start pumping a lot of junk through a server using the stolen credentials and DKIM or SPF won't be able to do much; bottom line, ensure to check for bounces and keep an eye on your servers; as for bounces; if someone here is running on win and using the IIS SMTP as the outbound mail router, it may (will !) be a good idea to configure it to also send a copy of NDR emails to some mailbox you manage (say ndr...@example.com) so that you'll be able to see the bounces and take action (ok, this is a raw and straight approach but as a first step it's better than nothing)
[Assp-test] DKIM spam
Hi there,

I was wondering if anyone else was seeing an increase in spam messages that come with a valid DKIM signature? It has gotten to the point where I have had to set DoDKIM to disabled because so much rubbish is coming through and I can't think of many circumstances where DKIM is actually used extensively.

All the best,
Colin Waring.