DKIM reputation, was Re: Spammers answering TMDA Queries

2007-10-09 Thread Tony Finch
On Mon, 8 Oct 2007, Keith Moore wrote:

 It's a combination of several things - one, requiring that a domain
 operate its own mail submission servers which sign their mail (and all
 that that implies, like maintaining the private keys).

That's just part of running a mail system.

 Two, many domains will be too small to develop enough of a reputation to
 be whitelisted, and any spammer can create a temporary domain which will
 have about as good a reputation as the vast majority of those domains.

Free domain tasting is a problem that affects lots of reputation systems,
not just ones based on DKIM. If ICANN were to eliminate it lots of things
would become easier.

Also, at the moment negative reputation is more useful (or at least easier
to use) than positive reputation so I don't see neutral reputation as a
bad thing (er, by definition it isn't).

 Three, as long as people use Windows boxes, spammers will be able to
 compromise them and hijack them to use them to originate mail on behalf
 of their domains, thus degrading those domains' reputation.

The criminals can steal infected users' online banking credentials too,
which is far more worrying. Everyone has to keep their networks clean for
many reasons, not just spam.

Tony.
-- 
f.a.n.finch  [EMAIL PROTECTED]  http://dotat.at/
IRISH SEA: SOUTHERLY, BACKING NORTHEASTERLY FOR A TIME, 3 OR 4. SLIGHT OR
MODERATE. SHOWERS. MODERATE OR GOOD, OCCASIONALLY POOR.

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf


Re: DKIM reputation, was Re: Spammers answering TMDA Queries

2007-10-09 Thread Keith Moore
Tony Finch wrote:
 On Mon, 8 Oct 2007, Keith Moore wrote:
   
 It's a combination of several things - one, requiring that a domain
 operate its own mail submission servers which sign their mail (and all
 that that implies, like maintaining the private keys).
 

 That's just part of running a mail system.
   
yes, but it's not inherently part of running a mail domain.  it's
unreasonable to require everyone to use mail submission servers that are
entrusted with their domain's DKIM private keys.
 Two, many domains will be too small to develop enough of a reputation to
 be whitelisted, and any spammer can create a temporary domain which will
 have about as good a reputation as the vast majority of those domains.
 

 Free domain tasting is a problem that affects lots of reputation systems,
 not just ones based on DKIM. If ICANN were to eliminate it lots of things
 would become easier.
   
it's a problem even without free domain tasting.
 Also, at the moment negative reputation is more useful (or at least easier
 to use) than positive reputation so I don't see neutral reputation as a
 bad thing (er, by definition it isn't).
   
negative reputation of a domain is of minimal value, because spammers
will just get a new domain (or several) every time they wish to spam,
and the new domains will have neutral reputation.

 Three, as long as people use Windows boxes, spammers will be able to
 compromise them and hijack them to use them to originate mail on behalf
 of their domains, thus degrading those domains' reputation.
 

 The criminals can steal infected users' online banking credentials too,
 which is far more worrying. Everyone has to keep their networks clean for
 many reasons, not just spam.
   
nuclear war is more worrying too.  but that doesn't mean that the ease
in compromising PCs isn't a big contributor to the spam problem.  as for
keeping...networks clean, well, of course people should try to do
that.  but as far as I can tell, so far it's more of a laudable goal
than a practical reality.

Keith




Re: Spammers answering TMDA Queries

2007-10-08 Thread Frank Ellermann
SM wrote:

 Spam can pass SPF, Sender-ID and are even DK and DKIM signed 
 nowadays.  One can't blame spammers for not being early adopters. :-)

 TMDA may cause backscatter.

After an SPF PASS the backscatter by definition can't hit an
innocent bystander.  By the same definition any backscatter
after an SPF FAIL hits an innocent bystander, and therefore is
net abuse.

 http://www.ietf.org/internet-drafts/draft-ietf-sipping-spam-05.txt ) 
 provides an interesting insight.

It certainly explains why [18]...[21] are unnecessary for SIP ;-)

 Frank




Re: Spammers answering TMDA Queries

2007-10-08 Thread Tony Finch
On Thu, 4 Oct 2007, Keith Moore wrote:

 the vast majority of domains won't be able to use DKIM without seriously
 impairing their users' ability to send mail.

You seem to be assuming that the vast majority of domains have really
shitty message submission servers or connectivity. Maybe true, but if so
they're already losing so much that lack of DKIM probably doesn't matter
to them.

Tony.
-- 
f.a.n.finch  [EMAIL PROTECTED]  http://dotat.at/
IRISH SEA: SOUTHERLY, BACKING NORTHEASTERLY FOR A TIME, 3 OR 4. SLIGHT OR
MODERATE. SHOWERS. MODERATE OR GOOD, OCCASIONALLY POOR.



Re: Spammers answering TMDA Queries

2007-10-08 Thread Keith Moore
Tony Finch wrote:
 On Thu, 4 Oct 2007, Keith Moore wrote:
   
 the vast majority of domains won't be able to use DKIM without seriously
 impairing their users' ability to send mail.
 

 You seem to be assuming that the vast majority of domains have really
 shitty message submission servers or connectivity.
It's a combination of several things - one, requiring that a domain
operate its own mail submission servers which sign their mail (and all
that that implies, like maintaining the private keys).  Two, many
domains will be too small to develop enough of a reputation to be
whitelisted, and any spammer can create a temporary domain which will
have about as good a reputation as the vast majority of those domains. 
Three, as long as people use Windows boxes, spammers will be able to
compromise them and hijack them to use them to originate mail on behalf
of their domains, thus degrading those domains' reputation. 

So basically if you're a small domain, you're SOL.  If you're a large
domain, people can't afford to blacklist you unless you originate a lot
of spam anyway.

Keith




Re: Spammers answering TMDA Queries

2007-10-06 Thread Brian E Carpenter

On 2007-10-06 12:02, Ken Raeburn wrote:

On Oct 5, 2007, at 17:00, Douglas Otis wrote:

But what is it?


A step beyond grey listing.


"Beyond" implies in vaguely the same direction.  From skimming the
TMDA description, I don't see that at all.


In any case, the IETF config for TMDA is a white list only, as
far as I know. All known subscribers to IETF lists are automatically
white listed, and anyone else has to respond once to a challenge
to become white listed. Mail from non-white listed senders
goes into manual moderation. That's all. Not perfect, but it
stops a heck of a lot of spam.

   Brian



Re: Spammers answering TMDA Queries

2007-10-05 Thread Tom.Petch
----- Original Message -----
From: Clint Chaplin [EMAIL PROTECTED]
To: ietf@ietf.org
Sent: Thursday, October 04, 2007 1:01 AM
Subject: Re: Spammers answering TMDA Queries


 I believe the term is tmda, not tdma.


Never mind how it is spelt, what is it? Something to do with e-mail, something
associated with spam, something that may or may not affect my ability to
participate with the 'IETF' now or in future.

But what is it?

An explanation for one not familiar with MX and mail list administration would
be appreciated.

Tom Petch

PS no need to explain SPF, DKIM etc, those have been hammered enough on this
list.






 TDMA is a type of cell phone technology.

 On 10/3/07, Hallam-Baker, Phillip [EMAIL PROTECTED] wrote:
 
 
 
  I don't see a problem if we eat our own dog food.
 
   The use of tdma type tech for mailing list subscriptions has been
  considered best practice for over a decade. Personal use is nasty, brutish
  and hopefully short.
 
   Allowing unsubscribed persons to post after a tdma authentication is a
  courtesy, there is no obligation to extend it in the first place.
 
   Pooling the tdma responses across multiple ietf mailing lists is a further
  courtesy.
 
 
   There is more we can do here but no more that we should feel obliged to do
  - except for the fact that we are a standards organization and should eat the
  dog food.
 
   In particular, sign the messages with dkim and deploy spf.
 
 
 
   Sent from my GoodLink Wireless Handheld (www.good.com)
 
-Original Message-
   From:   Michael Thomas [mailto:[EMAIL PROTECTED]
   Sent:   Wednesday, October 03, 2007 08:23 AM Pacific Standard Time
   To: Brian E Carpenter
   Cc: ietf@ietf.org
   Subject:Re: Spammers answering TMDA Queries
 
   Brian E Carpenter wrote:
Speaking personally, I think annual reconfirmation is quite reasonable.
The message sent to the user should make it clear that it is an
annual process.
 
   Except... the annual confirmation is probably going to get accidentally
   deleted by a lot of people because they think it's the monthly notice.
 
   If this is a real problem, wouldn't it be better to take it up with the
   mailman
   folks since I'd expect that it's not just ietf? I've been working with
   them on
   dkim related stuff and they are quite reasonable folks. Maybe they have
  some
   ideas on this front.
 
  Mike
 
 
 
 
 
 


 --
 Clint (JOATMON) Chaplin
 Principal Engineer
 Corporate Standardization (US)
 SISA





Re: Spammers answering TMDA Queries

2007-10-05 Thread Ken Raeburn

On Oct 5, 2007, at 17:00, Douglas Otis wrote:

But what is it?


A step beyond grey listing.


"Beyond" implies in vaguely the same direction.  From skimming the
TMDA description, I don't see that at all.


Ken





Re: Spammers answering TMDA Queries

2007-10-04 Thread John Levine
how many of us are now sending with DKIM or Microsoft's scheme? It  
might be worthwhile making ietf.org apply a policy to senders that  
would recognize normal participants and disallow known spam domains.

Um, spammers haven't sent mail from known spam domains since about
2001.  These days spam has 100% forged return addresses.  DKIM and
Sender-ID help tell forgeries from legit mail, but I haven't heard
anyone say that forged mail purporting to be from list participants is
an issue.

Unless I am missing something, the amount of spam leaking into IETF
lists is currently about zero.  What problem are we trying to solve?

R's,
John




RE: Spammers answering TMDA Queries

2007-10-04 Thread Hallam-Baker, Phillip
The problem is the amount of time it is taking to moderate mail sent by non 
subscribers.

So far the score for KEYPROV has been 98% spam. But there were a couple of 
messages that were very important that got trapped. 

 -Original Message-
 From: John Levine [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, October 04, 2007 11:44 AM
 To: ietf@ietf.org
 Cc: [EMAIL PROTECTED]
 Subject: Re: Spammers answering TMDA Queries
 
 how many of us are now sending with DKIM or Microsoft's scheme? It 
 might be worthwhile making ietf.org apply a policy to senders that 
 would recognize normal participants and disallow known spam domains.
 
 Um, spammers haven't sent mail from known spam domains 
 since about 2001.  These days spam has 100% forged return 
 addresses.  DKIM and Sender-ID help tell forgeries from legit 
 mail, but I haven't heard anyone say that forged mail 
 purporting to be from list participants is an issue.
 
 Unless I am missing something, the amount of spam leaking 
 into IETF lists is currently about zero.  What problem are we 
 trying to solve?
 
 R's,
 John
 
 
 



RE: Spammers answering TMDA Queries

2007-10-04 Thread Hallam-Baker, Phillip
Absolutely, and in fact I see mailing list management as a natural early 
adopter for DKIM filtering.

The vast bulk of the spam I am moderating off the KEYPROV list is phishing spam 
against five particular addresses, all of which implement DKIM. My workload as 
a moderator can be cut by 80% by rejecting any message from those addresses 
that is not DKIM signed.

Mailing lists do not in general subscribe to mailing lists so the normal 
arguments against discarding messages for failing DKIM compliance do not apply. 

 -Original Message-
 From: Fred Baker [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, October 04, 2007 1:44 PM
 To: Hallam-Baker, Phillip
 Cc: John Levine; ietf@ietf.org
 Subject: Re: Spammers answering TMDA Queries
 
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 
 On Oct 4, 2007, at 11:56 AM, Hallam-Baker, Phillip wrote:
 
  The problem is the amount of time it is taking to moderate 
 mail sent 
  by non subscribers.
 
 yes. For example, every email from @cisco.com is dkim-signed. 
 The IETF can automagically dump any such email that is not 
 signed, or for which the signature doesn't check out. I know 
 that [EMAIL PROTECTED] is one of many commonly-spoofed email 
 addresses - I can tell that from the backscatter I find in my 
 junk box.
 
 For how many of us is that true?
 -BEGIN PGP SIGNATURE-
 
 iD8DBQFHBSZXbjEdbHIsm0MRAt9UAJ9xVCpDMdC3spmPkmsTFCqZTNWY6ACffR0R
 lUEQvoA8i0OZXuU4r8TroLs=
 =0xUE
 -END PGP SIGNATURE-
 



Re: Spammers answering TMDA Queries

2007-10-04 Thread Keith Moore
Hallam-Baker, Phillip wrote:
 Absolutely, and in fact I see mailing list management as a natural
early adopter for DKIM filtering.

the problem I have with DKIM filtering is that it is only effective for
domains that can reasonably insist that all of the mail originated by
users at that domain go through that domain's submission servers.   this
is a corner case, not the general case.   sure the spammers will learn
to not use DKIM domains, but they'll just move to other domains, and the
vast majority of domains won't be able to use DKIM without seriously
impairing their users' ability to send mail.  of course, some of the
large ISPs and MSPs like it that way. 

frankly I don't think IETF should have backed a proposal that was so
unfairly biased toward a particular business model.

Keith




Re: Spammers answering TMDA Queries

2007-10-04 Thread Michael Thomas

Keith Moore wrote:

the problem I have with DKIM filtering is that it is only effective for
domains that can reasonably insist that all of the mail originated by
users at that domain go through that domain's submission servers.   this
is a corner case, not the general case.   


Back in the day, we didn't have any of this VeePeeEn tomfoolery. I could
just telnet in and that was that. I'm sure that our IT folks paid dearly
in time, equipment, and support to throw up that wall, yet they did it and
as far as I can tell we all survived the move.  I don't see anything
especially different with mail: if you want accountability, you have to do
real live work -- part of which is placing restrictions on access. TANSTAAFL.


sure the spammers will learn
to not use DKIM domains, but they'll just move to other domains, 

This is a feature, not a bug: I don't have to outrun the bear, I just need
to outrun you.

  Mike



Re: Spammers answering TMDA Queries

2007-10-04 Thread Simon Leinen
Fred Baker writes:
 On Oct 4, 2007, at 11:56 AM, Hallam-Baker, Phillip wrote:

 The problem is the amount of time it is taking to moderate mail  
 sent by non subscribers.

 yes. For example, every email from @cisco.com is dkim-signed. The  
 IETF can automagically dump any such email that is not signed, or for  
 which the signature doesn't check out. I know that [EMAIL PROTECTED] is  
 one of many commonly-spoofed email addresses - I can tell that from  
 the backscatter I find in my junk box.

 For how many of us is that true?

FWIW, about 12% (14 out of 114) of the active non-spam senders to this
list had DKIM-Signature headers in the past two weeks.  I don't know
enough about DKIM to tell whether the same assumption holds for the
non-cisco.com sender domains (mostly gmail.com plus a few smaller
ones): that mail from them can be considered spoofed if the DKIM
headers are absent.

: [EMAIL PROTECTED]; cat `egrep -l -i '^DKIM-Signature:' *`  | egrep -i 
'^From:' | sort | uniq -c | wc -l
14
: [EMAIL PROTECTED]; cat * | egrep -i '^From:' | sort | uniq -c | wc -l
114
-- 
Simon.



Re: Spammers answering TMDA Queries

2007-10-04 Thread Fred Baker

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I will disagree with you there. DKIM allows the concept of a  
corporate signature - I'm Cisco and I know who my employee is or  
I'm Yahoo and I know who my user is - but it doesn't require it.  
What it does require is that if you are not going to use the  
corporate servers you need to provide and support the signature you  
use. The former is, IMHO, an important step in scalability. The  
latter is status quo with PGP and S/MIME.


On Oct 4, 2007, at 3:38 PM, Keith Moore wrote:


Hallam-Baker, Phillip wrote:

Absolutely, and in fact I see mailing list management as a natural

early adopter for DKIM filtering.

the problem I have with DKIM filtering is that it is only effective  
for

domains that can reasonably insist that all of the mail originated by
users at that domain go through that domain's submission servers.
this

is a corner case, not the general case.   sure the spammers will learn
to not use DKIM domains, but they'll just move to other domains,  
and the

vast majority of domains won't be able to use DKIM without seriously
impairing their users' ability to send mail.  of course, some of the
large ISPs and MSPs like it that way.

frankly I don't think IETF should have backed a proposal that was so
unfairly biased toward a particular business model.

Keith


-BEGIN PGP SIGNATURE-

iD8DBQFHBUo8bjEdbHIsm0MRAj/5AJ9cUHumt53uReMxuHrxRvQeJCkvsgCg8UCq
I/+91c9ik2rREvhAwz1vMyk=
=G55s
-END PGP SIGNATURE-



RE: Spammers answering TMDA Queries

2007-10-04 Thread Hallam-Baker, Phillip
I fail to see your point here.

Anyone can deploy DKIM, there is nothing unfair about the DKIM architecture.

The 'unfairness' that you appear to be complaining about is that DKIM solves a 
problem that only targets a relatively small number of Internet domains, 
although the effects of that attack are seen by everyone. 

Impersonation of a trusted brand is always going to assist a social engineering 
attack if this is possible. I do not understand the ideological calculus under 
which we should do nothing to protect consumers against attacks of this nature 
because we can't all have a trusted brand.

 -Original Message-
 From: Keith Moore [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, October 04, 2007 3:39 PM
 To: Hallam-Baker, Phillip
 Cc: Fred Baker; ietf@ietf.org
 Subject: Re: Spammers answering TMDA Queries
 
 Hallam-Baker, Phillip wrote:
  Absolutely, and in fact I see mailing list management as a natural
 early adopter for DKIM filtering.
 
 the problem I have with DKIM filtering is that it is only 
 effective for domains that can reasonably insist that all of 
 the mail originated by
 users at that domain go through that domain's submission 
 servers.   this
 is a corner case, not the general case.   sure the spammers will learn
 to not use DKIM domains, but they'll just move to other 
 domains, and the vast majority of domains won't be able to 
 use DKIM without seriously impairing their users' ability to 
 send mail.  of course, some of the large ISPs and MSPs like 
 it that way. 
 
 frankly I don't think IETF should have backed a proposal that 
 was so unfairly biased toward a particular business model.
 
 Keith
 
 



Re: Spammers answering TMDA Queries

2007-10-04 Thread Fred Baker

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

As I understand it, the spammers were among the first adopters of  
dkim. My point is not that spammers don't sign. Some spammers don't  
sign and can (eventually, not now) be dropped because they don't.  
Other spammers do sign and can be identified and shunned by policy.  
But certainly, spammers spoofing source addresses will be unable to  
sign as the spoofed sending domain, and can have their traffic  
summarily discarded as either being unsigned but purporting to come  
from a domain that signs or as having invalid signatures. Traffic  
with spoofed source addresses from domains that sign needs no  
moderation. The moderation load is the problem we're solving.


On Oct 4, 2007, at 4:08 PM, Simon Leinen wrote:


Fred Baker writes:

On Oct 4, 2007, at 11:56 AM, Hallam-Baker, Phillip wrote:



The problem is the amount of time it is taking to moderate mail
sent by non subscribers.



yes. For example, every email from @cisco.com is dkim-signed. The
IETF can automagically dump any such email that is not signed, or for
which the signature doesn't check out. I know that [EMAIL PROTECTED] is
one of many commonly-spoofed email addresses - I can tell that from
the backscatter I find in my junk box.



For how many of us is that true?


FWIW, about 12% (14 out of 114) of the active non-spam senders to this
list had DKIM-Signature headers in the past two weeks.  I don't know
enough about DKIM to tell whether the same assumption holds for the
non-cisco.com sender domains (mostly gmail.com plus a few smaller
ones): that mail from them can be considered spoofed if the DKIM
headers are absent.

: [EMAIL PROTECTED]; cat `egrep -l -i '^DKIM-Signature:' *`  | egrep -i '^From:' | sort | uniq -c | wc -l
14
: [EMAIL PROTECTED]; cat * | egrep -i '^From:' | sort | uniq -c | wc -l
114
--
Simon.


-BEGIN PGP SIGNATURE-

iD8DBQFHBU1HbjEdbHIsm0MRAgnNAKDH4BEX5g/aAxHFtK0Ibk3/URKfOACgqqhH
IDAsrh1QRfvxMWxkuEUpFIo=
=BiFX
-END PGP SIGNATURE-

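The policy Fred Baker describes (treat mail purporting to come from a domain that signs everything as spoofed when it arrives unsigned, and discard it when the signature does not check out) and the count Simon Leinen ran with his shell pipeline, combined into one added example. This is not code from the thread, from the IETF secretariat, or from TMDA or Mailman. The "signs everything" set, the sample messages and the list footer appended to one of them are constructed; the verifier only recomputes the DKIM body hash (bh=), which needs no network, and leaves the b= signature check against the key in DNS to a real DKIM verifier.

```python
import base64
import email
import hashlib
from email import policy
from email.utils import parseaddr
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed: domains this receiver believes sign every outbound message
# (the role cisco.com plays in Fred Baker's message). As Dave Crocker notes,
# in 2007 such a list was ad hoc and maintained by the receiver.
SIGNS_EVERYTHING = {"example.com"}


def parse_tags(sig_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature tag=value list; folding whitespace in values is dropped."""
    tags: Dict[str, str] = {}
    for item in sig_value.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags


def from_address(raw: bytes) -> str:
    """Bare, lower-cased address from the From: header ('' if absent)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return parseaddr(str(msg.get("From", "")))[1].lower()


def aligned_signatures(raw: bytes) -> List[Dict[str, str]]:
    """DKIM-Signature headers whose d= is the From: domain or a parent of it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    dom = from_address(raw).rpartition("@")[2]
    out = []
    for hdr in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(str(hdr))
        d = tags.get("d", "").lower()
        if d and dom and (dom == d or dom.endswith("." + d)):
            out.append(tags)
    return out


def simple_body_hash(raw: bytes, algo: str = "sha256") -> str:
    """bh= under DKIM 'simple' body canonicalisation: drop empty trailing
    lines, ensure one final CRLF, hash, base64. Assumes CRLF line endings."""
    _, _, body = raw.partition(b"\r\n\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return base64.b64encode(hashlib.new(algo, body).digest()).decode()


def body_hash_ok(raw: bytes, tags: Dict[str, str]) -> bool:
    """The half of verification that needs no network: recompute bh=. Checking
    b= against the key at <s>._domainkey.<d> is left to a real verifier.
    Options this example does not implement (relaxed body, l=) count as failure."""
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if body_canon != "simple" or "l" in tags:
        return False
    algo = "sha1" if tags.get("a", "").endswith("sha1") else "sha256"
    return tags.get("bh") == simple_body_hash(raw, algo)


def moderation_decision(raw: bytes,
                        verify: Callable[[bytes, Dict[str, str]], bool] = body_hash_ok) -> str:
    """Fred Baker's rule for domains asserted to sign everything; anything
    else falls through to the list's normal moderation / challenge path."""
    dom = from_address(raw).rpartition("@")[2]
    if dom not in SIGNS_EVERYTHING:
        return "moderate"
    sigs = aligned_signatures(raw)
    if not sigs:
        return "reject-unsigned"        # claims a signing domain, carries no aligned signature
    return "accept" if any(verify(raw, t) for t in sigs) else "reject-bad-signature"


def dkim_sender_stats(messages: Iterable[bytes]) -> Tuple[int, int]:
    """(distinct From: addresses with a DKIM-Signature, distinct From: addresses):
    the two numbers Simon Leinen's pipeline printed, 14 and 114 for his sample."""
    signed, total = set(), set()
    for raw in messages:
        addr = from_address(raw)
        if not addr:
            continue
        total.add(addr)
        if email.message_from_bytes(raw, policy=policy.default).get_all("DKIM-Signature"):
            signed.add(addr)
    return len(signed), len(total)


def signed_sample(sender: str, d: str, body: bytes) -> bytes:
    """Constructed test message with a correct bh= and a placeholder b= (no key involved)."""
    bh = simple_body_hash(b"\r\n\r\n" + body)
    return (f"From: {sender}\r\n"
            f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d={d}; s=sel;\r\n"
            f" h=from:subject; bh={bh}; b=PLACEHOLDER\r\nSubject: test\r\n\r\n").encode() + body


SAMPLES = [  # all constructed
    signed_sample("Alice <alice@example.com>", "example.com", b"hello\r\n"),
    signed_sample("alice@example.com", "example.com", b"hello\r\n") + b"-- list footer --\r\n",
    b"From: alice@example.com\r\nSubject: no signature\r\n\r\nhello\r\n",
    signed_sample("eve@example.com", "other.example", b"hello\r\n"),  # signed, but not by example.com
    b"From: bob@example.org\r\nSubject: plain\r\n\r\nhello\r\n",     # not a signs-everything domain
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(from_address(raw), "->", moderation_decision(raw))
    print("signed/total senders:", dkim_sender_stats(SAMPLES))
```

The second sample is the first one with a footer appended after signing, which is what a list expander does to signed mail; it fails the body hash, so a receiver applying this rule to mail that has already passed through another list would discard legitimate traffic. That is the edge case behind Phillip Hallam-Baker's remark that mailing lists do not in general subscribe to mailing lists.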


Re: Spammers answering TMDA Queries

2007-10-04 Thread Fred Baker

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


On Oct 4, 2007, at 3:38 PM, Keith Moore wrote:

the problem I have with DKIM filtering is that it is only effective  
for domains that can reasonably insist that all of the mail  
originated by users at that domain go through that domain's  
submission servers.   this is a corner case, not the general  
case.   sure the spammers will learn to not use DKIM domains, but  
they'll just move to other domains, and the vast majority of  
domains won't be able to use DKIM without seriously impairing their  
users' ability to send mail.  of course, some of the large ISPs and  
MSPs like it that way.


well, at some point it seems to me that we can take the next step,  
which is to require all email to IETF lists to be signed. Offer to  
accept DKIM, Microsoft's (as in gmail), PGP, and S/MIME, but  
require the signature and require it to verify.


We're probably not yet at that point, but for companies that follow  
the kind of policy in question, we can take a step.

-BEGIN PGP SIGNATURE-

iD8DBQFHBUsNbjEdbHIsm0MRAnojAKD5IKz4vVvaZ5Qm7JImgxfHzNPmMACeJt5K
/45ux7qbMKmV2CdbBK7acSg=
=N1+N
-END PGP SIGNATURE-



Re: Spammers answering TMDA Queries

2007-10-04 Thread Keith Moore

 the problem I have with DKIM filtering is that it is only effective
 for domains that can reasonably insist that all of the mail
 originated by  users at that domain go through that domain's
 submission servers.   this is a corner case, not the general case.   

 Back in the day, we didn't have any of this VeePeeEn tomfoolery. I
 could just telnet in and that was that. I'm sure that our IT folks
 paid dearly in time, equipment, and support to throw up that wall, yet
 they did it and as far as I can tell we all survived the move.  I
 don't see anything especially different with mail: if you want
 accountability, you have to do real live work -- part of which is
 placing restrictions on access. TANSTAAFL.
what you are failing to see is just how much reliance on VPNs (and
source IPs) to do authentication cripples the network.  sure it's better
than nothing, but it's also very inflexible and an architectural dead end.

(and the problem with TANSTAAFL is that you can use it to justify any
kind of brain damage you want, as long as there's some minor associated
benefit)
 sure the spammers will learn to not use DKIM domains, but they'll
 just move to other domains, 
 This is a feature, not a bug: I don't have to outrun the bear, I just
 need to outrun you.
I'll remind you that as a condition to working in IETF we are all
pledged to use our judgment as to what's best for the Internet as a
whole...not just for those who can run faster than others.

Keith




Re: Spammers answering TMDA Queries

2007-10-04 Thread Keith Moore
Hallam-Baker, Phillip wrote:
 I fail to see your point here.

 Anyone can deploy DKIM, there is nothing unfair about the DKIM architecture.
it artificially changes the relative value of domain names.  it makes
them more like brand names, where you have to work to build a domain's
reputation in order to get people to trust it.  it means that domains
which are associated with large user communities with a good reputation
will be more trusted than domains with small user communities, even when
those domains are equally diligent.  in that way DKIM favors the
interests of large concerns over small ones.  so it's not surprising
that several large concerns backed it.  but that doesn't mean it's a
good thing for the Internet as a whole.
 The 'unfairness' that you appear to be complaining about is that DKIM solves 
 a problem that only targets a relatively small number of Internet domains, 
 although the effects of that attack are seen by everyone. 
   
indeed, DKIM might help address the phishing problem, if that's what
you're talking about.  and large concerns are disproportionally affected
by phishing.  but ultimately I think there's only a small chance of DKIM
helping the phishing problem much, because of user interface issues and
because there are lots of ways to fool people into thinking that they're
responding to a FemtoSquishy email without having femtosquishy.com in
the From address or signature. 
 Impersonation of a trusted brand is always going to assist a social 
 engineering attack if this is possible. I do not understand the ideological 
 calculus under which we should do nothing to protect consumers against 
 attacks of this nature because we can't all have a trusted brand.
   
using DKIM to discourage phishing is a different use case than using it
to authenticate to IETF lists.  just because it might work well for the
former (if indeed it does) does not mean it can be relied on to work
well for the latter.

Keith




Re: Spammers answering TMDA Queries

2007-10-04 Thread Dave Crocker

Folks,

Fred Baker wrote:
I will disagree with you there. DKIM allows the concept of a corporate 
signature - I'm Cisco and I know who my employee is or I'm Yahoo and 
I know who my user is - but it doesn't require it. What it does require 


This is a key point.  A DKIM signature is an affirmative statement of 
responsibility by the Domain owner, *for that message*.  So when a signature 
is present, you have an accountable entity.


Whether you actually have any trust in that entity is a separate (and more 
interesting) question.  Assessment mechanisms for an authenticated domain 
name do not have any standards yet.


For that matter, a standard that signals that a site signs all mail containing 
their domain in a particular field is also a matter still awaiting 
standardization.  At the moment, the "I sign everything" construct is ad hoc. 
A domain can know it about itself, of course, so that cisco can detect 
inbound mail that forges cisco's domain.  For now, other recipient sites 
require ad hoc lists.


What DKIM has not yet been established for, is filtering out bad mail. 
Although the "I sign everything" construct is expected to help this, there is 
no meaningful track record that it really works.


More generally, this thread has been dominated by views that there are single, 
simple, well-understood solutions for the problem(s) being cited.  Among the 
anti-abuse community, the consensus is that effective mechanisms are not 
singular, not simple, and not yet well-understood.


On the average, the public community -- and I'm afraid that the IETF mailing 
list appears to fall into the broad, non-technical category -- entirely 
underestimates the sophistication of modern email abuse mechanisms.


John Levine and others have been making this point on the thread, but it does 
not seem to be registering.


Having mail receivers at ietf.org take note of email authentication is a Good 
Thing.  Assuming that this is going to solve any particular email problem is 
not.



d/

--

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net



Re: Spammers answering TMDA Queries

2007-10-04 Thread Michael Thomas

Keith Moore wrote:

the problem I have with DKIM filtering is that it is only effective
for domains that can reasonably insist that all of the mail
originated by  users at that domain go through that domain's
submission servers.   this is a corner case, not the general case.   
  

Back in the day, we didn't have any of this VeePeeEn tomfoolery. I
could just telnet in and that was that. I'm sure that our IT folks
paid dearly in time, equipment, and support to throw up that wall, yet
they did it and as far as I can tell we all survived the move.  I
don't see anything especially different with mail: if you want
accountability, you have to do real live work -- part of which is
placing restrictions on access. TANSTAAFL.


what you are failing to see is just how much reliance on VPNs (and
source IPs) to do authentication cripples the network.  sure it's better
than nothing, but it's also very inflexible and an architectural dead end.
  


C'est la guerre. In fact, I'm well aware of all of those things, and I'll
even allow that our IT folks were probably aware of all of those things too
-- they undoubtedly took a lot of flak from the Eldar who probably said the
same thing. I'm also pretty sure that they would dismiss anybody who told
them to tear out their VPN gear because it cripples the network and is an
architectural dead. Same goes for email.



sure the spammers will learn to not use DKIM domains, but they'll
just move to other domains, 
  

This is a feature, not a bug: I don't have to outrun the bear, I just
need to outrun you.


I'll remind you that as a condition to working in IETF we are all
pledged to use our judgment as to what's best for the Internet as a
whole...not just for those who can run faster than others.
  
I guess I must have been in the bar when they had that pledge of
allegiance. But even allowing that there is any such pledge, to the degree
that we enable domains to control who uses their name and be accountable
when they behave badly is certainly a net good thing IMO. Your original
makes it sound like there's some inherent right to be heard. There isn't.
If you don't want to be accountable, then maybe I just don't want to
bother sorting your wheat from chaff.

  Mike

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf


Re: Spammers answering TMDA Queries

2007-10-04 Thread Keith Moore

 I guess I must have been in the bar when they had that pledge of
 allegiance. But even allowing that there is any such pledge, to the
 degree that we enable domains to control who uses their name and be
 accountable when they behave badly is certainly a net good thing IMO.
domains don't behave well or badly.  they're just names.   and I don't
think it's in the internet's interest to require people to associate
themselves with what is essentially a brand name in order to be heard. 
using DKIM for spam filtering pretty much does that.


___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf


Re: Spammers answering TMDA Queries

2007-10-03 Thread Harald Tveit Alvestrand



--On 2 October 2007 18:49 -0400 Russ Housley [EMAIL PROTECTED] wrote:


The Secretariat tells me that Spammers are responding to TDMA queries so
that their mail goes through.  They have made the suggestion that we
clear the list of people once per year.  This would mean that a
legitimate user of a list that uses TDMA would get a TDMA query once a
year if they are not subscribed to any ietf.org mail list.  There is no
TDMA query for people who are on at least one ietf.org mail list.

Here is the info that I have:


  Russ wants to know how many people have responded to the TMDA
  challenge but are not on any IETF mailing list.

1025 mail addresses have confirmed their address.  I would bet that
at least 20% of the confirmed are spam addresses (or autoconfirmed
addresses)


Thoughts?


get a documented case (copy of the confirmation email + copy of the spam 
that got through) before jumping to conclusions.


I don't think clearing the list is reasonable without relatively solid 
evidence that there are 200 spammers' addresses in that list.


Interestingly, a confirmation email, with trace headers, is evidence of the 
location of a spammer that is far more solid than most kinds of evidence 
one can gather from just the spam; after all, the spammer was available at 
his MX to get and reply to the confirmation email.


If the spammers were indeed auto-replying, I'd set up a honeypot running 
TMDA so that I could collect their whereabouts.


   Harald


___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
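Harald's point above, that a confirmation reply carries trace headers locating the replying host, as an added example that is not part of the thread: a parser that walks the Received chain of a constructed confirmation reply oldest-first and reports the host that handed it to the list's own MTA. All hostnames, addresses and the trusted-MTA set are constructed placeholders.

```python
"""Added example (not from the thread): extract the trace chain from a
TMDA-style confirmation reply so an operator can see which host actually
handed the reply in. All headers below are constructed sample data."""
import re
from email import message_from_string

# Constructed sample: a confirmation reply as it might arrive at the
# list server. Hostnames and addresses are placeholders.
SAMPLE_REPLY = """\
Received: from mx.example-list.invalid (mx.example-list.invalid [192.0.2.10])
\tby lists.example-list.invalid with ESMTP id ABC123
\tfor <confirm-1234@example-list.invalid>; Wed, 03 Oct 2007 10:15:02 +0200
Received: from relay.sender.invalid (relay.sender.invalid [203.0.113.5])
\tby mx.example-list.invalid with ESMTP id DEF456;
\tWed, 03 Oct 2007 10:15:01 +0200
Received: from desktop.sender.invalid (unknown [198.51.100.77])
\tby relay.sender.invalid with SMTP id GHI789;
\tWed, 03 Oct 2007 10:14:59 +0200
From: someone@sender.invalid
To: confirm-1234@example-list.invalid
Subject: Re: Confirm your message

Confirmed.
"""

# Matches the common "from HELO (rdns [ip]) by HOST" clause of a Received header.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)")

def trace_hops(raw_message, trusted_hosts):
    """Return hops oldest-first; a hop is 'trusted' when the MTA that wrote
    the header ('by') is one we operate. Headers written by outside hosts
    may be forged, so only hops written by our own MTAs are evidence."""
    msg = message_from_string(raw_message)
    hops = []
    for hdr in reversed(msg.get_all("Received") or []):  # bottom = earliest
        m = HOP_RE.search(" ".join(hdr.split()))         # unfold whitespace
        if not m:
            continue
        hop = m.groupdict()
        hop["trusted"] = hop["by"] in trusted_hosts
        hops.append(hop)
    return hops

def handing_in_host(raw_message, trusted_hosts):
    """IP of the host that delivered the reply to our first trusted MTA:
    the most reliable 'whereabouts' the confirmation reply provides."""
    for hop in trace_hops(raw_message, trusted_hosts):
        if hop["trusted"]:
            return hop["ip"]
    return None
```

The earlier hops (here the one written by relay.sender.invalid) are kept for context but flagged untrusted, since anything below the first header your own MTA wrote was supplied by the sender's side.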


Re: Spammers answering TMDA Queries

2007-10-03 Thread Michael Thomas

Brian E Carpenter wrote:

Speaking personally, I think annual reconfirmation is quite reasonable.
The message sent to the user should make it clear that it is an
annual process.


Except... the annual confirmation is probably going to get accidentally
deleted by a lot of people because they think it's the monthly notice.

If this is a real problem, wouldn't it be better to take it up with the
mailman folks since I'd expect that it's not just ietf? I've been working
with them on dkim related stuff and they are quite reasonable folks. Maybe
they have some ideas on this front.

  Mike

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf


Re: Spammers answering TMDA Queries

2007-10-03 Thread Hallam-Baker, Phillip
I don't see a problem if we eat our own dog food.

The use of tdma type tech for mailing list subscriptions has been considered 
best practice for over a decade. Personal use is nasty, brutish and hopefully 
short.

Allowing unsubscribed persons to post after a tdma authentication is a 
courtesy, there is no obligation to extend it in the first place.

Pooling the tdma responses across multiple ietf mailing lists is a further 
courtesy.


There is more we can do here but no more that we should feel obliged to do - 
except for the fact that we are a standards organization and should eat the dog 
food.

In particular, sign the messages with dkim and deploy spf.



Sent from my GoodLink Wireless Handheld (www.good.com)

 -Original Message-
From:   Michael Thomas [mailto:[EMAIL PROTECTED]
Sent:   Wednesday, October 03, 2007 08:23 AM Pacific Standard Time
To: Brian E Carpenter
Cc: ietf@ietf.org
Subject:Re: Spammers answering TMDA Queries

Brian E Carpenter wrote:
 Speaking personally, I think annual reconfirmation is quite reasonable.
 The message sent to the user should make it clear that it is an
 annual process.

Except... the annual confirmation is probably going to get accidentally
deleted by a lot of people because they think it's the monthly notice.

If this is a real problem, wouldn't it be better to take it up with the
mailman folks since I'd expect that it's not just ietf? I've been working
with them on dkim related stuff and they are quite reasonable folks. Maybe
they have some ideas on this front.

   Mike

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf


Re: Spammers answering TMDA Queries

2007-10-03 Thread Clint Chaplin
I believe the term is tmda, not tdma.

TDMA is a type of cell phone technology.

On 10/3/07, Hallam-Baker, Phillip [EMAIL PROTECTED] wrote:



 I don't see a problem if we eat our own dog food.

  The use of tdma type tech for mailing list subscriptions has been
 considered best practice for over a decade. Personal use is nasty, brutish
 and hopefully short.

  Allowing unsubscribed persons to post after a tdma authentication is a
 courtesy, there is no obligation to extend it in the first place.

  Pooling the tdma responses across multiple ietf mailing lists is a further
 courtesy.


  There is more we can do here but no more that we should feel obliged to do
 - except for the fact that we are a standards organization and should eat the
 dog food.

  In particular, sign the messages with dkim and deploy spf.



  Sent from my GoodLink Wireless Handheld (www.good.com)

   -Original Message-
  From:   Michael Thomas [mailto:[EMAIL PROTECTED]
  Sent:   Wednesday, October 03, 2007 08:23 AM Pacific Standard Time
  To: Brian E Carpenter
  Cc: ietf@ietf.org
  Subject:Re: Spammers answering TMDA Queries

  Brian E Carpenter wrote:
   Speaking personally, I think annual reconfirmation is quite reasonable.
   The message sent to the user should make it clear that it is an
   annual process.

  Except... the annual confirmation is probably going to get accidentally
  deleted by a lot of people because they think it's the monthly notice.

  If this is a real problem, wouldn't it be better to take it up with the
  mailman folks since I'd expect that it's not just ietf? I've been working
  with them on dkim related stuff and they are quite reasonable folks. Maybe
  they have some ideas on this front.

 Mike





-- 
Clint (JOATMON) Chaplin
Principal Engineer
Corporate Standardization (US)
SISA

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf


Re: Spammers answering TMDA Queries

2007-10-03 Thread Douglas Otis


On Oct 3, 2007, at 2:59 PM, Hallam-Baker, Phillip wrote:

There is more we can do here but no more that we should feel  
obliged to do - except for the fact that we are a standards  
organization and should eat the dog food.


In particular, sign the messages with dkim and deploy spf.


Few problems should be caused by DKIM, although it might be difficult  
to claim DKIM solves a particular problem affecting IETF mailing lists.


The same is not true for SPF.  SPF is experimental, can be  
problematic, and is very likely unsafe for use with DNS.  SPF carries  
suitable warnings indicating it may cause problems.  SPF may  
interfere with the delivery of forwarded messages.  SPF might be used  
in conjunction with Sender-ID.  Suggested solutions for dealing with  
Sender-ID requires yet another version of SPF be published.  Use of  
which might fall under:
http://www.microsoft.com/downloads/results.aspx?pocId=freetext=SenderID_License-Agreement.pdfDisplayLang=en


Possible application of Sender-ID will cause IETF lists to break once  
SPF is published.  The purported use of SPF for curtailing forged  
DSNs requires policy settings which then create new problems.  When  
desired, names rather than address lists should be used to register  
an email path.  A name path approach avoids the dangerous DNS  
transactional issues.  Rather than relying upon unscalable SPF  
address lists, instead an extension might be applied to DKIM.  The  
DKIM extension could offer a means to prevent DSNs from being dropped  
when Mail From domains differ.


http://www1.tools.ietf.org/wg/dkim/draft-otis-dkim-tpa-ssp-01.txt

-Doug


___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf


Re: Spammers answering TMDA Queries

2007-10-02 Thread Paul Hoffman

At 6:49 PM -0400 10/2/07, Russ Housley wrote:

1025 mail addresses have confirmed their address.  I would bet that
at least 20% of the confirmed are spam addresses (or autoconfirmed
addresses)


Thoughts?


How was that 20% number guessed at? If 200 spammers (or even 20!) 
were on the TDMA list, we should be seeing tons of spam on the lists; 
so far, we are not.


--Paul Hoffman, Director
--VPN Consortium

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf


Re: Spammers answering TMDA Queries

2007-10-02 Thread Scott Kitterman
On Tuesday 02 October 2007 18:49, Russ Housley wrote:
 The Secretariat tells me that Spammers are responding to TDMA queries
 so that their mail goes through.  They have made the suggestion that
 we clear the list of people once per year.  This would mean that a
 legitimate user of a list that uses TDMA would get a TDMA query once
 a year if they are not subscribed to any ietf.org mail list.  There
 is no TDMA query for people who are on at least one ietf.org mail list.

 Here is the info that I have:
Russ wants to know how many people have responded to the TMDA
challenge but are not on any IETF mailing list.
 
 1025 mail addresses have confirmed their address.  I would bet that
 at least 20% of the confirmed are spam addresses (or autoconfirmed
 addresses)

 Thoughts?

Randomly unsubscribing non-abusing mailing list subscribers is unlikely to be 
an effective spam fighting tool.  If people spam an IETF list, unsubscribe 
them.  If not, don't.

It's not clear to me what problem you are trying to solve.

Scott K

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf


RE: Spammers answering TMDA Queries

2007-10-02 Thread Hallam-Baker, Phillip
Sounds reasonable to me.

Tdma for personal email protection is rude and unacceptable. For mailing lists 
it is entirely acceptable. Cost far outweighs benefit as the inconvenience to 
the single sender is much less than the benefit to the community.

Should also consider if spf or dkim checks could cull the paypal spam.

Sent from my GoodLink Wireless Handheld (www.good.com)

 -Original Message-
From:   Russ Housley [mailto:[EMAIL PROTECTED]
Sent:   Tuesday, October 02, 2007 04:12 PM Pacific Standard Time
To: ietf@ietf.org
Subject:Spammers answering TMDA Queries

The Secretariat tells me that Spammers are responding to TDMA queries 
so that their mail goes through.  They have made the suggestion that 
we clear the list of people once per year.  This would mean that a 
legitimate user of a list that uses TDMA would get a TDMA query once 
a year if they are not subscribed to any ietf.org mail list.  There 
is no TDMA query for people who are on at least one ietf.org mail list.

Here is the info that I have:

   Russ wants to know how many people have responded to the TMDA
   challenge but are not on any IETF mailing list.

1025 mail addresses have confirmed their address.  I would bet that
at least 20% of the confirmed are spam addresses (or autoconfirmed
addresses)

Thoughts?

Russ 


___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf


Re: Spammers answering TMDA Queries

2007-10-02 Thread Michael Thomas

Paul Hoffman wrote:

At 6:49 PM -0400 10/2/07, Russ Housley wrote:

1025 mail addresses have confirmed their address.  I would bet that
at least 20% of the confirmed are spam addresses (or autoconfirmed
addresses)


Thoughts?


How was that 20% number guessed at? If 200 spammers (or even 20!) 
were on the TDMA list, we should be seeing tons of spam on the lists; 
so far, we are not.

Maybe they're just harvesting addresses?

  Mike

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf


Re: Spammers answering TMDA Queries

2007-10-02 Thread Brian E Carpenter

On 2007-10-03 11:49, Russ Housley wrote:
The Secretariat tells me that Spammers are responding to TDMA queries so 
that their mail goes through.  They have made the suggestion that we 
clear the list of people once per year.  This would mean that a 
legitimate user of a list that uses TDMA would get a TDMA query once a 
year if they are not subscribed to any ietf.org mail list.  There is no 
TDMA query for people who are on at least one ietf.org mail list.


Here is the info that I have:


  Russ wants to know how many people have responded to the TMDA
  challenge but are not on any IETF mailing list.

1025 mail addresses have confirmed their address.  I would bet that
at least 20% of the confirmed are spam addresses (or autoconfirmed
addresses)


A little history... I manually scanned the TMDA white list about
a year ago, or rather I scanned the ~700 addresses that had then
confirmed themselves. I didn't keep the relevant files on grounds
of privacy protection, but I recall that around 30 of the addresses
were self-evidently spammers that we removed manually; there were quite
a lot that were self-evidently genuine. However, there were a large
number which just couldn't be classified by inspection. I can easily
believe the 20% estimate.

Speaking personally, I think annual reconfirmation is quite reasonable.
The message sent to the user should make it clear that it is an
annual process.

Brian

___
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf