Re: [ietf-dkim] Escaping things in key/ADSP records
On Jul 31, 2009, at 2:02 PM, Steve Atkins wrote:

> (This may be a duplicate, I have too many email addresses)
>
> On Jul 31, 2009, at 12:08 PM, Scott Kitterman wrote:
>
>> On Fri, 31 Jul 2009 10:19:43 -0400 Tony Hansen wrote:
>>> I'm wondering if there is a need for a web interface at dkim.org that
>>> would validate someone's _domainkey TXT record.
>>>
>> I'd say yes. It would provide a good way to isolate record specific issues
>> from other potential problems people are having error sources when
>> troubleshooting.
>
> I have some perl code that does some validation for internal use; it'd
> be fairly easy to turn it into a webapp.

http://dkimcore.org/tools/dkimrecordcheck.html

Given a selector and a domain it'll slurp the record from DNS. Then it parses it, using the BNF from the spec (why, oh, why do we support FWS in a DNS record?) and then sanity checks the various fields and gives a good / bad message.

If anyone has good (or known bad) records that it gets wrong I'm interested to hear about it.

Cheers,
  Steve

___
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
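The checker Steve describes does three things: fetch the record, parse it against the tag-list grammar (FWS included), then sanity-check the fields. The Python sketch below is an added example that does the last two steps; it is not Steve's perl code or the dkimcore.org tool. It assumes the TXT record at <selector>._domainkey.<domain> has already been fetched, so it never touches DNS, and every record it checks is a constructed sample (the p= value is a fake DER header with padding, not a real key). The whitespace handling is the point of the example: FWS is legal between tags, around the "=", and inside the base64 of p=, which is exactly what trips up naive split-on-semicolon validators.

```python
# Added example (Python), not Steve's perl tool: an offline sanity checker for a
# DKIM key record. Assumes the TXT record at <selector>._domainkey.<domain> has
# already been fetched; nothing here touches DNS.
import base64
import binascii
import re

TAG_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*")  # tag-name = ALPHA *ALNUMPUNC
KNOWN_KEY_TYPES = {"rsa", "ed25519"}                # RFC 6376 and RFC 8463
KNOWN_HASHES = {"sha1", "sha256"}


def parse_tag_list(record):
    """Split 'name=value; ...' into an ordered dict, tolerating FWS anywhere."""
    tags = {}
    items = record.split(";")
    for index, item in enumerate(items):
        if item.strip() == "":
            if index == len(items) - 1:
                continue                      # a trailing ';' is allowed
            raise ValueError("empty tag-spec (stray ';')")
        if "=" not in item:
            raise ValueError("tag-spec without '=': %r" % item.strip())
        name, value = item.split("=", 1)
        name, value = name.strip(), value.strip()
        if not TAG_NAME_RE.fullmatch(name):
            raise ValueError("bad tag name %r" % name)
        if name in tags:
            raise ValueError("duplicate tag %r" % name)
        tags[name] = value
    if not tags:
        raise ValueError("record contains no tags")
    return tags


def check_key_record(record):
    """Return {'ok', 'problems', 'warnings', 'tags'} for one key record."""
    problems, warnings = [], []
    try:
        tags = parse_tag_list(record)
    except ValueError as exc:
        return {"ok": False, "problems": [str(exc)], "warnings": [], "tags": {}}
    # v= is optional, but when present it must be DKIM1 and the first tag.
    if "v" in tags:
        if tags["v"] != "DKIM1":
            problems.append("v= must be DKIM1, got %r" % tags["v"])
        if next(iter(tags)) != "v":
            problems.append("v= must be the first tag in the record")
    key_type = tags.get("k", "rsa")           # k= defaults to rsa
    if key_type not in KNOWN_KEY_TYPES:
        problems.append("unknown key type k=%r" % key_type)
    for algo in (tags["h"].split(":") if "h" in tags else []):  # h= hash list
        if algo.strip() not in KNOWN_HASHES:
            problems.append("unknown hash algorithm h=%r" % algo.strip())
    for flag in tags.get("t", "").split(":"):  # unknown flags are ignored by spec
        if flag.strip() not in ("", "y", "s"):
            warnings.append("unrecognised t= flag %r ignored" % flag.strip())
    if "p" not in tags:
        problems.append("required p= tag is missing")
    else:
        # FWS may appear inside the base64 of p=, so drop all whitespace first.
        b64 = re.sub(r"\s+", "", tags["p"])
        if b64 == "":
            warnings.append("p= is empty: the key has been revoked")
        else:
            try:
                der = base64.b64decode(b64, validate=True)
            except binascii.Error as exc:
                problems.append("p= is not valid base64: %s" % exc)
            else:
                if key_type == "rsa" and der[:1] != b"\x30":
                    problems.append("p= does not start with a DER SEQUENCE")
    return {"ok": not problems, "problems": problems, "warnings": warnings, "tags": tags}


# Constructed stand-in for a DER SubjectPublicKeyInfo (a SEQUENCE header plus
# padding); a real RSA p= value is several hundred base64 characters long.
FAKE_KEY_B64 = base64.b64encode(b"\x30\x0d" + b"\x00" * 30).decode("ascii")

# Constructed records, not fetched from any live zone.
SAMPLE_RECORDS = {
    "good": "v=DKIM1; k=rsa; t=s; p=" + FAKE_KEY_B64,
    "fws": "v=DKIM1;\r\n\t k=rsa;\r\n\t p=" + FAKE_KEY_B64[:12] + "\r\n\t " + FAKE_KEY_B64[12:],
    "revoked": "v=DKIM1; p=",
    "no_p": "v=DKIM1; k=rsa",
    "bad_version": "v=DKIM2; p=" + FAKE_KEY_B64,
    "v_not_first": "k=rsa; v=DKIM1; p=" + FAKE_KEY_B64,
    "bad_base64": "v=DKIM1; p=not*base64!",
    "duplicate": "v=DKIM1; p=" + FAKE_KEY_B64 + "; p=" + FAKE_KEY_B64,
}

if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        result = check_key_record(record)
        print(label, "GOOD" if result["ok"] else "BAD", result["problems"], result["warnings"])
```

An empty p= is reported as a warning rather than a failure because the spec defines it as "key revoked": the record is well-formed, it just verifies nothing. A real front end would also need to join the DNS character-strings of the TXT record before handing it to check_key_record, since long keys are routinely split across several 255-byte strings.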
Re: [ietf-dkim] DKIM adoption
On 8/1/2009 00:17, Franck Martin wrote:

> I was curious by Scott's comment re SPF.
>
> Is there a class of spam that cannot get a DKIM signature?
>
> I would think botnets would be that class, as they usually infect
> computers and not sure they could DKIM sign as it would require them
> to set a DNS entry too. Knowing that botnets are 70% of spam, if DKIM
> could solve this one it would be great.

You will not eliminate botnet spam by requiring a valid DKIM signature on every message accepted by your mail servers. DKIM signatures are associated with domains, not sending IP addresses or the DNS hostnames associated with those IP addresses. Spammers register countless domains every day; they could easily generate and publish DKIM keys for those domains. The spamware used on zombies could be modified to use sender addresses in those domains and generate DKIM signatures for outbound messages. There is no technical reason why it could not be done.

On the other hand, in the absence of wide-spread adoption of DKIM by legitimate senders, there is little, if any, incentive for spammers to move in this direction, because it eliminates their ability to use bogus/forged sender addresses in domains they do not control.

There are techniques which can be used to block most spam from botnets, without the overhead of validating DKIM signatures. Most, if not all, of these techniques have non-zero FP rates, but some sites have decided that the benefits of these techniques outweigh the costs.

> so my question to add to your question "Does the presence of a signature
> provide any objective data about the goodness or badness of the signer?" is:
> is there a class of spam that cannot get a DKIM signature?

Probably not. But DKIM is not designed to provide a message recipient with the ability to determine whether a message is spam; it is designed to provide a message recipient with the ability to determine whether a message was sent by the apparent sender.

--
Paul Russell, Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame
Re: [ietf-dkim] DKIM adoption
> You half-joke, but one of the arguments we presented to the FTC back in 2003
> or so regarding spam was that we had an opportunity to regulate issuance of
> domain names. If not regulate, then at least insist on an identifiable legal
> entity being required to register a domain.

Without going into the rococo nightmare that is ICANN politics, forget it. Beyond the fact that ICANN has no interest in making it harder to register domains (other than perhaps via incremental price increases), they only set the rules for generic TLDs, three letters and longer, not two-letter country code TLDs. The Joint Project Agreement with the US government isn't going away any time soon, and the US government has always been in favor of more accountability, e.g., the .US domain forbids proxy registrations, but it's a political problem due to privacy laws in the EU and Canada protecting domains that at least claim to be registered by individuals.

R's,
John
Re: [ietf-dkim] DKIM adoption
> But is ICANN supposed to clean all these random valid domains?

Ahem. Domain is not a synonym for top-level or second-level domain. These are all domains:

  foo.badguy.com
  bar.badguy.com
  baz.badguy.com
  goo.badguy.com

Don't even think of suggesting that domains are the "same" if the last N components are the same, until you have read and understood the endless discussions here and elsewhere of why that doesn't work.

R's,
John

>> Yes the reputation of the domain overrides things, but what happens when it is
>> the first time a domain is seen? Does DKIM help or not?
>
> If it did, how many milliseconds do you think it would take spammers to
> start signing with random valid domains? Using wildcards for the key
> records, it's a trivial little programming exercise.