Re: [ietf-dkim] DKIM adoption
Dave CROCKER schrieb: J.D. Falk wrote: Murray S. Kucherawy wrote: n fact, there is an experimental DKIM reputation service out there now that does something of this nature. The implementation I wrote has optional support for it. I don't yet have any information about who's using it or what the results of such are. And, there are others in progress. Within the obvious limits of protecting proprietary concerns, it would be quite helpful to be able to have the dkim.org site list existing and planned DKIM-based reputation services. Such services move DKIM from promising to useful. Hi, let me summarize some insights we collected running www.dkim-reputation.org since March 08: 1) I was in contact with Murray in Dec 08 the last time discussing uniform requests/responses to reputation systems. Today I think it would be helpful to publish - at least - something like a recommendation on (a) suitable publishing systems (DNS is appropriate in my view) (b) request parameters and (c) response formats. (a) IN: identifier, DKIM-based (b) OUT: scalar, good/bad in a recommended, min/max limited range with (simple) textual explanations of sub-ranges (not too detailed, cannot be differentiated by implementors anyway). Within dkim-reputation.org I am using for (a) as DNS RR subdomain: (i) if i= is available including local-part: base64(md5(local-part_i)).base64(md5(domain-part_i)).base64(md5(signdom_d)) (ii) if i= is not available including local-part as a fallback (spoofable inside a trusted signing domain): base64(md5(local-part_from)).base64(md5(domain-part_from)).base64(md5(signdom_d)) This format is quite useful: - if used in combination with DNS, wildcards can be used in the zone to combine either domain parts and/or users below the reputation of the signing domain - copied parts of the list (DNS caches, DNS mirrors or plain ASCII feeds) can't reveal existing addresses (confirmations of addresses remain possible) - if long usernames or domains are used this doesn't bother the system (btw: a very long domain name our crawlers at dkim-reputation.org found was registeringdomainnamesismorefunthandoingrealwork.com ;) ) Within dkim-reputation.org I am using for (b) the value of a TXT record that contains (i) a timestamp of the last record update (e.g. the last spam hit) (ii) the reputation value at the time this hit was generated (within a range of -1000 to 1000) (iii) a proposed value how much to increase/decrease this value per day to forgive bad reputation after some time (iii) is very special and could be implemented on client side individually: shouldn't be part of a recommendation. (i) is quite useful to prevent regular updates of a DNS record on the provider side. (ii) is mandatory. I'd appreciate if someone could follow this topic, I'm unfortunately too busy to push this at time. 2) our statistics on http://www.dkim-reputation.org/statistics/ are quite interesting: while those that send valid DomainKeys/DKIM signed spam to us told us their entire spam traffic increased, we see that the number of spammers using DKIM (directly with own signing domains or indirectly by using ISP accounts) drops. The individual user accounts we detected belong mostly to Gmail and Yahoo!. Here you can see the most significant decrease; both E-Mail Services successfully react on ARF reports today and block the according accounts. It's also interesting to see that the number of bad domains decreases. On the other hand I see that the number of entire signing domains increases (Cisco was talking about a triplication since last year, I measured factor 2.5). This is interesting but might remain without any consequences concerning filtering: DKIM reputation - in my view - makes 100% sense concerning the reduction of false positives. Since false positives aren't a great problem at time I don't push dkim-reputation.org too much, waiting for a time it becomes more necessary. Concerning bad reputation there is some usage, but I saw: the hits that our DKIM-reputation spamassassin plugin generated were just confirmations of spam mails already rated bad. So no big advantage here, just one means in a combined approach. The idea to rate non-signed emails worse should be banned in my view: thinking about DKIM failure scenarios as well you always should rate unsigned emails as well as non-validly signed emails neutrally. 3) To get back to DKIM adoption: since DKIM reputation obviously doesn't boost there must be other drivers in my view, special example: the German government is looking for a way to get court-proof emails. They defined a concept that's very likely too complicated to become true, instead small steps would be more helful; to provide long-term-proof I could imagine the following setup (signer has to be trusted, users can change the ISP without loosing the proof, just an idea): http://www.agitos.de/pub/20090703-ingoing-dkim-for-stability-proof.pdf
Re: [ietf-dkim] DKIM adoption
J.D. Falk wrote: Murray S. Kucherawy wrote: In fact, there is an experimental DKIM reputation service out there now that does something of this nature. The implementation I wrote has optional support for it. I don't yet have any information about who's using it or what the results of such are. And, there are others in progress. Folks, Within the obvious limits of protecting proprietary concerns, it would be quite helpful to be able to have the dkim.org site list existing and planned DKIM-based reputation services. Such services move DKIM from promising to useful. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
MH Michael Hammer (5304) wrote: While I don't believe that receivers would be particularly well served by lowering reputation for unsigned emails or raising reputation for those that are signed, it would certainly be useful if receivers took a stronger stance in saying they are taking advantage of DKIM signatures to track reputation. While in the past I have been primarily interested in first party signing, I have been thinking about potential benefits of our organization signing with a second signature so that we can use it across properties. I find it very hard to justify to finishing the addition of DKIM into our wcSMTP and wcListServer products. We were all set to go when SSP was still in play and part of the DKIM API. Without policy and no public reputation services, adding DKIM would add confusion to our customer base as to its purpose. To me, technology come first, not marketing. So I ask you, how do you track reputation? especially anonymous? Doug and I had this discussion 2-3 years ago about the problem of Blitz attacks in order to force a DoS facsimile forcing the receiver to turn of DKIM processing. If DKIM needs batteries in order to have a payoff or some values, what batteries do you recommend? Also, with our mail model, post SMTP processing is after the mail is checked. Our stock mail filtering scripting language are at the SMTP and DATA level before a response is provided. When Mail is finally accepted, our design takes it very serious to no longer be part of the content decision making process - the buck (heuristic considerations) is passed to the operator. Its an old school philosophy that accepting mail is taken very serious. But if we were to add DKIM support, we would do so at the DATA level with our package. Efficiency and scalability is important. It has to be fast. That is why policy and fault tolerance was very important. The idea of processing and still accepting failure is a big waste of time for us. Note: that doesn't stop customers from adding DKIM themselves using some external post smtp scripting engine or whatever. But it won't be ours and 99$ of them are going use what we provide. After quite frankly, if I got 2 blind request for DKIM support, that would be a lot. If we don't support DKIM, it won't happen for them. -- ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
On 8/6/09 12:15 AM, hector wrote: If DKIM needs batteries in order to have a payoff or some values, what batteries do you recommend? It seems DKIM might be used to bypass filtering that typically good messages would otherwise confront as a means to reduce false positives. Since few domains have only perfect users, one could also create a block list based upon the hash of the i= (on-behalf-of) value. The query might look something like: Query: base32(sha-1(i=)).d=. For domains that have problematic users and don't offer even an opaque i= value that corresponds to message sources, the domain would need to be removed from the list which might have prevented false positive detections. -Doug ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
-Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim- boun...@mipassoc.org] On Behalf Of Douglas Otis Sent: Thursday, August 06, 2009 8:26 AM To: hector Cc: ietf-dkim@mipassoc.org; MH Michael Hammer (5304) Subject: Re: [ietf-dkim] DKIM adoption Since few domains have only perfect users, one could also create a block list based upon the hash of the i= (on-behalf-of) value. The query might look something like: Query: base32(sha-1(i=)).d=. In fact, there is an experimental DKIM reputation service out there now that does something of this nature. The implementation I wrote has optional support for it. I don't yet have any information about who's using it or what the results of such are. ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
Murray S. Kucherawy wrote: In fact, there is an experimental DKIM reputation service out there now that does something of this nature. The implementation I wrote has optional support for it. I don't yet have any information about who's using it or what the results of such are. And, there are others in progress. -- J.D. Falk Return Path Inc http://www.returnpath.net/ ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
Interesting replies. My apologies for my delayed response. I was off in Vegas at defcon and intentionally not getting online for the duration. While I don't believe that receivers would be particularly well served by lowering reputation for unsigned emails or raising reputation for those that are signed, it would certainly be useful if receivers took a stronger stance in saying they are taking advantage of DKIM signatures to track reputation. While in the past I have been primarily interested in first party signing, I have been thinking about potential benefits of our organization signing with a second signature so that we can use it across properties. Mike From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Franck Martin Sent: Friday, July 31, 2009 6:23 PM To: ietf-dkim@mipassoc.org Subject: [ietf-dkim] DKIM adoption Looking at DKIM adoption. I have seen statements that some mailers will do DKIM based reputation if available, but I have yet to see a statement as either: -an email not signed with DKIM will have its reputation lowered (less likely to pass filters) -an email signed with DKIM will have its reputation increased (more likely to pass filters) I think if there were some postmasters making such statement it would boost the adoption of DKIM. I think stating that some postmasters are moving to domain based reputation is just encouraging the status quo of not DKIM signing to stay in IP based reputation. ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
I am not ready to make that statement yet. Considering that a lot of spam has valid DKIM signatures I am not sure when I will make that statement From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Franck Martin Sent: Friday, July 31, 2009 6:23 PM To: ietf-dkim@mipassoc.org Subject: [ietf-dkim] DKIM adoption Looking at DKIM adoption. I have seen statements that some mailers will do DKIM based reputation if available, but I have yet to see a statement as either: -an email not signed with DKIM will have its reputation lowered (less likely to pass filters) -an email signed with DKIM will have its reputation increased (more likely to pass filters) I think if there were some postmasters making such statement it would boost the adoption of DKIM. I think stating that some postmasters are moving to domain based reputation is just encouraging the status quo of not DKIM signing to stay in IP based reputation. ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
On 8/2/09 1:06 AM, Mark Delany wrote: On Aug 1, 2009, at 9:14 PM, Franck Martin wrote: But is ICANN supposed to clean all these random valid domains? You half-joke, but one of the arguments we presented to the FTC back in 2003 or so regarding spam was that we had an opportunity to regulate issuance of domain names. If not regulate, then at least insist on an identifiable legal entity being required to register a domain. Rather than viewing control of a domain as indicative of good email behavior, positive reputations based upon histories of DKIM signatures could offer an alternative or enhancement to methods currently used in the disposition of messages. As SMTP transitions into the use of IPv6, IP address reputations will also need to rapidly transition to a positive mode of assessment as perhaps the only method that has a chance to scale in the face of new levels of abuse. It might be interesting to review information exchanged during DKIM assessment, such as a hash of the i= value in conjunction with the DKIM key location. Perhaps a new industry standard could be adopted in this regard. It might be interesting to find whether there might be interest in developing third-party authorization schemes. -Doug ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
On Aug 3, 2009, at 10:31 AM, Douglas Otis wrote: On 8/2/09 1:06 AM, Mark Delany wrote: On Aug 1, 2009, at 9:14 PM, Franck Martin wrote: But is ICANN supposed to clean all these random valid domains? You half-joke, but one of the arguments we presented to the FTC back in 2003 or so regarding spam was that we had an opportunity to regulate issuance of domain names. If not regulate, then at least insist on an identifiable legal entity being required to register a domain. Rather than viewing control of a domain as indicative of good email behavior, positive reputations based upon histories of DKIM signatures could offer an alternative or enhancement to methods currently used in the disposition of messages. That's entirely orthogonal and nothing new. My point was something stronger and different from reputation, namely something jurisdictional; can I find (and sue) the owner of the domain on the DKIM signature? Mark. ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
On 08/03/2009 11:01 AM, Mark Delany wrote: On Aug 3, 2009, at 10:31 AM, Douglas Otis wrote: On 8/2/09 1:06 AM, Mark Delany wrote: On Aug 1, 2009, at 9:14 PM, Franck Martin wrote: But is ICANN supposed to clean all these random valid domains? You half-joke, but one of the arguments we presented to the FTC back in 2003 or so regarding spam was that we had an opportunity to regulate issuance of domain names. If not regulate, then at least insist on an identifiable legal entity being required to register a domain. Rather than viewing control of a domain as indicative of good email behavior, positive reputations based upon histories of DKIM signatures could offer an alternative or enhancement to methods currently used in the disposition of messages. That's entirely orthogonal and nothing new. My point was something stronger and different from reputation, namely something jurisdictional; can I find (and sue) the owner of the domain on the DKIM signature? I think that it's larger than that: Given a domain name, what can we educe from it? 1) who the registrant? o how long has it been around o etc, etc 2) who is the registrar? o how hard is it to mass-enroll domains? o are they known to turn a blind eye to spammers? etc, etc. That is, start looking up the food chain for bad behavior. Until there are negative consequences, registrars will take the free if smelly money. What can we do to create a negative consequence? Mike ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
Franck Martin wrote: Looking at DKIM adoption. I have seen statements that some mailers will do DKIM based reputation if available, but I have yet to see a statement as either: -an email not signed with DKIM will have its reputation lowered (less likely to pass filters) -an email signed with DKIM will have its reputation increased (more likely to pass filters) I think if there were some postmasters making such statement it would boost the adoption of DKIM. Yahoo! broadly hinted, some years ago, that they'd start giving a slight positive bump to messages signed with DomainKeys. Two things happened: 1. serious hardcore spammers (not just misguided marketers) started including DomainKeys signatures 2. lots of people who really should've known better started saying use DomainKeys and your deliverability will improve! We also wrote about the slow emergence of domain reputation recently, trying to avoid piling on to the hyperbolic misrepresentations so common on other email marketing blogs: http://www.returnpath.net/blog/2009/07/domain-reputation-what-it-mean.php -- J.D. Falk Return Path Inc http://www.returnpath.net/ ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
Paul Russell wrote: Probably not. But DKIM is not designed to provide a message recipient with the ability to determine whether a message is spam; it is designed to provide a message recipient with the ability to determine whether a message was sent by the apparent sender. Since your caution constructively seeks to pay attention to what DKIM is *not* and especially since that goes against most folks' expectations for DKIM, it's tempting simply to agree. Strictly speaking, however, the 'apparent sender' reference is likely to be problematic since those same most folks will think it means the author (From: field) and it might or might not. The signing does not even have to be a direct handler of the message, per the Goodmail form signing on behalf of the author's organization. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
bill.ox...@cox.com wrote: , but I have yet to see a statement as either: -an email not signed with DKIM will have its reputation lowered (less likely to pass filters) -an email signed with DKIM will have its reputation increased (more likely to pass filters) The presence or absence of a DKIM signature carries no inherent semantics about reputation of the signer. Consequently anyone increasing or lowering a reputation assessment based on the presence or absence of a DKIM signature is going far beyond its stated purpose. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
On 8/3/09 11:01 AM, Mark Delany wrote: That's entirely orthogonal and nothing new. My point was something stronger and different from reputation, namely something jurisdictional; can I find (and sue) the owner of the domain on the DKIM signature? An ISP might, but recipients had their legal standing removed by CAN-SPAM. Regardless, reputation would be more cost effective. -Doug ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
You half-joke, but one of the arguments we presented to the FTC back in 2003 or so regarding spam was that we had an opportunity to regulate issuance of domain names. If not regulate, then at least insist on an identifiable legal entity being required to register a domain. Without going into the rococo nightmare that is ICANN politics, forget it. Beyond the fact that ICANN has no interest in making it harder to register domains (other than perhaps via incremental price increases), they only set the rules for generic TLDs, three letters and longer, not two-letter country code TLDs. The Joint Project Agreement with the US government isn't going away any time soon, and the US government has always been in favor of more accountability, e.g., the .US domain forbids proxy registrations, but it's political problem due to privacy laws in the EU and Canada protecting domains that at least claim to be registered by individuals. R's, John ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
On 8/1/2009 00:17, Franck Martin wrote: I was curious by Scott comment re SPF. Is there a class of spam that cannot get a DKIM signature? I would think botnets would be that class, as they usually infect computers and not sure they could DKIM sign as it would require them to set a DNS entry too. Knowing that botnets are 70% of spam, if DKIM could solve this one it would be great. You will not eliminate botnet spam by requiring a valid DKIM signature on every message accepted your mail servers. DKIM signatures are associated with domains, not sending IP addresses or the DNS hostnames associated with those IP addresses. Spammers register countless domains every day; they could easily generate and publish DKIM keys for those domains. The spamware used on zombies could be modified to use sender addresses in those domains and generate DKIM signatures for outbound messages. There is no technical reason why it could not be done. On the other hand, in the absence of wide-spread adoption of DKIM by legitimate senders, there is little, if any, incentive for spammers to move in this direction, because it eliminates their ability to used bogus/forged sender addresses in domains they do not control. There are techniques which can be used to block most spam from botnets, without the overhead of validating DKIM signatures. Most, if not all, of these tecniques have non-zero FP rates, but some sites have decided that the benefits of these techniques outweigh the costs. so my question to add to your question Does the presence of a signature provide any objective data about the goodness or badness of the signer? is: is there a class of spam that cannot get a DKIM signature? Probably not. But DKIM is not designed to provide a message recipient with the ability to determine whether a message is spam; it is designed to provide a message recipient with the ability to determine whether a message was sent by the apparent sender. -- Paul Russell, Senior Systems Administrator OIT Messaging Services Team University of Notre Dame ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
But is ICANN supposed to clean all these random valid domains? ;) - Original Message - From: John Levine jo...@iecc.com To: ietf-dkim@mipassoc.org Cc: fra...@genius.com Sent: Sunday, 2 August, 2009 3:26:07 PM GMT +12:00 Fiji Subject: Re: [ietf-dkim] DKIM adoption Yes the reputation of the domain override things, but what happens when it is the first time a domain is seen? Does DKIM help or not? If it did, how many milliseconds do you think it would take spammers to start signing with random valid domains? Using wildcards for the key records, it's a trivial little programming exercise. R's, John ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
Yes the reputation of the domain override things, but what happens when it is the first time a domain is seen? Does DKIM help or not? If it did, how many milliseconds do you think it would take spammers to start signing with random valid domains? Using wildcards for the key records, it's a trivial little programming exercise. R's, John ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
On Aug 1, 2009, at 9:14 PM, Franck Martin wrote: But is ICANN supposed to clean all these random valid domains? ;) You half-joke, but one of the arguments we presented to the FTC back in 2003 or so regarding spam was that we had an opportunity to regulate issuance of domain names. If not regulate, then at least insist on an identifiable legal entity being required to register a domain. With that simple expedient and wide-spread deployment of DKIM you have potential legal recourse to inappropriate email. ICANN of course couldn't care less as they are in it for the money, just as registrars are, but as I understand it, ICANN still operates under an MoA from the US Department of Commerce so the opportunity is not completely lost, yet. Unfortunately that opportunity may disappear soon as ICANN are pushing hard for complete autonomy, at which point profit will always be the primary motive. My point being, issuance of domain names could be a choke-point and combined with DKIM potentially provides recourse that is currently not available. This attacks the opposite end of the spectrum that reputation focusses on. Having said that, you could then have reputation systems based on jurisdictional recourse. What if you receive traffic from a domain and you are able to query for the legal owner of that domain and whether you could sue that domain for spamming? A jurisdictional market for domains could move good senders to register in tougher jurisdictions whereas the bad guys would stay well clear. Just as companies today decide whether to register on the NYSE or in the Cayman Islands. Just another arrow in the quiver, but a useful one methinks. Mark. ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
[ietf-dkim] DKIM adoption
Looking at DKIM adoption. I have seen statements that some mailers will do DKIM based reputation if available, but I have yet to see a statement as either: -an email not signed with DKIM will have its reputation lowered (less likely to pass filters) -an email signed with DKIM will have its reputation increased (more likely to pass filters) I think if there were some postmasters making such statement it would boost the adoption of DKIM. I think stating that some postmasters are moving to domain based reputation is just encouraging the status quo of not DKIM signing to stay in IP based reputation. ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
On Jul 31, 2009, at 3:22 PM, Franck Martin wrote: Looking at DKIM adoption. I have seen statements that some mailers will do DKIM based reputation if available, but I have yet to see a statement as either: -an email not signed with DKIM will have its reputation lowered (less likely to pass filters) -an email signed with DKIM will have its reputation increased (more likely to pass filters) I think if there were some postmasters making such statement it would boost the adoption of DKIM. I doubt that either is true, though. A DKIM signature allows you to acquire increased or decreased reputation based on the history of that signing token. If I've never seen that token before, or I've seen bad behaviour associated with that token, it's not going to increase the reputation of the email (not in any sane mail filtering system anyway). Conversely, if I see unsigned mail coming in from an IP address that's sent great mail forever, I'm not going to decimate the mail stream just to encourage DKIM adoption. Might there be a grey area where the existence of a DKIM signature just pushes it over the edge? Maybe, but it's going to be a pretty small grey area. I think stating that some postmasters are moving to domain based reputation is just encouraging the status quo of not DKIM signing to stay in IP based reputation. And there's nothing wrong with that. People should be moving to DKIM because of the actual advantages, not because of that sort of artificial pressure on them, I think. Requiring DKIM before setting up an FBL or a red carpet seems a more reasonable sort of pressure for an ISP to apply, should they feel so inclined. Cheers, Steve ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
Yes the reputation of the domain override things, but what happens when it is the first time a domain is seen? Does DKIM help or not? Also, I'm thinking in terms of points like for spammassin. Seeing some patterns in the email increase or lower the points. I don't think a whole reputation judgement would be done on DKIM alone, unless the email is proven forged by DKIM but we are not there yet as ADSP is not widely spread nor adopted. - Original Message - From: Steve Atkins st...@wordtothewise.com To: DKIM WG ietf-dkim@mipassoc.org Sent: Saturday, 1 August, 2009 11:17:29 AM GMT +12:00 Fiji Subject: Re: [ietf-dkim] DKIM adoption On Jul 31, 2009, at 3:22 PM, Franck Martin wrote: Looking at DKIM adoption. I have seen statements that some mailers will do DKIM based reputation if available, but I have yet to see a statement as either: -an email not signed with DKIM will have its reputation lowered (less likely to pass filters) -an email signed with DKIM will have its reputation increased (more likely to pass filters) I think if there were some postmasters making such statement it would boost the adoption of DKIM. I doubt that either is true, though. A DKIM signature allows you to acquire increased or decreased reputation based on the history of that signing token. If I've never seen that token before, or I've seen bad behaviour associated with that token, it's not going to increase the reputation of the email (not in any sane mail filtering system anyway). Conversely, if I see unsigned mail coming in from an IP address that's sent great mail forever, I'm not going to decimate the mail stream just to encourage DKIM adoption. Might there be a grey area where the existence of a DKIM signature just pushes it over the edge? Maybe, but it's going to be a pretty small grey area. I think stating that some postmasters are moving to domain based reputation is just encouraging the status quo of not DKIM signing to stay in IP based reputation. And there's nothing wrong with that. People should be moving to DKIM because of the actual advantages, not because of that sort of artificial pressure on them, I think. Requiring DKIM before setting up an FBL or a red carpet seems a more reasonable sort of pressure for an ISP to apply, should they feel so inclined. Cheers, Steve ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
On Jul 31, 2009, at 5:51 PM, Franck Martin wrote: Yes the reputation of the domain override things, but what happens when it is the first time a domain is seen? Does DKIM help or not? If there's no DKIM, then there's not really any obvious domain to be talking about when it comes to reputation, so I don't think that's a question that makes sense (at least not without more details as to what you mean by seeing a domain). Also, I'm thinking in terms of points like for spammassin. Seeing some patterns in the email increase or lower the points. I don't think a whole reputation judgement would be done on DKIM alone, Not all the time, no. But if the domain token attached to the message via DKIM is on a whitelist, or if there's a significant positive history, then it's quite likely that the DKIM based reputation would override other measures (and would likely be used to short circuit analysis to avoid expensive content-based work). unless the email is proven forged by DKIM but we are not there yet as ADSP is not widely spread nor adopted. Yup. That's probably out of scope for this discussion, anyway. Cheers, Steve ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
On Sat, 1 Aug 2009 12:51:01 +1200 (FJT) Franck Martin fra...@genius.com wrote: Yes the reputation of the domain override things, but what happens when it is the first time a domain is seen? Does DKIM help or not? It can't. Also, I'm thinking in terms of points like for spammassin. Seeing some patterns in the email increase or lower the points. Some of the people involved early in the SPF project had the same idea. It did encourage spaammer to adopt it, but it also had a big backlash after people noticed spammers could publish SPF record just fine and the positive points were just helping spammers. I don't suggest a repeat. Scott K ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
Franck Martin wrote: Yes the reputation of the domain override things, but what happens when it is the first time a domain is seen? Does DKIM help or not? Does the presence of a signature provide any objective data about the goodness or badness of the signer? If the claim is that it does, there needs to be an explanation of the basis, because I don't see it. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
I was curious by Scott comment re SPF. Is there a class of spam that cannot get a DKIM signature? I would think botnets would be that class, as they usually infect computers and not sure they could DKIM sign as it would require them to set a DNS entry too. Knowing that botnets are 70% of spam, if DKIM could solve this one it would be great. so my question to add to your question Does the presence of a signature provide any objective data about the goodness or badness of the signer? is: is there a class of spam that cannot get a DKIM signature? - Original Message - From: Dave CROCKER d...@dcrocker.net To: Franck Martin fra...@genius.com Cc: DKIM WG ietf-dkim@mipassoc.org Sent: Saturday, 1 August, 2009 4:04:28 PM GMT +12:00 Fiji Subject: Re: [ietf-dkim] DKIM adoption Franck Martin wrote: Yes the reputation of the domain override things, but what happens when it is the first time a domain is seen? Does DKIM help or not? Does the presence of a signature provide any objective data about the goodness or badness of the signer? If the claim is that it does, there needs to be an explanation of the basis, because I don't see it. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] DKIM adoption
On Jul 31, 2009, at 9:17 PM, Franck Martin wrote: I was curious by Scott comment re SPF. Is there a class of spam that cannot get a DKIM signature? I would think botnets would be that class, as they usually infect computers and not sure they could DKIM sign as it would require them to set a DNS entry too. Knowing that botnets are 70% of spam, if DKIM could solve this one it would be great. This is trivial for botnets to do. Apart from the obvious ways, many botnets already run DNS. so my question to add to your question Does the presence of a signature provide any objective data about the goodness or badness of the signer? is: is there a class of spam that cannot get a DKIM signature? It says that the software generating the email was written at some point after 2007. Which is a data point, but not a terribly useful one. Cheers, Steve ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html