Re: [ietf-dkim] MLMs and signatures again
On 26 May 2011, at 23:19, Steve Atkins wrote: That's relying on an awful lot of vaporware in the MUA, orthogonal to any sort of authentication. I don't think any MUAs really track sender reputation in any way[1]. Certainly Outlook with Exchange does. If you mark a message as spam, then you'll find future messages from the same sender will likely end up being delivered to your spam mailbox. -- Ian Eiloart Postmaster, University of Sussex +44 (0) 1273 87-3148 ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
-Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim- boun...@mipassoc.org] On Behalf Of Scott Kitterman Sent: Thursday, May 26, 2011 8:36 PM To: ietf-dkim@mipassoc.org Subject: Re: [ietf-dkim] MLMs and signatures again On Thursday, May 26, 2011 07:40:17 PM Murray S. Kucherawy wrote: -Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of MH Michael Hammer (5304) Sent: Thursday, May 26, 2011 4:15 PM To: Scott Kitterman; ietf-dkim@mipassoc.org Subject: Re: [ietf-dkim] MLMs and signatures again The other piece of the equation is how often do I see abusive mail purporting to be from this domain with no signature while mail from this domain that is normally signed has no significant problems. I posted the results of some research on that very question earlier this week: http://mipassoc.org/pipermail/ietf-dkim/2011q2/016656.html My experience is it varies a lot by domain. Some domains are phishing targets and some aren't. If it's not a phishing target DKIM doesn't matter much either way. If it is, then if they can manage to sign all their outbound mail signed/not signed gets to be useful. So I don't think looking at global status is a very useful basis for deciding the question. Scott K Remember, it's not static, it's dynamic. What was a non-phished domain yesterday could be a phished domain today or tomorrow. DKIM isn't a magic bullet, it's one more tool in the toolbox. I've found that in combination with SPF it works very nicely on double fail and none/fail as far as catching badness with very little impact on legitimate mail. Mike ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
On 26/May/11 23:52, Murray S. Kucherawy wrote: From: On Behalf Of Franck Martin 2) do we need a mechanism to alert the receiving MTA that you have subscribed to a mailing list, and all messages should pass through? Yes, desperately. Certainly a possible feature, but it seems like it won't scale very well. Why not? Of course, having a copy of each subscription record would roughly double the database, globally. Twice is scalable, though. ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
2) do we need a mechanism to alert the receiving MTA that you have subscribed to a mailing list, and all messages should pass through? Yes, desperately. Certainly a possible feature, but it seems like it won't scale very well. Why not? If I were a spammer, I would tell the victim's MTA that the victim subscribed, then send the spam. These days most subscriptions are entered on a web page, and if you're lucky the mailer will send a confirmation message with a URL that sends the subscriber back to the web page. Where's the MTA going to get the subscriber info? The challenges in designing a protocol that neither makes unreasonable demands on users and MUAs nor is easily spoofed by hostile mailers seem insurmountable to me. If you're planning to keep a reputation database of mailers who send credible subscription announcements, why not just whitelist their mail? Since as far as I know nobody does this, it's a resarch topic, so I've directed replies to the ASRG. See you there. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies, Please consider the environment before reading this e-mail. http://jl.ly ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
-Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Alessandro Vesely Sent: Friday, May 27, 2011 9:08 AM To: ietf-dkim@mipassoc.org Subject: Re: [ietf-dkim] MLMs and signatures again Certainly a possible feature, but it seems like it won't scale very well. Why not? Of course, having a copy of each subscription record would roughly double the database, globally. Twice is scalable, though. An automated system to monitor mail flows to figure out lists to which users have subscribed or unsubscribed can't scale unless there are standards around how to do that, and everyone participates. That's a high bar to set. A manual system requires users to register lists they join or depart. That's bound to be increasingly inaccurate over time. And if every Gmail user subscribes to just two lists, that's an awfully large number of relationships to track and check on each message transiting their MTAs. I could be wrong, but it sounds like a nightmare. ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
-Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Hector Santos Sent: Thursday, May 26, 2011 10:44 PM To: ietf-dkim@mipassoc.org Subject: Re: [ietf-dkim] MLMs and signatures again This sounds like you are missing a point here. And what point is that? But it might help to know a general makeup of the volume collection you have from the standpoint if it was already pre-filtered. I guess you won't readily know that without asking your contributors, but it would be good know what level, if any, filtering was already done. All reporting sites are doing at least some RBL filtering, and all spam/not-spam flags are Spamassassin verdicts plus a few user-provided verdicts thrown in. For your collection analysis, you will need a majority of the system with always accept first operations so that you can get the large spectrum of bad vs good mail. Then you will need a criteria for what is considered bad. I think that's unnecessary. If we can assume our reporting sites are typical, then the results are typically meaningful. It just means the results have to be taken in the same context in which the data were collected, which seems reasonable to me. ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
John R. Levine wrote: These days most subscriptions are entered on a web page, and if you're lucky the mailer will send a confirmation message with a URL that sends the subscriber back to the web page. Where's the MTA going to get the subscriber info? See below The challenges in designing a protocol that neither makes unreasonable demands on users and MUAs nor is easily spoofed by hostile mailers seem insurmountable to me. If you're planning to keep a reputation database of mailers who send credible subscription announcements, why not just whitelist their mail? Does this include blacklisting the not credible? Since as far as I know nobody does this, it's a resarch topic, so I've directed replies to the ASRG. See you there. Lets see if my MTA gets the non-subscriber info/notification with a target that includes the address you directed replies to. -- Hector Santos, CTO http://www.santronics.com http://santronics.blogspot.com ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
MH Michael Hammer (5304) wrote: Remember, it's not static, it's dynamic. What was a non-phished domain yesterday could be a phished domain today or tomorrow. DKIM isn't a magic bullet, it's one more tool in the toolbox. I've found that in combination with SPF it works very nicely on double fail and none/fail as far as catching badness with very little impact on legitimate mail. What sort of phishing are we talking about? Identities or the context? -- Hector Santos, CTO http://www.santronics.com http://santronics.blogspot.com ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
Hector Santos wrote: John R. Levine wrote: These days most subscriptions are entered on a web page, and if you're lucky the mailer will send a confirmation message with a URL that sends the subscriber back to the web page. Where's the MTA going to get the subscriber info? See below Since as far as I know nobody does this, it's a resarch topic, so I've directed replies to the ASRG. See you there. Lets see if my MTA gets the non-subscriber info/notification with a target that includes the address you directed replies to. Here we go, the MTA automation is possible. Reject Message: Cut here Subject: Re: [ietf-dkim] MLMs and signatures again Date: Fri, 27 May 2011 12:56:41 -0700 From: asrg-ow...@irtf.org To: hsan...@isdg.net You are not allowed to post to this mailing list, and your message has been automatically rejected. If you think that your messages are being rejected in error, contact the mailing list owner at asrg-ow...@irtf.org. Reject Message: Cut here -- Hector Santos, CTO http://www.santronics.com http://santronics.blogspot.com ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
Hector Santos wrote: MH Michael Hammer (5304) wrote: Remember, it's not static, it's dynamic. What was a non-phished domain yesterday could be a phished domain today or tomorrow. DKIM isn't a magic bullet, it's one more tool in the toolbox. I've found that in combination with SPF it works very nicely on double fail and none/fail as far as catching badness with very little impact on legitimate mail. What sort of phishing are we talking about? Identities or the context? This is what I see in today's log or malicious spoofing and phishing of our three main domains (all rejected). From: Rolex.com hec...@santronics.com From: announceme...@santronics.com From: sa...@santronics.com From: Rolex.com hsan...@santronics.com From: Rolex.com usiqb...@santronics.com From: Rolex.com hec...@santronics.com From: Rolex.com johnsmith...@santronics.com From: Rolex.com andrea.san...@santronics.com From: Rolex.com jua...@winserver.com From: Rolex.com powersgilh...@winserver.com From: andy.armstr...@winserver.com From: Rolex.com andrew.al...@winserver.com From: Rolex.com hec...@winserver.com From: Rolex.com huddlestonlu...@winserver.com From: floydjj...@winserver.com From: Rolex.com hurstfwrf...@winserver.com From: floydjj...@winserver.com From: samuel.mang...@winserver.com From: ildefo...@winserver.com From: Rolex.com michael.a@winserver.com From: Rolex.com samuel.mang...@winserver.com From: Rolex.com guawaldemarwalde...@winserver.com From: Rolex.com matt.rineh...@winserver.com From: Rolex.com hurstfwrf...@winserver.com From: codeproj...@winserver.com From: Rolex.com h...@winserver.com From: Rolex.com h...@winserver.com From: Rolex.com john.kl...@winserver.com From: Rolex.com joshua.saund...@winserver.com From: xml-...@winserver.com From: chris.shuema...@winserver.com From: aaron.de.br...@winserver.com From: Rolex.com hurstfwrf...@winserver.com From: Rolex.com jeremiah.ragsd...@winserver.com From: Rolex.com hsan...@isdg.net Note the common sender using rolex.com user id part and I noticed the ones that don't have this, all of them where also from the rolex.com spammer. So this just boils down to one spammer today doing this. None of them were DKIM signed, but they would of been rejected as non-signed if the logic was enabled to reject on a failed ADSP. -- Hector Santos, CTO http://www.santronics.com http://santronics.blogspot.com ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
On May 26, 2011, at 12:02 PM, Murray S. Kucherawy wrote: -Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of John R. Levine Sent: Thursday, May 26, 2011 6:40 AM To: Ian Eiloart Cc: DKIM List Subject: Re: [ietf-dkim] DKIM Scouts, was 8bit downgrades Mailing lists have worked quite well for 40 years with no signatures at all, making all sorts of random changes to the mail, so it has to be something more than that. Applying the same logic: Email in general has been fine without DKIM for 40 years, so why do we need it? Thinking in abstract terms: If you accept the premise that DKIM delivers a validated domain name as its payload, and that domain name represents an ADMD that takes some responsibility for a message, then it's not clear to me why one would claim it's not valuable to have two responsible parties instead of just one. You can then evaluate both of those names and decide if either of them, or perhaps the combination of them, warrant additional filtering or, instead, priority handling. The question really is: How valuable is this? Or put another way: Is it worth the work to make the two identities available instead of only that of the MLM? I suspect the answer is yes as it can only improve your accuracy. The only remaining issue is how hard it will be to make that happen, and whether or not the payoff is big enough to offset the pain. That, I think, is the real thing that needs to be evaluated. In my experience with traditional discussion MLMs (which is the situation we're talking about) if I trust the MLM, I generally don't care about who the participants are. While you're absolutely right that in this case having identities of two responsible parties (original author and MLM) is more valuable than one (MLM). But I think the increase in value is somewhere between marginal and negligible, so unless it comes for free it's probably not that interesting to try and do. And when we're talking about DKIM identities it's definitely not something that will be easy to do (it may not even be possible without seriously compromising either DKIM's promises or an MLMs usability). Now, those are abstract terms. When argued in terms of passing an author signature through an MLM given modern realities, it does indeed sound like it's not worthwhile, because in that particular context you're not likely to see the stuff you want to filter coming via such paths in the first place. But now invert that thinking. Let's say your domain manages to acquire a positive reputation, but now you and I are on a re-signing MLM whose domain has no reputation or maybe even a slightly negative one. Your reputation could trump that of the list, or could improve that of the list by your participation in it, at least from my perspective. But for that to happen, your signature has to survive. The value of traditional MLMs is the discussion, rather than the individual post. The quantum of value is the thread, rather than the email. If the reputation of the MLM is poor enough that mail from it is not being delivered, trumping that with an authors reputation may get individual emails delivered - but not threads, so it doesn't really improve the value provided to the recipient (it probably decreases it - a mailing list that delivers one in ten posts to my inbox is less useful than one that delivers none at all). I don't think that's a concept that should be discarded out of hand just because MLMs have been the way they are for a long time and they're in the way of such innovations. Updating them even a little might enable a host of useful new applications. Cheers, Steve ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
-Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Steve Atkins Sent: Thursday, May 26, 2011 12:21 PM To: DKIM List Subject: Re: [ietf-dkim] MLMs and signatures again In my experience with traditional discussion MLMs (which is the situation we're talking about) if I trust the MLM, I generally don't care about who the participants are. Good, that's useful data. If the reputation of the MLM is poor enough that mail from it is not being delivered, trumping that with an authors reputation may get individual emails delivered - but not threads, so it doesn't really improve the value provided to the recipient (it probably decreases it - a mailing list that delivers one in ten posts to my inbox is less useful than one that delivers none at all). Perhaps an MLM's reputation is pulled up or down as the average of those of its participants, so if the MLM can attract good senders, suddenly entire threads start getting through. But that would only be possible with signature survival. I don't know, I'm mostly brainstorming here. The abstract idea seems reasonable but the MLM instance of it carries with it so much baggage that it's perhaps the worst possible example. ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
On May 26, 2011, at 1:13 PM, Franck Martin wrote: On 5/26/11 12:21 , Steve Atkins st...@wordtothewise.com wrote: In my experience with traditional discussion MLMs (which is the situation we're talking about) if I trust the MLM, I generally don't care about who the participants are. True, but the system in charge of delivering the email to your mailbox, does not know about this trust. So how can we infer you have given this trust to the mailing list? Is your trust the same as some other person? The mailing list needs to build and maintain a good reputation, just the same as any other source of email. That I, the final recipient, trust it and want the mail it sends will help it do that. So the receiving MTA, sees messages with List-id: headers in direction to your mailbox. What it shall do? The Receiving MTA does not usually know you have subscribed to the mailing list... Nor does it care. If I signed up for a mailing list, I'm going to want to receive email from it. I'm not going to report it as spam, I'm going to go looking for missing mails (especially the initial COI challenge) in my spam folder. All this behaviour will give the mailing list manager a good reputation with my ISP. Similar behaviour by other recipients will also give it a good reputation, all tied to the DKIM d= value. This isn't a special case - it's just incoming email that's coming from a sender with a good reputation, tied to the MLMs d= token. 1) as Murray says, It can infer it has to deliver (or not) the email based on other participants reputation to build a list reputation? side note: Eh. If the signature of a particular sender happens to survive, and that sender happens to have a better reputation than that of the list then it might make some difference. It's not something I'd actually try and do, though. do mail receivers treat mailing list differently than any other emails? Generally not, I don't think, though MUAs do. 2) do we need a mechanism to alert the receiving MTA that you have subscribed to a mailing list, and all messages should pass through? Quite possibly, but that's really not DKIM related at all, more of an MUA design decision. Cheers, Steve ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
-Original Message- From: John R. Levine [mailto:jo...@iecc.com] Sent: Thursday, May 26, 2011 1:29 PM To: Murray S. Kucherawy Cc: DKIM List Subject: Re: [ietf-dkim] MLMs and signatures again If anyone's claiming that contributors' DKIM signatures on list mail are important, a good start would be to look at how PGP and S/MIME signatures have been treated during the many years they've been in use. I don't see any harm in experiments like having an MLM adding a signed A-R header to the mail, since it doesn't break anything that works now, but I would want rather concrete evidence from anyone claiming that people pay any more attention than they do to S/MIME signatures now. There are parties that want to do that experiment because they see potential in it. (In fact they're doing it now through a non-standard hack; I need to ask them for results.) What would probably be helpful is some decent description from them of why they think it's valuable and how they plan to use it. You're absolutely right that nobody's cared up until now, but I'm not as sure as you are that this makes the question utterly uninteresting. ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
On 5/26/2011 1:29 PM, John R. Levine wrote: In my experience, the reputation of the list is unrelated to the reputation of its participants. Given how little DKIM-related reputation work has been done, deployed and heavily used so far, perhaps we should all be a bit cautious about taking existing practices and treating them as definitive of future needs and uses. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
On 5/26/11 12:21 , Steve Atkins st...@wordtothewise.com wrote: On May 26, 2011, at 12:02 PM, Murray S. Kucherawy wrote: -Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of John R. Levine Sent: Thursday, May 26, 2011 6:40 AM To: Ian Eiloart Cc: DKIM List Subject: Re: [ietf-dkim] DKIM Scouts, was 8bit downgrades Mailing lists have worked quite well for 40 years with no signatures at all, making all sorts of random changes to the mail, so it has to be something more than that. Applying the same logic: Email in general has been fine without DKIM for 40 years, so why do we need it? Thinking in abstract terms: If you accept the premise that DKIM delivers a validated domain name as its payload, and that domain name represents an ADMD that takes some responsibility for a message, then it's not clear to me why one would claim it's not valuable to have two responsible parties instead of just one. You can then evaluate both of those names and decide if either of them, or perhaps the combination of them, warrant additional filtering or, instead, priority handling. The question really is: How valuable is this? Or put another way: Is it worth the work to make the two identities available instead of only that of the MLM? I suspect the answer is yes as it can only improve your accuracy. The only remaining issue is how hard it will be to make that happen, and whether or not the payoff is big enough to offset the pain. That, I think, is the real thing that needs to be evaluated. In my experience with traditional discussion MLMs (which is the situation we're talking about) if I trust the MLM, I generally don't care about who the participants are. True, but the system in charge of delivering the email to your mailbox, does not know about this trust. So how can we infer you have given this trust to the mailing list? Is your trust the same as some other person? So the receiving MTA, sees messages with List-id: headers in direction to your mailbox. What it shall do? The Receiving MTA does not usually know you have subscribed to the mailing list... 1) as Murray says, It can infer it has to deliver (or not) the email based on other participants reputation to build a list reputation? side note: do mail receivers treat mailing list differently than any other emails? 2) do we need a mechanism to alert the receiving MTA that you have subscribed to a mailing list, and all messages should pass through? ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
Steve Atkins wrote: In my experience with traditional discussion MLMs (which is the situation we're talking about) if I trust the MLM, I generally don't care about who the participants are. If by traditional, you mean the members are vetted with subscription and confirmation, then this tends to be true. But when not, when the list or any group forum is anonymous in nature, history has told us its get corrupted with junk and most people tend to dislike it. -- Hector Santos, CTO http://www.santronics.com http://santronics.blogspot.com ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
On May 26, 2011, at 1:50 PM, Hector Santos wrote: Steve Atkins wrote: In my experience with traditional discussion MLMs (which is the situation we're talking about) if I trust the MLM, I generally don't care about who the participants are. If by traditional, you mean the members are vetted with subscription and confirmation, then this tends to be true. But when not, when the list or any group forum is anonymous in nature, history has told us its get corrupted with junk and most people tend to dislike it. In that case the reputation of the MLM is poor, and I don't want to receive email from it. I still don't care about who the participants are. The idea that people might sign up for a mailing list full of junk, and hope that their spam filters / reputation engine will magically pull the occasional gem out of it seems pretty unlikely. And that's the premise behind there being value in tracking the reputation of original authors in the case of their email being re-sent by a MLM. Cheers, Steve ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
Steve Atkins wrote: On May 26, 2011, at 1:50 PM, Hector Santos wrote: If by traditional, you mean the members are vetted with subscription and confirmation, then this tends to be true. But when not, when the list or any group forum is anonymous in nature, history has told us its get corrupted with junk and most people tend to dislike it. In that case the reputation of the MLM is poor, and I don't want to receive email from it. I still don't care about who the participants are. But it is the participants that make up the quality of the public discussion group. Sure, you're point is clear that you may not pay attention to the individuals. But others do. For the most part, most people will agree Google is a good intention and reputable company, not out to harm people, etc. But do we always trust all their google groups because it was signed by google? I don't think so. In my opinion, its more about the particular list of interest one has and its make up of people that make it a quality discussion group. You (speaking in general) selected the list you wanted, so it should go without saying you like and trust the list. Does certification change that? Sounds more like an marketing issue: Join our discussing list. Approved by VeriSign as a Trusted List Vendor! I think the focus has been lost because the real problem is how to deal with the unknowns signer. We are trying to figure out a way to get a 3rd party to vouch for them - a 3rd party you always trust. I don't think DKIM changes much of one already subscribe to a list that he has interest in. Now, if you were to say: I only will accept list mail when its signed because I expect it to be signed and anything else not signed purported to be by the list I will not accept or ignore. Then we are talking about something else. -- Hector Santos, CTO http://www.santronics.com http://santronics.blogspot.com ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
Franck Martin wrote: So the receiving MTA, sees messages with List-id: headers in direction to your mailbox. What it shall do? The Receiving MTA does not usually know you have subscribed to the mailing list... 1) as Murray says, It can infer it has to deliver (or not) the email based on other participants reputation to build a list reputation? side note: do mail receivers treat mailing list differently than any other emails? Yes, it is auto white listed for acceptance. In other words, when the client issues: RCPT TO: list-name @ list-host.com it will checked as an normal user (alias) and accepted. 2) do we need a mechanism to alert the receiving MTA that you have subscribed to a mailing list, and all messages should pass through? Normally, once it accepted (1st question via RCPT TO:), then the mail is pass to a list server and it will check for member subscription. I guess if the RECEIVER is a List Server SMTP Server, then its database will be easily accessible to do a member check at SMTP level. -- Hector Santos, CTO http://www.santronics.com http://santronics.blogspot.com ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
-Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Franck Martin Sent: Thursday, May 26, 2011 1:13 PM To: Steve Atkins; DKIM List Subject: Re: [ietf-dkim] MLMs and signatures again side note: do mail receivers treat mailing list differently than any other emails? That's a local policy question. Personally, I don't know of any that do. 2) do we need a mechanism to alert the receiving MTA that you have subscribed to a mailing list, and all messages should pass through? Certainly a possible feature, but it seems like it won't scale very well. ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
On 5/26/11 14:48 , Hector Santos hsan...@isdg.net wrote: Franck Martin wrote: So the receiving MTA, sees messages with List-id: headers in direction to your mailbox. What it shall do? The Receiving MTA does not usually know you have subscribed to the mailing list... 1) as Murray says, It can infer it has to deliver (or not) the email based on other participants reputation to build a list reputation? side note: do mail receivers treat mailing list differently than any other emails? Yes, it is auto white listed for acceptance. In other words, when the client issues: RCPT TO: list-name @ list-host.com it will checked as an normal user (alias) and accepted. I meant as a receiver of mailing list email, does your MTA do something special when it sees the List-id: header? ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
On May 26, 2011, at 2:53 PM, Murray S. Kucherawy wrote: -Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Steve Atkins Sent: Thursday, May 26, 2011 2:10 PM To: DKIM List Subject: Re: [ietf-dkim] MLMs and signatures again In that case the reputation of the MLM is poor, and I don't want to receive email from it. I still don't care about who the participants are. The idea that people might sign up for a mailing list full of junk, and hope that their spam filters / reputation engine will magically pull the occasional gem out of it seems pretty unlikely. And that's the premise behind there being value in tracking the reputation of original authors in the case of their email being re-sent by a MLM. Let's say I route all traffic from list X to its own separate mailbox, but I also want my MUA to flag for special attention mail sent to that list by people I hold in high regard, for example, and I want that to be based on their accumulated reputations. That's relying on an awful lot of vaporware in the MUA, orthogonal to any sort of authentication. I don't think any MUAs really track sender reputation in any way[1]. I either have to base that on something forgeable like From:, or on something reliable like d=. That doesn't seem magical to me. Well, d= won't identify the original sender at all, in the case of individuals sending to a mailing list. It'll identify the domain of their ISP, nothing more. It's a bit of a contrived example, but right now I would have to maintain that list manually; it would be nice to have it done automatically based on feedback I provide to a reputation system. Tunneling DKIM signatures through MLMs doesn't seem to be the missing bit of technology needed to do this. If the MLM signs any email it sends then you have some level of trust in any information it annotates the mail with. *If* it were possible to identify the original email author in some way (S/MIME, PGP, some private shared secret approach) the MLM could annotate the mail with that information, and you could trust it enough to filter on. If the MLM doesn't have enough information to identify the original email author, it's unlikely you do either - whether there's a second DKIM signature or not. Cheers, Steve [1] It's something that'd be useful, though - it's been on my TODO list for about two years to add exactly this to our CRM system, via end-user thumbs-up / thumbs-down buttons. ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
Let's say I route all traffic from list X to its own separate mailbox, but I also want my MUA to flag for special attention mail sent to that list by people I hold in high regard, for example, and I want that to be based on their accumulated reputations. I either have to base that on something forgeable like From:, or on something reliable like d=. That doesn't seem magical to me. In my experience, if a mailing list is worth delivering at all, the addresses on the From: line are plenty reliable for bozo or anti-bozo filtering, and don't require an extra magic step to decide whether the signature is sufficiently related to the author's address. A plan that expects every contributor to have a separate d= reputation domain seems pretty unlikely to work outside the lab. Maybe I'm not not imaginative enough, but all the scenarios for recipients using contributor signatures are either things we are doing already without signatures, or things that nobody has shown any interest in doing in the past several decades even though there were other ways to do them. I can think of some reasonable uses for contributor signatures at the MLM, e.g., skip the verification step for adds or removes if enough previous requests from the same signer were confirmed. But not for passing them through to the recipients. As I've said, I'm not opposed to experiments so long as they don't involve breaking things that work now. So adding a signed A-R is fine, removing signature tags and headers and footers is not. R's, John ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
In my experience, the reputation of the list is unrelated to the reputation of its participants. Given how little DKIM-related reputation work has been done, deployed and heavily used so far, perhaps we should all be a bit cautious about taking existing practices and treating them as definitive of future needs and uses. In case it wasn't clear, I wasn't referring to DKIM reputation. I whitelist mail from lists I'm subscribed to using List-ID or some other bits of stable header text. In theory evil people could forge them, in practice it's never been a problem. So having a DKIM signature to be the stable text would be nice, but wouldn't fundamentally change what I do already. R's, John ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
-Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Steve Atkins Sent: Thursday, May 26, 2011 3:20 PM To: DKIM List Subject: Re: [ietf-dkim] MLMs and signatures again That's relying on an awful lot of vaporware in the MUA, orthogonal to any sort of authentication. I don't think any MUAs really track sender reputation in any way[1]. It's not vapourware in general. Such feedback systems exist, and could easily be tied to DKIM domains. Well, d= won't identify the original sender at all, in the case of individuals sending to a mailing list. It'll identify the domain of their ISP, nothing more. Well, right. You'd be basing decisions on validated DKIM d= values. Tunneling DKIM signatures through MLMs doesn't seem to be the missing bit of technology needed to do this. If the MLM signs any email it sends then you have some level of trust in any information it annotates the mail with. Yes, and A-R provides a mechanism for doing that as well. It's mentioned in the MLM draft too. *If* it were possible to identify the original email author in some way (S/MIME, PGP, some private shared secret approach) the MLM could annotate the mail with that information, and you could trust it enough to filter on. If the MLM doesn't have enough information to identify the original email author, it's unlikely you do either - whether there's a second DKIM signature or not. Why the last part of that? [1] It's something that'd be useful, though - it's been on my TODO list for about two years to add exactly this to our CRM system, via end-user thumbs-up / thumbs-down buttons. We have that at Cloudmark, and there's an open one as well. I'm trying to figure out if and how such a system could be used when correlated with DKIM signatures. ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
First, lets tune down the 40 years thing. What email list system was around in 1970? Its more like 26 years with ListServ (circa 1985) among the first and leading the way for the rest of the list server developers. There was, of course, list via X.400 but it was most of a CC like mailing list and that was more of exclusive entry - not for the public and I don't recall any real concerns about security other than being accused of being a SPY! When talking about the public, BBSes and Fidonet predated the Internet and the Fidonet Echo Networking technology was the closest thing to having network-based public groupware/discussions system. Before that, probably CompuServ offers ideas of public groupware discussion areas with there GO groups. We had GO XPRESS. You also have Prodigy with public discussion groups. But outside of these fee base dialups into X.25 networks, BBSes were among the first public way to have social group telecommunications. Anyway, needless to say, if DKIM was around even 50 years ago, or the idea of authenticated email was around, list system and the entire mail system would of taking on an entirely different path. We are arguing it now. I don't see why we would not be arguing about it back then if it was around. So all this about the the past is really a moot point. We have DKIM now, today, and it doesn't fit with list systems or any system that has a natural integrity breaking process. Unless all the list software and/or operators add Plug and Play hooks, to do the Always Resign thing you want, we will always have the problems for a very long time. -- Hector Santos, CTO http://www.santronics.com http://santronics.blogspot.com John R. Levine wrote: Perhaps an MLM's reputation is pulled up or down as the average of those of its participants, so if the MLM can attract good senders, suddenly entire threads start getting through. But that would only be possible with signature survival. In my experience, the reputation of the list is unrelated to the reputation of its participants. For example, in my filters I deliver mail from this list directly into the inbox without content filtering, even though I discard mail sent directly from a few of the subscribers. With 40 years of experience with MLMs, a lot of experiments have already happened, and we should spend more time looking at the history rather than guessing what might happen under some hypothetical circumstances. For example, we don't have to do experiments to find out whether people want an MUA to distingish between signed and unsigned parts of a message. We've already had partially signed messages (like this one, if you get it through the list) for over a decade, and MUAs don't care. Either they don't see the signature at all (Thunderbird or Windows Live Mail), or they show the message without any particular distinction between the signed and unsigned parts (Evolution, Apple Mail, Alpine.) If anyone's claiming that contributors' DKIM signatures on list mail are important, a good start would be to look at how PGP and S/MIME signatures have been treated during the many years they've been in use. I don't see any harm in experiments like having an MLM adding a signed A-R header to the mail, since it doesn't break anything that works now, but I would want rather concrete evidence from anyone claiming that people pay any more attention than they do to S/MIME signatures now. Regards, John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies, Please consider the environment before reading this e-mail. http://jl.ly ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
Murray S. Kucherawy wrote: Franck Martin side note: do mail receivers treat mailing list differently than any other emails? That's a local policy question. Personally, I don't know of any that do. Almost all SMTP receivers that have an acceptable table and if the operator has a separate list server running on the system, the list server can use this acceptance table to update it for the MTA server to use. Since RCPT TO checking is increasingly done, this is necessary otherwise the list address is unknown to the receiver. If the mail is accepted unchecked, then a post smtp processor also checks the table. It could also queue the mail for a list which the list server is eyeballing and it does the checking. 2) do we need a mechanism to alert the receiving MTA that you have subscribed to a mailing list, and all messages should pass through? Certainly a possible feature, but it seems like it won't scale very well. That is what was said in the past to not do RCPT TO checking. That changed with the advancements in hardware and Multi-threaded OSes. As you know, database lookups are darn fast and scale. The only reason we don't do it with our wcSMTP server and wcListServer is because the list server is sold separately and doesn't need our wcSMTP server. But an integrated database hook can be added. Probably the other reason is that we don't want to have an official SMTP reject, and want the list server to create a non-bounce notification. But I can see where this be a good idea to do now - SMTP level rejects with response text User not member of so and so list. -- Hector Santos, CTO http://www.santronics.com http://santronics.blogspot.com ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
On May 26, 2011, at 3:24 PM, Murray S. Kucherawy wrote: -Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Steve Atkins Sent: Thursday, May 26, 2011 3:20 PM To: DKIM List Subject: Re: [ietf-dkim] MLMs and signatures again That's relying on an awful lot of vaporware in the MUA, orthogonal to any sort of authentication. I don't think any MUAs really track sender reputation in any way[1]. It's not vapourware in general. Such feedback systems exist, and could easily be tied to DKIM domains. I don't think they exist at the MUA level, keyed on senders. I'd be interested to hear about them if they do. (There are bunches of end-user visible reputation systems that have UI in the MUA, of course, but they don't track reputation on a per-end-user basis, rather they feed end-user perception into a shared reputation system). Well, d= won't identify the original sender at all, in the case of individuals sending to a mailing list. It'll identify the domain of their ISP, nothing more. Well, right. You'd be basing decisions on validated DKIM d= values. Which isn't good enough to differentiate between c...@aol.com and hec...@aol.com. If Hector starts forging his From: address to pretend to be Cleo, DKIM doesn't help me at all. If he doesn't then I'm probably fine just keying on Cleo's From: field. Tunneling DKIM signatures through MLMs doesn't seem to be the missing bit of technology needed to do this. If the MLM signs any email it sends then you have some level of trust in any information it annotates the mail with. Yes, and A-R provides a mechanism for doing that as well. It's mentioned in the MLM draft too. *If* it were possible to identify the original email author in some way (S/MIME, PGP, some private shared secret approach) the MLM could annotate the mail with that information, and you could trust it enough to filter on. If the MLM doesn't have enough information to identify the original email author, it's unlikely you do either - whether there's a second DKIM signature or not. Why the last part of that? It's going to be a rare case where the final recipient can reliably authenticate the original author of the email, while the MLM can't. (There are exceptions - but if a cooperating group of people are using untrusted infrastructure to communicate, they're not going to be relying on DKIM, rather they're going to be living on paranoia, cigarettes and OpenGPG). Normally, if you can authenticate the original author then the MLM can do so just as well, so you can reliably route email based on metadata added by the MLM, rather than having to independently authenticate the original author yourself. Cheers, Steve ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
On Thursday, May 26, 2011 03:21:19 PM Steve Atkins wrote: If the reputation of the MLM is poor enough that mail from it is not being delivered, trumping that with an authors reputation may get individual emails delivered - but not threads, so it doesn't really improve the value provided to the recipient (it probably decreases it - a mailing list that delivers one in ten posts to my inbox is less useful than one that delivers none at all). I think this has it rather backwards. If mail From (body From) a certain domain arrives 999 time with a valid DKIM signature and on the 1,000th time it arrives with either no signature or a broken one, then that's a negative anomaly in the mail stream that receivers are quite likely to take notice of. While ADSP is the public whipping boy for this, there are plenty of private efforts based on doing exactly this. The question isn't do I trust the ML or not. For domains with a non-trivial number of users the overall mail system will have no idea about what ML should be trusted or not. The question is how harshly do I treat this message based on the lack of a good signature. Scott K ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
-Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Steve Atkins Sent: Thursday, May 26, 2011 3:47 PM To: DKIM List Subject: Re: [ietf-dkim] MLMs and signatures again It's not vapourware in general. Such feedback systems exist, and could easily be tied to DKIM domains. I don't think they exist at the MUA level, keyed on senders. I'd be interested to hear about them if they do. (There are bunches of end-user visible reputation systems that have UI in the MUA, of course, but they don't track reputation on a per-end-user basis, rather they feed end-user perception into a shared reputation system). Whether the reputation is made visible as a property in the UI versus in the accept/reject/discard decision at delivery time isn't an important distinction, is it? ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
-Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim- boun...@mipassoc.org] On Behalf Of Scott Kitterman Sent: Thursday, May 26, 2011 7:07 PM To: ietf-dkim@mipassoc.org Subject: Re: [ietf-dkim] MLMs and signatures again On Thursday, May 26, 2011 03:21:19 PM Steve Atkins wrote: If the reputation of the MLM is poor enough that mail from it is not being delivered, trumping that with an authors reputation may get individual emails delivered - but not threads, so it doesn't really improve the value provided to the recipient (it probably decreases it - a mailing list that delivers one in ten posts to my inbox is less useful than one that delivers none at all). I think this has it rather backwards. If mail From (body From) a certain domain arrives 999 time with a valid DKIM signature and on the 1,000th time it arrives with either no signature or a broken one, then that's a negative anomaly in the mail stream that receivers are quite likely to take notice of. While ADSP is the public whipping boy for this, there are plenty of private efforts based on doing exactly this. The question isn't do I trust the ML or not. For domains with a non- trivial number of users the overall mail system will have no idea about what ML should be trusted or not. The question is how harshly do I treat this message based on the lack of a good signature. Scott K The other piece of the equation is how often do I see abusive mail purporting to be from this domain with no signature while mail from this domain that is normally signed has no significant problems. Mike ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
-Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of MH Michael Hammer (5304) Sent: Thursday, May 26, 2011 4:15 PM To: Scott Kitterman; ietf-dkim@mipassoc.org Subject: Re: [ietf-dkim] MLMs and signatures again The other piece of the equation is how often do I see abusive mail purporting to be from this domain with no signature while mail from this domain that is normally signed has no significant problems. I posted the results of some research on that very question earlier this week: http://mipassoc.org/pipermail/ietf-dkim/2011q2/016656.html ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
On Thursday, May 26, 2011 07:15:25 PM MH Michael Hammer (5304) wrote: -Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim- boun...@mipassoc.org] On Behalf Of Scott Kitterman Sent: Thursday, May 26, 2011 7:07 PM To: ietf-dkim@mipassoc.org Subject: Re: [ietf-dkim] MLMs and signatures again On Thursday, May 26, 2011 03:21:19 PM Steve Atkins wrote: If the reputation of the MLM is poor enough that mail from it is not being delivered, trumping that with an authors reputation may get individual emails delivered - but not threads, so it doesn't really improve the value provided to the recipient (it probably decreases it - a mailing list that delivers one in ten posts to my inbox is less useful than one that delivers none at all). I think this has it rather backwards. If mail From (body From) a certain domain arrives 999 time with a valid DKIM signature and on the 1,000th time it arrives with either no signature or a broken one, then that's a negative anomaly in the mail stream that receivers are quite likely to take notice of. While ADSP is the public whipping boy for this, there are plenty of private efforts based on doing exactly this. The question isn't do I trust the ML or not. For domains with a non- trivial number of users the overall mail system will have no idea about what ML should be trusted or not. The question is how harshly do I treat this message based on the lack of a good signature. Scott K The other piece of the equation is how often do I see abusive mail purporting to be from this domain with no signature while mail from this domain that is normally signed has no significant problems. True. That could be a factor as well. Scott K ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
MH Michael Hammer (5304) wrote: The other piece of the equation is how often do I see abusive mail purporting to be from this domain with no signature while mail from this domain that is normally signed has no significant problems. That's an exclusive reject opportunistic question. In other words, if I turn off my SMTP level rejects for all of our domain abuse, would DKIM take up that slack? I'm going to do a quick scan just for today's log where we rejected mail purported to be from our domains us, santronics.com, winserver.com, isdg.net. Remember, this is just today (May 26, 2011) and so far its 8PM EST: MAIL FROM: sy...@santronics.com MAIL FROM: cs...@santronics.com MAIL FROM: barnardryc...@santronics.com MAIL FROM: samtron...@santronics.com MAIL FROM: ayalawe...@santronics.com MAIL FROM: andrea@santronics.com MAIL FROM: mdnf_mvto_x_...@santronics.com MAIL FROM: kpbh_yrsz_w_...@santronics.com MAIL FROM: carvera...@santronics.com MAIL FROM: jsanch...@santronics.com MAIL FROM: cent.cor...@santronics.com MAIL FROM: carvera...@santronics.com MAIL FROM: cent.cor...@santronics.com MAIL FROM: an...@santronics.com MAIL FROM: elkinsnw...@santronics.com MAIL FROM: nounceme...@santronics.com MAIL FROM: nw...@santronics.com MAIL FROM: a...@santronics.com MAIL FROM: sa...@santronics.com MAIL FROM: huddlestonlu...@winserver.com MAIL FROM: don.dun...@winserver.com MAIL FROM: the.sha...@winserver.com MAIL FROM: daungar...@winserver.com MAIL FROM: tiff...@winserver.com MAIL FROM: dcb07...@winserver.com MAIL FROM: sotooadb...@winserver.com MAIL FROM: earl.bo...@winserver.com MAIL FROM: brent.can...@winserver.com MAIL FROM: curtis.star...@winserver.com MAIL FROM:the.sha...@winserver.com MAIL FROM: d.atk...@winserver.com MAIL FROM: jo...@winserver.com MAIL FROM: daniel.j...@winserver.com MAIL FROM: as...@winserver.com MAIL FROM: codeproj...@winserver.com MAIL FROM: erkan.sal...@winserver.com MAIL FROM: a...@winserver.com MAIL FROM: andrew.al...@winserver.com MAIL FROM: andy.how...@winserver.com MAIL FROM: andy.armstr...@winserver.com MAIL FROM: chris.shuema...@winserver.com MAIL FROM: cj.har...@winserver.com MAIL FROM: jehanzeb.akh...@winserver.com MAIL FROM: jeremiah.ragsd...@winserver.com MAIL FROM: jua...@winserver.com MAIL FROM: pnep...@winserver.com MAIL FROM: powersgilh...@winserver.com MAIL FROM: justin.b...@winserver.com MAIL FROM: che.bol...@winserver.com MAIL FROM: disobedie...@winserver.com MAIL FROM: pnep...@winserver.com MAIL FROM: powersgilh...@winserver.com MAIL FROM: prison...@winserver.com MAIL FROM: earl.bo...@winserver.com MAIL FROM: curtis.star...@winserver.com MAIL FROM:curtis.star...@winserver.com MAIL FROM: regina...@winserver.com MAIL FROM: eric.ander...@winserver.com MAIL FROM: floydjj...@winserver.com MAIL FROM: erkan.sal...@winserver.com MAIL FROM: evan...@winserver.com MAIL FROM: fi...@winserver.com MAIL FROM: gdx...@winserver.com MAIL FROM: 4025237101.63576354344...@winserver.com MAIL FROM: floydjj...@winserver.com MAIL FROM: chris.shuema...@winserver.com MAIL FROM: nel...@isdg.net MAIL FROM: sbry...@isdg.net MAIL FROM: e...@isdg.net None of these are valid and they were all rejected via SPF and the same for fake HELO/EHLO domains. Now, since we now signing all these three domains, the question is, if they were checked at the DATA level using my DKIM+ADSP/ATPS/ACL setup reject them? Yes, 100%, I don't know if they were faked signers or they used 3rd party signers, or they were signed all, because they were accepted. But a DKIM policy that I have would of 100% rejected them all. This is partly the reason I didn't like Sender-ID because it was a RFC5322 payload technology and SPF did the job at the SMTP level. I had shown that over 82-84% of the time and it would been a waste in DATA overhead. I also feel that is why DKIM is having a hard time - SPF did a lot of damage to its purpose in life. In any case, we are not doing any REJECT/PASS handling based on DKIM yet, but I am going to try turning off SPF for my domains and see if I get the expected 100% would-be rejects based on DKIM and my ADSP policies. -- Hector Santos, CTO http://www.santronics.com http://santronics.blogspot.com ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
BTW, these are our May Rejections stats: http://www.winserver.com/public/antispam/stats/stats-2011-May.wct http://www.winserver.com/public/spamstats.wct (since 2003) The LMAP column is SPF and its been should a high +6% and I say high because only this year only has it been that high. Before that, it was in the 1-4% range. So if most of the 6% SPF rejects are spoof attempts on our domains, then I have no reason to believe that DKIM plus our ADSP/ATPS/ASL policies would not yield the same result. Hector Santos wrote: MH Michael Hammer (5304) wrote: The other piece of the equation is how often do I see abusive mail purporting to be from this domain with no signature while mail from this domain that is normally signed has no significant problems. That's an exclusive reject opportunistic question. In other words, if I turn off my SMTP level rejects for all of our domain abuse, would DKIM take up that slack? I'm going to do a quick scan just for today's log where we rejected mail purported to be from our domains us, santronics.com, winserver.com, isdg.net. Remember, this is just today (May 26, 2011) and so far its 8PM EST: MAIL FROM: sy...@santronics.com MAIL FROM: cs...@santronics.com MAIL FROM: barnardryc...@santronics.com MAIL FROM: samtron...@santronics.com MAIL FROM: ayalawe...@santronics.com MAIL FROM: andrea@santronics.com MAIL FROM: mdnf_mvto_x_...@santronics.com MAIL FROM: kpbh_yrsz_w_...@santronics.com MAIL FROM: carvera...@santronics.com MAIL FROM: jsanch...@santronics.com MAIL FROM: cent.cor...@santronics.com MAIL FROM: carvera...@santronics.com MAIL FROM: cent.cor...@santronics.com MAIL FROM: an...@santronics.com MAIL FROM: elkinsnw...@santronics.com MAIL FROM: nounceme...@santronics.com MAIL FROM: nw...@santronics.com MAIL FROM: a...@santronics.com MAIL FROM: sa...@santronics.com MAIL FROM: huddlestonlu...@winserver.com MAIL FROM: don.dun...@winserver.com MAIL FROM: the.sha...@winserver.com MAIL FROM: daungar...@winserver.com MAIL FROM: tiff...@winserver.com MAIL FROM: dcb07...@winserver.com MAIL FROM: sotooadb...@winserver.com MAIL FROM: earl.bo...@winserver.com MAIL FROM: brent.can...@winserver.com MAIL FROM: curtis.star...@winserver.com MAIL FROM:the.sha...@winserver.com MAIL FROM: d.atk...@winserver.com MAIL FROM: jo...@winserver.com MAIL FROM: daniel.j...@winserver.com MAIL FROM: as...@winserver.com MAIL FROM: codeproj...@winserver.com MAIL FROM: erkan.sal...@winserver.com MAIL FROM: a...@winserver.com MAIL FROM: andrew.al...@winserver.com MAIL FROM: andy.how...@winserver.com MAIL FROM: andy.armstr...@winserver.com MAIL FROM: chris.shuema...@winserver.com MAIL FROM: cj.har...@winserver.com MAIL FROM: jehanzeb.akh...@winserver.com MAIL FROM: jeremiah.ragsd...@winserver.com MAIL FROM: jua...@winserver.com MAIL FROM: pnep...@winserver.com MAIL FROM: powersgilh...@winserver.com MAIL FROM: justin.b...@winserver.com MAIL FROM: che.bol...@winserver.com MAIL FROM: disobedie...@winserver.com MAIL FROM: pnep...@winserver.com MAIL FROM: powersgilh...@winserver.com MAIL FROM: prison...@winserver.com MAIL FROM: earl.bo...@winserver.com MAIL FROM: curtis.star...@winserver.com MAIL FROM:curtis.star...@winserver.com MAIL FROM: regina...@winserver.com MAIL FROM: eric.ander...@winserver.com MAIL FROM: floydjj...@winserver.com MAIL FROM: erkan.sal...@winserver.com MAIL FROM: evan...@winserver.com MAIL FROM: fi...@winserver.com MAIL FROM: gdx...@winserver.com MAIL FROM: 4025237101.63576354344...@winserver.com MAIL FROM: floydjj...@winserver.com MAIL FROM: chris.shuema...@winserver.com MAIL FROM: nel...@isdg.net MAIL FROM: sbry...@isdg.net MAIL FROM: e...@isdg.net None of these are valid and they were all rejected via SPF and the same for fake HELO/EHLO domains. Now, since we now signing all these three domains, the question is, if they were checked at the DATA level using my DKIM+ADSP/ATPS/ACL setup reject them? Yes, 100%, I don't know if they were faked signers or they used 3rd party signers, or they were signed all, because they were accepted. But a DKIM policy that I have would of 100% rejected them all. This is partly the reason I didn't like Sender-ID because it was a RFC5322 payload technology and SPF did the job at the SMTP level. I had shown that over 82-84% of the time and it would been a waste in DATA overhead. I also feel that is why DKIM is having a hard time - SPF did a lot of damage to its purpose in life. In any case, we are not doing any REJECT/PASS handling based on DKIM yet, but I am going to try turning off SPF for my domains and see if I get the expected 100% would-be rejects based on DKIM and my ADSP policies. -- Hector Santos, CTO http://www.santronics.com http://santronics.blogspot.com ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
On Thursday, May 26, 2011 07:40:17 PM Murray S. Kucherawy wrote: -Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of MH Michael Hammer (5304) Sent: Thursday, May 26, 2011 4:15 PM To: Scott Kitterman; ietf-dkim@mipassoc.org Subject: Re: [ietf-dkim] MLMs and signatures again The other piece of the equation is how often do I see abusive mail purporting to be from this domain with no signature while mail from this domain that is normally signed has no significant problems. I posted the results of some research on that very question earlier this week: http://mipassoc.org/pipermail/ietf-dkim/2011q2/016656.html My experience is it varies a lot by domain. Some domains are phishing targets and some aren't. If it's not a phishing target DKIM doesn't matter much either way. If it is, then if they can manage to sign all their outbound mail signed/not signed gets to be useful. So I don't think looking at global status is a very useful basis for deciding the question. Scott K ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
-Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Scott Kitterman Sent: Thursday, May 26, 2011 5:36 PM To: ietf-dkim@mipassoc.org Subject: Re: [ietf-dkim] MLMs and signatures again My experience is it varies a lot by domain. Some domains are phishing targets and some aren't. If it's not a phishing target DKIM doesn't matter much either way. If it is, then if they can manage to sign all their outbound mail signed/not signed gets to be useful. So I don't think looking at global status is a very useful basis for deciding the question. So you'd rather I run this on some signing domains that aren't obvious phish targets? I can do that. If you have a few you think might be interesting, send me the names; if not, I can see if I can come up with some just based on the numbers. And I can constrain it to a specific reporting site (e.g., my own) instead of all reporters if you think that gives a more interesting view. ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
On Thursday, May 26, 2011 11:00:04 PM Murray S. Kucherawy wrote: -Original Message- From: ietf-dkim-boun...@mipassoc.org [mailto:ietf-dkim-boun...@mipassoc.org] On Behalf Of Scott Kitterman Sent: Thursday, May 26, 2011 5:36 PM To: ietf-dkim@mipassoc.org Subject: Re: [ietf-dkim] MLMs and signatures again My experience is it varies a lot by domain. Some domains are phishing targets and some aren't. If it's not a phishing target DKIM doesn't matter much either way. If it is, then if they can manage to sign all their outbound mail signed/not signed gets to be useful. So I don't think looking at global status is a very useful basis for deciding the question. So you'd rather I run this on some signing domains that aren't obvious phish targets? I can do that. If you have a few you think might be interesting, send me the names; if not, I can see if I can come up with some just based on the numbers. And I can constrain it to a specific reporting site (e.g., my own) instead of all reporters if you think that gives a more interesting view. I was thinking the opposite. Look at phish targets that sign pretty reliably. I'll contact you offlist with some ideas on which. Scott K ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
Re: [ietf-dkim] MLMs and signatures again
Murray S. Kucherawy wrote: Scott Kitterman wrote: My experience is it varies a lot by domain. Some domains are phishing targets and some aren't. If it's not a phishing target DKIM doesn't matter much either way. If it is, then if they can manage to sign all their outbound mail signed/not signed gets to be useful. So I don't think looking at global status is a very useful basis for deciding the question. So you'd rather I run this on some signing domains that aren't obvious phish targets? I can do that. If you have a few you think might be interesting, send me the names; if not, I can see if I can come up with some just based on the numbers. And I can constrain it to a specific reporting site (e.g., my own) instead of all reporters if you think that gives a more interesting view. This sounds like you are missing a point here. But it might help to know a general makeup of the volume collection you have from the standpoint if it was already pre-filtered. I guess you won't readily know that without asking your contributors, but it would be good know what level, if any, filtering was already done. The reason why I ask is because many systems reject mail before it is accepted and this can mask the value of RFC5322 (payload) evaluations. In addition, it quite often very difficult (if not possible) to turn it off just to see how DKIM will work. For your collection analysis, you will need a majority of the system with always accept first operations so that you can get the large spectrum of bad vs good mail. Then you will need a criteria for what is considered bad. Did you see my post where I showed how large the local hosted domain spoofing is a real problem? For our receiver, we have 4 checks at the MAIL FROM: SMTP state: o CLHRP - Check Local Host Return Path o RPF - Operator defined Return Path Filter rules o SPF o CBV - Call Back Verifier For CLHRP, if the domain part is a locally hosted domain, then the user account is checked. It must be a valid user account. For RPF, operators create their own rules, and normally it could be a lightweight SPF-like conditions to help avoid the next SPF DNS based check for local domains: REJECT IF %RPD% = santronics.com AND %IP% !IN 208.247.131.* REJECT IF %RPD% = winserver.com AND %IP% !IN 208.247.131.* REJECT IF %RPD% = isdg.net AND %IP% !IN 208.247.131.* After that SPF is checked and then CBV (which BTW is the highest rejection for us, bad return paths is a real problem). Its not just me, any SPF domain will have the same high benefit of protected against local domain spoofs. So with these MAIL FROM check alone, it can very well hide the exclusive value and benefits of DKIM for unauthorized signers or invalid/no signatures states. BTW, one reason why we have such a high reject is because we were ISP/ESP in the 90's with our PPP and RADIUS servers and got of that business in 1998. We had around 80K Free Domain user accounts and we still get a consistent 60% RCPT rejection of dirty or inactive accounts. It has never let up. I suspect the YAHOO, GOOGLE, AOL, if they are among your collection, they probably reject a lot today at the SMTP level. In the past, many didn't and always accepted first for scalability reasons. But machines are much faster today, software is more dynamic in its checking especially with the terrible accept/bounce problem everyone is trying to avoid with SMTP rejects. I am just saying, it will help to know to some extent what is the make up of the collection you have from a pre-filter standpoint. If most of it is pre-filtered, then extracting the various value of DKIM is masked or lost. -- Hector Santos, CTO http://www.santronics.com http://santronics.blogspot.com ___ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html