Re: [Mimedefang] What about DKIM
On 2013-5-22 3:08 , Philip Prindeville wrote:
> Does everyone implement ADSP? Even though it's apparently been an RFC for 4 years…

Seriously, don't go there. Hardly anyone implements ADSP. Certainly none of the big mail receivers, where most big ISPs do support DMARC... Note that you should be careful before using DMARC on your own domain, though. Notably, it breaks mail to mailing lists... it's most effective on domains that are often the victim of phishing.

-- 
Jan-Pieter Cornet
Most seasonal greetings are sent by spammers and phishers.

signature.asc
Description: OpenPGP digital signature

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] What about DKIM
On Wed, 22 May 2013 15:15:13 +0200 Jan-Pieter Cornet joh...@xs4all.nl wrote:
>> Exactly what is the point behind DMARC?
> Try talking to an organization that has a serious phishing problem.
>> Therefore, why reinvent the wheel?
> I'm sure glad someone did, or we would all still be using this:
> http://www.dreamstime.com/stock-photography-stone-wheel-image5121882

at least it'd give us a solid presence in the streets, nice wheels!

> Or in the case of SPF, more likely this:
> http://thumbs.dreamstime.com/thumblarge_593/1300952810s9s08A.jpg
> :-)

well, after all wasn't SPF an idea from Microsoft, a gang of squares thinking they're geeks...

-- 
22, Accacia Av.

signature.asc
Description: PGP signature
Re: [Mimedefang] What about DKIM
From: Renaud Pascal renaud.pas...@atos.net
> well, after all wasn't SPF an idea from Microsoft, a gang of squares thinking they're geeks...

No, that was CallerID, later SenderID. SPF was from Meng Wong at POBOX.com, based on the work of others. The MARID working group tried to merge SenderID with SPF, but that effort failed.

SenderID was a bloated mess of XML jammed into DNS TXT records. Sometimes EDNS0 (if it was even available) wouldn't keep it from failing over to TCP for the DNS query.
Re: [Mimedefang] What about DKIM
On Wed, 22 May 2013 15:35:28 +0200 Renaud Pascal renaud.pas...@atos.net wrote:
> well, after all wasn't SPF an idea from Microsoft, a gang of squares thinking they're geeks...

SPF was created by Meng Wong of pobox.com, not by Microsoft. Microsoft had its own invention called Caller ID for Email that was later merged into Sender ID which is a (IMO) defective bastardization of SPF and Caller ID for Email.

DKIM emerged from Yahoo!'s DomainKeys specification and addresses the problem from a completely different viewpoint; instead of specifying machines allowed to relay for a domain, DKIM provides cryptographically-secure evidence that a message passed through a responsible relay. Unlike SPF, DKIM can validate the From: header field.

DMARC adds feedback to DKIM/SPF so that domain owners can see if their domain is being abused (for example, in phishing attacks.)

Every single one of these protocols has defects that make them completely useless for combatting spam and mostly useless for combatting phishing. Welcome to Internet email.

Regards,
David.
Re: [Mimedefang] What about DKIM
On May 13, 2013, at 2:15 PM, David F. Skoll d...@roaringpenguin.com wrote:
[snip]
> It's not the same thing. My code would convert:
>     foo\n
> to
>     foo
> whereas yours would leave it as
>     foo\n

By the way, is the record:

    $ORIGIN mydomain.tld
    _domainkey IN TXT "o=-; r=postmas...@mydomain.tld"

or is the ADSP record sufficient?

    _adsp._domainkey IN TXT "dkim=discardable;"

Does everyone implement ADSP? Even though it's apparently been an RFC for 4 years…

-Philip
Re: [Mimedefang] What about DKIM
On May 9, 2013, at 3:30 PM, David F. Skoll d...@roaringpenguin.com wrote:
> It is very easy to add. Use the Mail::DKIM::Signer and Mail::DKIM::TextWrap modules from CPAN. This is in our filter and we call it to sign a message from filter_end:

Thanks for sharing that. Couple of questions:

Is the SHA computed over the header or the entirety of the message? If it's just over the header, then all you'd need is:

    $dkim->PRINT($entity->head()->as_string());

right? But then if it were just over the header, you could replay the header so there wouldn't be much point to that…

If it's over the entirety of the message, then you could do:

    $dkim->PRINT($entity->as_string());

for the entire serialized message, yes?

Also, looking at:

    chomp;
    s/\015$//;

makes me wonder about this (and I've seen it elsewhere). Why not just do:

    local $/ = "\r\n";
    chomp;

instead?

Thanks,
-Philip
Re: [Mimedefang] What about DKIM
On Mon, 13 May 2013 14:01:57 -0600 Philip Prindeville philipp_s...@redfish-solutions.com wrote:
> Couple of questions:
> Is the SHA computed over the header or the entirety of the message?

Entire message.

>     $dkim->PRINT($entity->as_string());

I'm not sure how that would handle SMTP line endings. It's been a while since I wrote the code, so I can't remember if I tried what you just wrote and it didn't work, or if I didn't try it.

> makes me wonder about this (and I've seen it elsewhere). Why not just do:
>     local $/ = "\r\n";
>     chomp;

It's not the same thing. My code would convert:

    foo\n

to

    foo

whereas yours would leave it as

    foo\n

Regards,
David.
Re: [Mimedefang] What about DKIM
On Thu, 09 May 2013 21:43:43 -0400 Kevin A. McGrail kmcgr...@pccc.com wrote:
> Thanks for that info. Out of interest, it doesn't look like you use ADSP. Any reason why or why not?

No reason; just never bothered. And I think ADSP has been downgraded to experimental because DMARC is taking over.

> I'd also love to know more about how you would recommend creating the key and the DNS records because I've often worried about that and Google started bouncing my old 512-bit key so I recently disabled that.

I didn't do anything special. Just created a 2048-bit keypair and published the record.

Regards,
David.
Re: [Mimedefang] What about DKIM
On Thu, 9 May 2013 12:14:40 -0600 Philip Prindeville philipp_s...@redfish-solutions.com wrote:
> And DKIM support for verification is in SpamAssassin, but I'm not seeing any support for signing in MimeDefang.

It is very easy to add. Use the Mail::DKIM::Signer and Mail::DKIM::TextWrap modules from CPAN. This is in our filter and we call it to sign a message from filter_end:

    use Mail::DKIM::Signer;
    use Mail::DKIM::TextWrap;

    sub dkim_sign {
        my $dkim = Mail::DKIM::Signer->new(
            Algorithm => "rsa-sha1",
            Method    => "relaxed",
            Domain    => "roaringpenguin.com",
            Selector  => "main",
            KeyFile   => "/etc/ssl/private/roaringpenguin.com.dkim.2048.key");
        # INPUTMSG is the raw message in MIMEDefang's working directory
        if (open(TOSIGN, "<INPUTMSG")) {
            while (<TOSIGN>) {
                # remove local line terminators
                chomp;
                s/\015$//;
                # use SMTP line terminators
                $dkim->PRINT("$_\015\012");
            }
            close(TOSIGN);
            $dkim->CLOSE();
            my $signature = $dkim->signature()->as_string();
            # as_string() includes the "DKIM-Signature:" field name; strip it before adding the header
            $signature =~ s/^DKIM-Signature:\s+//i;
            action_add_header('DKIM-Signature', $signature);
        }
    }

Regards,
David.
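Added example (editor's code, not from the filter above or from Mail::DKIM): what the signing loop's line-ending normalization actually feeds the hash, and why the two chomp variants discussed in this thread differ. The message and body in DKIM are not hashed as one blob: the body is canonicalized (RFC 6376 "simple" or "relaxed") and hashed into the bh= tag, and the signature then covers the selected headers plus that bh= value. This block implements the relaxed and simple body canonicalization and the bh= computation with SHA-256 (RFC 8301 has since deprecated the rsa-sha1 used in the filter above), and shows that an LF-terminated and a CRLF-terminated copy of the same message produce the same hash once normalized the way the filter does, while a `$/ = "\r\n"` chomp would leave a bare "\n" inside the line. The sample message is constructed.

```python
import base64
import hashlib
import re


def chomp_then_strip_cr(line: bytes) -> bytes:
    """Perl `chomp; s/\\015$//`: drop a trailing LF, then a trailing CR,
    so LF-terminated and CRLF-terminated input lines both end up bare."""
    if line.endswith(b"\n"):
        line = line[:-1]
    if line.endswith(b"\r"):
        line = line[:-1]
    return line


def chomp_crlf_only(line: bytes) -> bytes:
    """Perl `local $/ = "\\r\\n"; chomp`: only a literal CRLF is removed,
    so a bare-LF line keeps its LF and would be hashed with it inside."""
    return line[:-2] if line.endswith(b"\r\n") else line


def to_smtp_line_endings(raw: bytes) -> bytes:
    """Re-terminate every line with CRLF, as the filter's signing loop does."""
    lines = raw.split(b"\n")
    if lines and lines[-1] == b"":      # input ended with a terminator
        lines.pop()
    return b"".join(chomp_then_strip_cr(line) + b"\r\n" for line in lines)


def split_message(msg: bytes):
    """Header block and body of a CRLF-terminated message (split at the first empty line)."""
    head, _, body = msg.partition(b"\r\n\r\n")
    return head + b"\r\n", body


def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed) canonicalization of a CRLF body."""
    if method not in ("simple", "relaxed"):
        raise ValueError("unknown canonicalization: " + method)
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # strip trailing WSP and squeeze runs of WSP within a line to one SP
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while lines and lines[-1] == b"":   # ignore all empty lines at the end of the body
        lines.pop()
    if not lines:
        # an entirely empty body is a lone CRLF under simple and nothing under relaxed
        return b"\r\n" if method == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, method: str = "relaxed") -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed sample: the same message with local LF endings and with CRLF endings.
LF_MESSAGE = (b"From: alice@example.org\nTo: bob@example.net\nSubject: hi\n\n"
              b"Hello,  \t world   \n\n\n")
CRLF_MESSAGE = LF_MESSAGE.replace(b"\n", b"\r\n")


def hashes_for(raw: bytes):
    """(relaxed bh, simple bh) of a message in whatever line-ending convention it arrived."""
    _, body = split_message(to_smtp_line_endings(raw))
    return body_hash(body, "relaxed"), body_hash(body, "simple")


if __name__ == "__main__":
    print(hashes_for(LF_MESSAGE))
    print(hashes_for(CRLF_MESSAGE))   # identical: normalization makes the hash input the same
```

Relaxed canonicalization is what lets a signature survive minor whitespace rewriting in transit; it does nothing for a mailing list that appends a footer, which changes the body itself and therefore bh=.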
Re: [Mimedefang] What about DKIM
On 5/9/2013 5:30 PM, David F. Skoll wrote:
>             KeyFile   => "/etc/ssl/private/roaringpenguin.com.dkim.2048.key");

Thanks for that info. Out of interest, it doesn't look like you use ADSP. Any reason why or why not?

I'd also love to know more about how you would recommend creating the key and the DNS records because I've often worried about that and Google started bouncing my old 512bit key so I recently disabled that.

Regards,
KAM
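Added example (editor's code, not from any poster in this thread) for the "how do I create the key and the DNS record" question above and the "just created a 2048-bit keypair and published the record" answer. Generate the key with OpenSSL (`openssl genrsa -out dkim.key 2048`, then `openssl rsa -in dkim.key -pubout`); the p= value of the selector record is simply the base64 of the DER SubjectPublicKeyInfo that the PEM armor wraps. Two things the thread touches on are checked here: the key size is read out of the modulus itself so that a 512-bit key (which Google was already bouncing in 2013) is refused, and the record is split into 255-octet quoted strings, because a single TXT character-string cannot exceed 255 octets and a 2048-bit p= is longer than that; receivers concatenate the strings. The DER encoder exists only so the block runs offline on a constructed, non-functional "key"; it is not a key generator.

```python
import base64

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1


def der_tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER tag-length-value encoder (definite lengths below 65536)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def der_int(value: int) -> bytes:
    # one extra byte when the top bit is set, so the INTEGER stays positive
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der_tlv(0x02, body)


def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo for an RSA key: the DER that 'openssl rsa -pubout' wraps in PEM."""
    rsa_public_key = der_tlv(0x30, der_int(n) + der_int(e))
    algorithm = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # rsaEncryption, NULL params
    return der_tlv(0x30, algorithm + der_tlv(0x03, b"\x00" + rsa_public_key))


def pem_public_key(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def der_read(buf: bytes, pos: int = 0):
    """Read one TLV at pos; returns (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der: bytes) -> int:
    """Key size of an RSA SubjectPublicKeyInfo, read from the modulus itself."""
    _, spki, _ = der_read(spki_der)
    _, algorithm, pos = der_read(spki)
    if not algorithm.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("not an RSA public key (k=rsa is the only key type this record supports)")
    _, bit_string, _ = der_read(spki, pos)
    _, rsa_public_key, _ = der_read(bit_string[1:])    # first octet counts unused bits
    _, modulus, _ = der_read(rsa_public_key)
    return int.from_bytes(modulus, "big").bit_length()


def dkim_txt_record(pem: str, selector: str, min_bits: int = 1024) -> str:
    """Zone-file TXT record for selector._domainkey, refusing key sizes receivers reject."""
    b64 = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    bits = rsa_modulus_bits(der)
    if bits < min_bits:
        raise ValueError(f"{bits}-bit key is below {min_bits} bits; large receivers reject it")
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(der).decode("ascii")
    # a single TXT character-string holds at most 255 octets; receivers concatenate the pieces
    pieces = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{selector}._domainkey IN TXT " + " ".join(f'"{p}"' for p in pieces)


def demo() -> str:
    # Constructed 2048-bit odd number standing in for a modulus; NOT a usable RSA key.
    n = (1 << 2047) | 0x10001
    return dkim_txt_record(pem_public_key(rsa_spki_der(n, 65537)), "main")


if __name__ == "__main__":
    print(demo())
```

Feed `dkim_txt_record()` the real PEM from `openssl rsa -pubout` and the selector you configured in the signer (the filter above uses "main"); the private key file stays where only the milter user can read it.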
Re: [Mimedefang] What about DKIM
On Apr 1, 2013, at 4:22 PM, Jan-Pieter Cornet joh...@xs4all.nl wrote:
> Hey, I like DMARC. I've even implemented DMARC verification in MIMEDefang ;) (the reporting bit is a stand-alone process).

Any chance of posting your changes? I'd like to try implementing it outbound…

Thanks,
-Philip
Re: [Mimedefang] What about DKIM
--- On Wed, 5/8/13, Philip Prindeville philipp_s...@redfish-solutions.com wrote:
> On Apr 1, 2013, at 4:22 PM, Jan-Pieter Cornet joh...@xs4all.nl wrote:
>> Hey, I like DMARC. I've even implemented DMARC verification in MIMEDefang ;) (the reporting bit is a stand-alone process).
> Any chance of posting your changes? I'd like to try implementing it outbound…

Exactly what is the point behind DMARC? DKIM already has feedback elements in its declarations. SPF doesn't explicitly have such, but generally the difference between FAIL and SOFTFAIL implies such (the latter as an indication of a DSN request as opposed to SMTP rejection, as well as macro expansion for the exists operator in combination with DNSBL DNS-request logging as suggested in RFC 4408, Section 9). Therefore, why reinvent the wheel?

I would be hesitant of any scheme that claims that its predecessors were developed over a decade ago when it is unaware of their histories. SPF didn't come about until 2004 (9 years ago; not published formally as an RFC until 7 years ago), and DKIM was created in 2004 (9 years ago; RFC published in 2007 - 6 years ago). [References from the http://www.dmarc.org/overview.html web page.]

Additionally, I would also be hesitant to adopt any scheme backed by an organization (Google / Gmail) who can't even provide the simplest of RFC/Standards compliance for their own mail. Standard 10 (RFC 821) requires that Received: headers which claim SMTP compliance (i.e. have a "with SMTP" clause) MUST also have a "from" clause, which Gmail omits; a standards violation. They have been made aware of this in their feedback forums and have refused to fix it.
Re: [Mimedefang] What about DKIM
On Mar 27, 2013, at 11:48 AM, David F. Skoll d...@roaringpenguin.com wrote:
> On Wed, 27 Mar 2013 12:22:37 -0500 Ben Kamen bka...@benjammin.net wrote:
>> Now that we've seen/talked some stats on SPF... I'd be interested to know what anyone might have to offer on DKIM usefulness.
> DKIM is useful for letting you know that a message has been relayed through a responsible organization's server. I don't think it's very useful as a spam/ham indicator. Plenty of validly-signed mail is spam (think Yahoo!) and some ham ends up with broken DKIM signatures (think broken boilerplate-appending software.)

Since when did Yahoo! become a responsible organization? Did I miss that?

-Philip
Re: [Mimedefang] What about DKIM
On Wed, 1 May 2013 12:58:56 -0600 Philip Prindeville philipp_s...@redfish-solutions.com wrote:
> On Mar 27, 2013, at 11:48 AM, David F. Skoll d...@roaringpenguin.com wrote:
>> DKIM is useful for letting you know that a message has been relayed through a responsible organization's server.
> Since when did Yahoo! become a responsible organization? Did I miss that?

I used the term "responsible organization" in the sense intended by DKIM. That is, Yahoo's servers (and by implication Yahoo! itself) are definitely responsible for a message that has a valid DKIM signature from Yahoo.

Regards,
David.
Re: [Mimedefang] What about DKIM
On May 1, 2013, at 1:10 PM, David F. Skoll d...@roaringpenguin.com wrote:
> I used the term "responsible organization" in the sense intended by DKIM. That is, Yahoo's servers (and by implication Yahoo! itself) are definitely responsible for a message that has a valid DKIM signature from Yahoo.

I know, I was just being cheeky. I finally stopped accepting email from Yahoo! because I found their (now defunct) abuse team to be worthless.

-Philip
Re: [Mimedefang] What about DKIM
Philip Prindeville wrote:
> I finally stopped accepting email from Yahoo! because I found their (now defunct) abuse team to be worthless.

It's still there, still worthless. I recently received an email from an (upstream) ISP as Yahoo! had complained to them that one of our sites was sending out spam. Looking at the message, it turned out to be a bounce from a non-existent address (actually someone who'd left a few months ago) to an email sent from, err, a Yahoo! account - as verified by the headers (passed all their outgoing checks with no problem). Odd that they only seem to notice spam going one way.

Regards
John
Re: [Mimedefang] What about DKIM
--- On Wed, 5/1/13, John Halewood j...@unidec.co.uk wrote:
> It's still there, still worthless. I recently received an email from an (upstream) ISP as Yahoo! had complained to them that one of our sites was sending out spam. Looking at the message, it turned out to be a bounce from a non-existent address (actually someone who'd left a few months ago) to an email sent from, err, a Yahoo! account - as verified by the headers (passed all their outgoing checks with no problem). Odd that they only seem to notice spam going one way.

DKIM doesn't validate the spamminess of the content. Why do you think it does? All it does is to authenticate the source of the message. This way, you know the spammer is who he claimed to be (or not). When properly set up, it will identify forged and tampered messages to you; that's all.
Re: [Mimedefang] What about DKIM
On 2013-3-27 18:48 , David F. Skoll wrote:
>> Now that we've seen/talked some stats on SPF... I'd be interested to know what anyone might have to offer on DKIM usefulness.
> The up-and-coming thing is DMARC, which will probably enjoy good press the way SPF and DKIM did for a few years until it too is found to be not very useful. :)
> DMARC is intended to close two loopholes: It lets domain owners *specify* what you should do on SPF fail or DKIM fail, and it gives domain owners feedback about failed SPF/DKIM so a domain owner can know that he/she's the victim of spoofing.
> DMARC falls flat because it does not in any way protect what the user sees as the From field in a mail reader, so phishers can happily spoof mail and still be DMARC-compliant.

Hey, I like DMARC. I've even implemented DMARC verification in MIMEDefang ;) (the reporting bit is a stand-alone process).

It's useful, because it will deter phishers from abusing a domain (a national Dutch bank saw a decrease of 71% of the number of phishing mails spoofing their domain, since enforcing DMARC). However, it's only useful for transactional mails: you cannot use it for domains with ordinary users on it (so: it's for banks or other institutions that send lots of automated mails that are often the targets of phishing).

DMARC protects the domain in the From: header. No more, no less. Anyone can still say they're From: "secur...@qayqal.com" <e...@spammer.tld>, and most users will see the address between quotes instead of the real address. MUA authors are beginning to wake up to this, just a few days ago I had a friendly chat with someone from an organization that probably has the largest number of installed MUAs out there.

Worldwide, already about 60% of all inboxes already apply DMARC verification. Don't write it off just yet ;)

The biggest problem for DMARC (and DKIM) is that it breaks on mailing list mails.

> Not widely used.
> Also, Yahoo, who started DK, doesn't even do its ADSP extension coding correctly:

ADSP is almost dead, and widely considered dangerous. Nobody in his right mind should be using it anymore.

-- 
Jan-Pieter Cornet
Most seasonal greetings are sent by spammers and phishers.

signature.asc
Description: OpenPGP digital signature
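Added example (editor's code, not Jan-Pieter's MIMEDefang implementation) of the DMARC evaluation the two posts above argue about: which identifier DMARC checks, how SPF and DKIM results are "aligned" with it, and what the policy then asks for. It makes both points concrete: the same bank alert is rejected when it arrives from the phisher's infrastructure and accepted when it comes from the bank, a mailing-list relay of a legitimate message fails (SPF is the list's domain and the footer broke the bank's signature), and the `"alerts@bank.tld" <news@spammer.tld>` display-name trick passes, because only the address's domain is evaluated. The DNS lookups are left out so it runs offline: the `_dmarc` record is passed in, and the Public Suffix List is replaced by a constructed handful of suffixes (real code must load the full list). Policies, messages and domains are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed stand-in for the Public Suffix List; real DMARC code loads the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "tld", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Registered domain: one label below the longest matching public suffix (RFC 7489 s3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def parse_dmarc_record(txt: str) -> dict:
    """Tags of a _dmarc TXT record, with the alignment modes defaulted to relaxed."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: " + txt)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def rfc5322_from_domain(raw_message: str):
    """The only identifier DMARC protects: the domain of the single From: address.
    The display name in front of it is never looked at."""
    msg = message_from_string(raw_message)
    addresses = getaddresses(msg.get_all("From", []))
    if len(addresses) != 1 or "@" not in addresses[0][1]:
        return None            # zero or several From: domains: not processable by DMARC
    return addresses[0][1].rsplit("@", 1)[1].lower()


def display_name_looks_like_address(raw_message: str) -> bool:
    """Flag the '"alerts@bank.tld" <news@spammer.tld>' trick: an address inside the display name."""
    msg = message_from_string(raw_message)
    return any("@" in name for name, _ in getaddresses(msg.get_all("From", [])))


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if mode == "s":
        return from_domain == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(raw_message, record, spf_domain, spf_pass, dkim_results):
    """record: the _dmarc TXT of the From: domain (DNS lookup omitted here).
    dkim_results: list of (d= domain, verified) for each signature found.
    Returns (DMARC result, disposition the policy asks for)."""
    tags = parse_dmarc_record(record)
    from_domain = rfc5322_from_domain(raw_message)
    if from_domain is None:
        return "none", "none"
    spf_ok = bool(spf_pass and spf_domain and aligned(from_domain, spf_domain, tags["aspf"]))
    dkim_ok = any(ok and aligned(from_domain, d, tags["adkim"]) for d, ok in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]


# Constructed policy for the bank being phished, and constructed sample messages.
BANK_POLICY = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@bank.tld"
ALERT = "From: Bank Security <alerts@bank.tld>\nSubject: Verify your account\n\nclick here\n"
DISPLAY_NAME_TRICK = ('From: "alerts@bank.tld" <news@spammer.tld>\n'
                      "Subject: Verify your account\n\nclick here\n")
LIST_RELAY = "From: Alice <alice@bank.tld>\nSubject: [list] question\n\nbody plus list footer\n"


def scenarios():
    return {
        # identical text, spoofed From: domain, sent from the phisher's own infrastructure
        "phish": evaluate_dmarc(ALERT, BANK_POLICY, "spammer.tld", True, [("spammer.tld", True)]),
        # the bank's own mail: SPF subdomain aligns relaxed, DKIM d= aligns strict
        "legit": evaluate_dmarc(ALERT, BANK_POLICY, "mail.bank.tld", True, [("bank.tld", True)]),
        # a mailing list re-sends it: SPF is the list's domain, the footer broke the bank's signature
        "list": evaluate_dmarc(LIST_RELAY, BANK_POLICY, "lists.example.org", True,
                               [("bank.tld", False), ("lists.example.org", True)]),
        # From: domain is the spammer's, so it is judged under the spammer's own record
        "display_name": evaluate_dmarc(DISPLAY_NAME_TRICK, "v=DMARC1; p=none", "spammer.tld", True, []),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
    print("display name carries an address:", display_name_looks_like_address(DISPLAY_NAME_TRICK))
```

The "list" scenario is the breakage both posters mention: under p=reject the receiver is asked to discard a real user's message, which is why the advice here is to enforce DMARC only on transactional domains. The "display_name" scenario is why a receiver that cares about phishing needs its own check on the display name, as `display_name_looks_like_address()` does; DMARC will not do it.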
[Mimedefang] What about DKIM
Hey all,

Now that we've seen/talked some stats on SPF... I'd be interested to know what anyone might have to offer on DKIM usefulness.

-Ben

-- 
Ben Kamen - O.D.T., S.P.
eMail: b...@benjammin.net http://www.benjammin.net

Fortune says:
A man either lives life as it happens to him, meets it head-on and licks it, or he turns his back on it and starts to wither away.
-- Dr. Boyce, The Menagerie (The Cage), stardate unknown

NOTICE: All legal disclaimers sent to benjammin.net/benkamen.net or any of its affiliated domains are rendered null and void on receipt of communications and will be handled/considered as such.
Re: [Mimedefang] What about DKIM
On Wed, 27 Mar 2013 12:22:37 -0500 Ben Kamen bka...@benjammin.net wrote:
> Now that we've seen/talked some stats on SPF... I'd be interested to know what anyone might have to offer on DKIM usefulness.

DKIM is useful for letting you know that a message has been relayed through a responsible organization's server. I don't think it's very useful as a spam/ham indicator. Plenty of validly-signed mail is spam (think Yahoo!) and some ham ends up with broken DKIM signatures (think broken boilerplate-appending software.)

The up-and-coming thing is DMARC, which will probably enjoy good press the way SPF and DKIM did for a few years until it too is found to be not very useful. :)

DMARC is intended to close two loopholes: It lets domain owners *specify* what you should do on SPF fail or DKIM fail, and it gives domain owners feedback about failed SPF/DKIM so a domain owner can know that he/she's the victim of spoofing.

DMARC falls flat because it does not in any way protect what the user sees as the From field in a mail reader, so phishers can happily spoof mail and still be DMARC-compliant.

http://www.dmarc.org/

Regards,
David.
Re: [Mimedefang] What about DKIM
--- On Wed, 3/27/13, Ben Kamen bka...@benjammin.net wrote:
> Now that we've seen/talked some stats on SPF... I'd be interested to know what anyone might have to offer on DKIM usefulness.

Not widely used.

Also, Yahoo, who started DK, doesn't even do its ADSP extension coding correctly: They have an entry but CNAME it to something that never resolves to a TXT-RR, so it's broken. Some other domains do it correctly, but I see it in perhaps one of 50 transactions at most.

It's much harder to set up.