[funsec] Shocker: DKIM antispam standard can't stop spam

Dude VanWinkle dudevanwinkle at gmail.com
Fri Jul 13 14:23:45 CDT 2007


On 7/13/07, Valdis.Kletnieks at vt.edu <Valdis.Kletnieks at vt.edu> wrote:
> On Fri, 13 Jul 2007 13:19:11 EDT, Dude VanWinkle said:
>
> > Domain Keys sound like a bad/more complex implementation of the idea
> > behind SPF IMO..
>
> No, SPF claims to answer the question "Is the source IP a valid source for
> domain XYZ?", while Domain Keys answers "Was this mail sourced by an authorized
> mailer for XYZ?"  - which is a subtly different question.  For SPF, you verify
> that a given IP is OK as a source, for Domain Keys you don't care what the
> IP address actually is, you check if it has the right crypto.
>
> Taking it down to a more personal level..
>
> SPF is like saying "It must be valdis posting, because he always posts from
> turing-police.cc.vt.edu".  Domain Keys is like saying "it must be him, because
> it's always PGP-signed with his sig".
>
> The distinction becomes important if turing-police moves around the net (which
> it actually does, as it's a Dell laptop).
>
> Domain Keys is actually more elegant, as it means that you *can* source your
> mail from anywhere that makes sense at the time.  It's however harder to deploy,
> because you then have to worry about key distribution to "anywhere that makes
> sense at the time".
>
> And as others have pointed out - *both* schemes only validate (to some extent)
> that I sent the mail, rather than some guy in <insert spamhaven here> using
> my address sourced through a zombie.  You still need a reputation system of
> some sort to decide if you really want to read what I wrote.. ;)

Well, as long as the proposed spam solutions are optional, and we add
enough of them,.. maybe it will eventually stack up to a pretty
successful solution in the end.

As long as people who care will have the ability to add to the success
of the system, while it still accommodates those who lack the technical
skills or desire, I am all for it. Even though it will be left up to
the hostmaster of each domain, I think the fiduciary issues related to
spam (bandwidth, storage, backing up that storage, lost employee
productivity, having to teach monkeys about quarantining, etc.) will
convince most to join in.

Maybe eventually we will have yet another partially successful
validation system based on the number of partially successful methods
are implemented for that particular domain.

-JP<who just blocked consumer grade ASN's and was done with it>
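The SPF-versus-DomainKeys distinction Valdis draws above, as an added toy model that is not part of the thread: SPF asks whether the source IP is in the domain's published list, DomainKeys asks whether the message carries a valid signature and ignores the IP entirely. The subnet, domain names, message text and key are constructed; an HMAC stands in for the real public-key signature so the example runs on the standard library alone.

```python
import hashlib
import hmac
import ipaddress

# Constructed stand-ins for published DNS data (not real records):
# the subnet turing-police "usually" posts from, and the domain's signing key.
SPF_RECORD = {"vt.edu": [ipaddress.ip_network("198.51.100.0/24")]}
DKIM_KEYS = {"vt.edu": b"constructed-key-stands-in-for-the-domain-public-key"}


def spf_check(domain: str, source_ip: str) -> bool:
    """SPF: is this IP an authorized source for the domain? Content is irrelevant."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in SPF_RECORD.get(domain, []))


def dkim_sign(domain: str, body: bytes) -> str:
    """Signer side: the authorized mailer signs the message with the domain key."""
    return hmac.new(DKIM_KEYS[domain], body, hashlib.sha256).hexdigest()


def dkim_verify(domain: str, body: bytes, signature: str) -> bool:
    """DomainKeys: does the signature verify under the domain key? IP is irrelevant."""
    key = DKIM_KEYS.get(domain)
    if key is None:
        return False
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def evaluate(domain: str, source_ip: str, body: bytes, signature: str) -> dict:
    return {"spf": spf_check(domain, source_ip), "dkim": dkim_verify(domain, body, signature)}


def scenarios() -> dict:
    """Four constructed cases mirroring the thread's laptop / zombie discussion."""
    body = b"From: valdis@vt.edu\r\n\r\nconstructed message body"
    good_sig = dkim_sign("vt.edu", body)
    return {
        # Laptop at its usual address: both checks pass.
        "laptop at home": evaluate("vt.edu", "198.51.100.7", body, good_sig),
        # Laptop roaming to a new network: SPF fails, the signature still verifies.
        "laptop roaming": evaluate("vt.edu", "203.0.113.9", body, good_sig),
        # Someone elsewhere forging the address without the key: both fail.
        "forger without key": evaluate("vt.edu", "203.0.113.9", body, "0" * 64),
        # A zombie on the authorized host with access to the key: both pass,
        # which is why a reputation system is still needed on top.
        "zombie on authorized host": evaluate("vt.edu", "198.51.100.7", body, good_sig),
    }
```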
