Bye Bye Spam and Phishing with DKIM?
ppadala writes "While research from PEW Internet (PDF) shows that few users really are bothered by spam, IETF is supporting a public key cryptographic based e-mail authentication mechanism called DomainKeys Identified Mail (DKIM) Signatures. The new spec is supposed to help in fighting both spam and fraud. From Ars Technica: 'DKIM's precursor, DomainKeys, was originally developed by Yahoo. The specifications for DKIM were then extended by an informal group of IT organizations that included companies like Yahoo, Cisco, EarthLink, Microsoft, and VeriSign, among others. It was first submitted by the group to the IETF in mid-2005, but only recently published by the IETF. The spec is still to be incorporated into a more formal draft and submitted for approval, however.'"
Prefer SPF (Score:2, Interesting)
No Microsoft, SPF is protecting 8 million domains. Nobody publishes SenderID records, you are misrepresenting the intent of millions of domain holders to claim otherwise! What's worse is that the whores in the IETF working group were complicit in this misrepresentation and have the audacity to blame the SPF guys.
I was looking into DKIM earlier today; I much prefer to reject at SMTP time on mfrom or helo. I really don't like the IETF after witnessing the arrogant, egotistical WG assholes ignoring technical merit to play politics. I guess I'll probably refuse to implement DKIM if the IETF are to specially 'bless' it. Standards by committee that coincidentally fund junkets for a cliche of dick-fiddlers on the dollar of a handful of major corps should be avoided on principle.
Re:Prefer SPF (Score:4, Interesting)
I believed in SPF about three years ago, but it became very clear that it (and Sender ID too) wouldn't do a damn thing, and Domain Keys seems no different.
I am trying DKIM (Score:2, Interesting)
1) There's still no way of saying "my domain always signs email with DKIM, so no signature means forged mail". At least I couldn't figure it out.
2) Mailing lists add a footer which messes with the signature.
As a consequence DKIM at the moment is completely useless since even though all my emails are signed, spammers/phishers can simply not put the DKIM signature and DKIM wouldn't know if the email was forged or not.
Furthermore, DKIM is reporting that a lot of valid emails posted to mailing lists (mostly gmail ones) are forged.
If these 2 problems are solved, I think DKIM could be the best way of building a reputation system to stop spam almost completely.
The first problem is easy to solve (just add a new flag to the DKIM DNS record), the second one could be solved by *requiring* the DKIM-verification software to discard everything following the length of the signed body (at the moment it's optional), and by *requiring* to specify said length (dkimproxy can't do that, AFAIK).
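Added example, not part of the thread or of any DKIM implementation: a sketch of the body-hash step only (no header signing, no DNS key lookup), showing how a list footer breaks the `bh=` check unless the signer set the body length tag `l=`, and what the "discard everything past the signed length" policy from the comment above keeps. The messages, the list URL and the function names are constructed for illustration; canonicalization is DKIM's "simple" body algorithm.

```python
import base64
import hashlib
from typing import Optional, Tuple


def canon_simple_body(body: bytes) -> bytes:
    """DKIM 'simple' body canonicalization: drop trailing empty lines and
    end the body with exactly one CRLF (an empty body becomes CRLF)."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def body_hash(body: bytes, length: Optional[int] = None) -> str:
    """Value for the bh= tag; with l=, only the first `length` octets count."""
    data = canon_simple_body(body)
    if length is not None:
        if length > len(data):
            raise ValueError("l= is longer than the canonicalized body")
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def check_body(received: bytes, bh: str, length: Optional[int] = None) -> Tuple[bool, int]:
    """Verifier side: (hash matches, octets past l= that nothing signs)."""
    data = canon_simple_body(received)
    if length is not None and length > len(data):
        return False, 0          # body was truncated in transit
    unsigned = 0 if length is None else len(data) - length
    return body_hash(received, length) == bh, unsigned


def strip_unsigned(received: bytes, length: int) -> bytes:
    """The comment's proposed policy: keep only the signed prefix."""
    return canon_simple_body(received)[:length]


# Constructed sample data (not from the thread).
ORIGINAL = b"Hi list,\r\nPatch attached.\r\n"
FOOTER = b"-- \r\nexample-list mailing list\r\nhttp://lists.example.org/\r\n"
RELAYED = ORIGINAL + FOOTER           # what subscribers receive
L = len(canon_simple_body(ORIGINAL))  # value the signer would put in l=
BH = body_hash(ORIGINAL, L)           # value the signer would put in bh=

if __name__ == "__main__":
    print("no l=, relayed:", check_body(RELAYED, BH))
    print("l=%d, relayed:" % L, check_body(RELAYED, BH, L))
    print("after stripping:", strip_unsigned(RELAYED, L))
```

The second element returned by `check_body` is the number of octets the recipient would see that no signer vouched for, which is why a verifier that honours `l=` should strip or flag that tail rather than display it as signed.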
Re:Prefer SPF (Score:4, Interesting)
I adopted SPF on the domains I ran early on too, not because I thought it would do a damn thing, but because I didn't want to get screwed by some anal-retentive at RoadRunner who decided to start blocking everything that didn't come from an SPF-record holding domain.
SPF, SenderID and DomainKeys probably could have a good deal more success if they were more widely adopted, but they still wouldn't stop some of the big sources of spam. Even with that in place, the mail system is still vulnerable. We were getting such a high volume of distributed dictionary attacks at the place I worked at that we literally had to hide our mail server behind some Postfix proxies which did nothing more than reject hundreds of thousands (and some days millions) of individual attacks per day.
Re:Will my ISP Quit Blocking Port 25, Finally? (Score:4, Interesting)
If an IP address makes more than X connections to my SMTP port at the same time it gets routed to a teergrube.
If an IP address attempts to send email to Y number of invalid users it gets routed to a teergrube.
If an IP address sends me Z number of spam as marked by spamassassin it gets routed to a teergrube.
If an IP address is on the RBL of my choice it gets routed to a teergrube.
And of course a teergrube which can handle a few hundred simultaneous connections and keep them busy for hours.
If we all had all this then at least we could make a dent in the amount of spam going out.
Users are not bothered by spam? (Score:5, Interesting)
barking up the wrong tree (Score:3, Interesting)