
Bye Bye Spam and Phishing with DKIM?

ppadala writes "While research from PEW Internet (PDF) shows that few users really are bothered by spam, IETF is supporting a public key cryptographic based e-mail authentication mechanism called DomainKeys Identified Mail (DKIM) Signatures. The new spec is supposed to help in fighting both spam and fraud. From Ars Technica: 'DKIM's precursor, DomainKeys, was originally developed by Yahoo. The specifications for DKIM were then extended by an informal group of IT organizations that included companies like Yahoo, Cisco, EarthLink, Microsoft, and VeriSign, among others. It was first submitted by the group to the IETF in mid-2005, but only recently published by the IETF. The spec is still to be incorporated into a more formal draft and submitted for approval, however.'"
  • Prefer SPF (Score:2, Interesting)

    by Anonymous Coward on Thursday May 24, 2007 @06:53PM (#19261769)

    Microsoft, despite its involvement in submitting DKIM to the IETF, is still backing Sender ID and recently bragged that it protects over 8 million domains worldwide.

    No Microsoft, SPF is protecting 8 million domains. Nobody publishes SenderID records, you are misrepresenting the intent of millions of domain holders to claim otherwise! What's worse is that the whores in the IETF working group were complicit in this misrepresentation and have the audacity to blame the SPF guys.


    I was looking into DKIM earlier today, I much prefer to reject at SMTP time on mfrom or helo. I really don't like the IETF after witnessing the arrogant, egotistical WG assholes ignoring technical merit to play politics. I guess I'll probably refuse to implement DKIM if the IETF are to specially 'bless' it. Standards by committee that co-incidentally fund junkets for a cliche of dick-fiddlers on the dollar of a handful of major corps should be avoided on principle.

  • Re:Prefer SPF (Score:4, Interesting)

    by MightyMartian ( 840721 ) on Thursday May 24, 2007 @07:02PM (#19261913) Journal

    SPF is protecting 8 million domains
    I think the proper phrase is "SPF has cluttered up the TXT field of 8 million domain records, most of them with NEUTRAL because no one has the balls to actually let this creature roam the Internet without a heavy chain".

    I believed in SPF about three years ago, but it became very clear that it (and Sender ID too) wouldn't do a damn thing, and Domain Keys seems no different.
  • I am trying DKIM (Score:2, Interesting)

    by wizeman ( 170426 ) on Thursday May 24, 2007 @07:09PM (#19261993)
    DKIM is great except, AFAIK:

    1) There's still no way of saying "my domain always signs email with DKIM, so no signature means forged mail". At least I couldn't figure it out.
    2) Mailing lists add a footer which messes with the signature.

    As a consequence DKIM at the moment is completely useless since even though all my emails are signed, spammers/phishers can simply not put the DKIM signature and DKIM wouldn't know if the email was forged or not.

    Furthermore, DKIM is reporting that a lot of valid emails posted to mailing lists (mostly gmail ones) are forged.

    If these 2 problems are solved, I think DKIM could be the best way of building a reputation system to stop spam almost completely.

    The first problem is easy to solve (just add a new flag to the DKIM DNS record), the second one could be solved by *requiring* the DKIM-verification software to discard everything following the length of the signed body (at the moment it's optional), and by *requiring* to specify said length (dkimproxy can't do that, AFAIK).
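Added example, not part of any comment in this thread: a sketch of the DKIM body-hash step (`bh=` with the optional `l=` body-length tag from RFC 6376), showing why an appended mailing-list footer breaks verification without `l=` and how a verifier can keep only the signed bytes, as the comment above proposes. It covers "simple" body canonicalization only and omits the header signature; the function names, message and footer are constructed for the example.

```python
import base64
import hashlib

# Constructed sample message body and list footer (not from the thread).
ORIGINAL = b"Patch attached.\r\n"
FOOTER = b"-- \r\nexample-list mailing list footer\r\n"


def canon_simple(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    return body if body.endswith(b"\r\n") else body + b"\r\n"


def body_hash(body: bytes, length=None) -> str:
    """Base64 SHA-256 over the canonical body, truncated to `length` octets if given."""
    data = canon_simple(body)
    if length is not None:
        data = data[:length]
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def sign_body(body: bytes, use_length: bool) -> dict:
    """Return the bh= and (optional) l= values a signer would emit."""
    length = len(canon_simple(body)) if use_length else None
    return {"bh": body_hash(body, length), "l": length}


def verify_body(tags: dict, received: bytes):
    """Return (ok, authenticated_body); anything past l= is discarded, not trusted."""
    canon = canon_simple(received)
    length = tags["l"]
    if length is not None and len(canon) < length:
        return False, b""            # body shorter than the signed length
    if body_hash(received, length) != tags["bh"]:
        return False, b""
    return True, canon if length is None else canon[:length]


if __name__ == "__main__":
    relayed = ORIGINAL + FOOTER       # what a list subscriber receives
    print(verify_body(sign_body(ORIGINAL, False), relayed))
    print(verify_body(sign_body(ORIGINAL, True), relayed))
```

Bytes beyond `l` are not covered by the signature, so a verifier that honours `l=` should drop or clearly mark them rather than present them as authenticated.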

  • Re:Prefer SPF (Score:4, Interesting)

    by MightyMartian ( 840721 ) on Thursday May 24, 2007 @07:23PM (#19262223) Journal
    The problem with putting your eggs in a basket is that you're putting a helluva lot of trust in a system which is nothing more than a good neighbor policy. A lot of guys I know simply put in SPF records that set them to neutral, because they were ISPs who had clients who were sending from various restrictive networks that blocked them (yes I know, switching ports, SMTP auth and all that ought to do the trick, but we're in the real world here). SPF wasn't perfect, and forwarding was a major failure that was only solved by envelope-rewriting.

    I adopted SPF on the domains I ran early on too, not because I thought it would do a damn thing, but because I didn't want to get screwed by some anal-retentive at RoadRunner who decided to start blocking everything that didn't come from an SPF-record holding domain.

    SPF, SenderID and DomainKeys probably could have a good deal more success if they were more widely adopted, but they still wouldn't stop some of the big sources of spam. Even with that in place, the mail system is still vulnerable. We were getting such a high volume of distributed dictionary attacks at the place I worked at that we literally had to hide our mail server behind some Postfix proxies which did nothing more than reject hundreds of thousands (and some days millions) of individual attacks per day.
  • by killjoe ( 766577 ) on Thursday May 24, 2007 @07:26PM (#19262257)
    Here is what I would like.

    If an IP address makes more than X connections to my SMTP port at the same time it gets routed to a teergrube.
    If an IP address attempts to send email to Y number of invalid users it gets routed to a teergrube.
    If an IP address sends me Z number of spam as marked by spamassassin it gets routed to a teergrube.
    If an IP address is on the RBL of my choice it gets routed to a teergrube.

    And of course a teergrube which can handle a few hundred simultaneous connections and keep them busy for hours.

    If we all had all this then at least we could make a dent in the amount of spam going out.
  • by Gary W. Longsine ( 124661 ) on Thursday May 24, 2007 @07:41PM (#19262431) Homepage Journal
    I find it difficult to believe that most users are not bothered by spam. As far as I can tell, legitimate email use has been falling dramatically for the past couple years, as people flee the effects of spam, switching to SMS and IM (Jabber, AIM, etc.) Email use within a single corporation remains popular, but home users seem to be abandoning email outright. Some people have given up ordinary email and only use locked-down email inside of social network sites. Spam seems to be killing email. If that doesn't bother people, it's only because they fled email for IM, SMS, and Myspace. If spam follows them, and they have nowhere else to run, they're going to become pretty irate.
  • by DaMattster ( 977781 ) on Thursday May 24, 2007 @08:46PM (#19263209)
    I think the OpenBSD guys have the best solution to spam bar none. Rather than adding fancy verification, authentication, or filtration layers, they engage in a technique to make the spammers hurt: tar-pitting. Why not force spammers to put up with an SMTP server that is so slow that it causes them to choke. The best solution for fighting spam is not through processor expensive filtration or key decryption process but through a combination of greylisting, greytrapping, and greyscanning. These methods bring about measurable results. This is ingenious. I have set up an OpenBSD spamwall at my father's business. We have gone from several hundred spam messages per day to only 10 per week. In a 24 hour period we were hit with 2000 smtp connection attempts. Of those 1992 of them gave up. The biggest complaint I have received was that they were not getting enough spam and there was concern that legitimate email might be lost. Our spam wall has been in service for a month without problems. The system is not perfect, but a drastic reduction is realized. These methods hurt the spammer and if enough people employ them, spam may become a thing of the past. The absolute worst thing that could happen is that a legitimate email might be delayed by 4-6 hours.
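Added example, not part of any comment in this thread and not OpenBSD's code: a simplified model of the greylisting and greytrapping decisions the comment above refers to. A new (IP, sender, recipient) triplet is temp-failed until it retries after a delay, and a non-whitelisted host that mails a trap address is sent to the tarpit. The class name, timing values, addresses and events are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Greylister:
    """Simplified greylisting + greytrapping model (illustrative, not spamd's code)."""
    pass_delay: int = 25 * 60        # seconds a new triplet must wait (example value)
    grey_expiry: int = 4 * 3600      # unretried triplets are forgotten (example value)
    traps: set = field(default_factory=set)       # addresses that never get real mail
    first_seen: dict = field(default_factory=dict)
    whitelist: set = field(default_factory=set)
    tarpit: set = field(default_factory=set)

    def check(self, ip, mail_from, rcpt_to, now):
        """Decide one RCPT attempt: TEMPFAIL (retry later), ACCEPT, or TARPIT."""
        if rcpt_to in self.traps and ip not in self.whitelist:
            self.tarpit.add(ip)      # greytrapping: unknown host mailed a trap address
        if ip in self.tarpit:
            return "TARPIT"
        if ip in self.whitelist:
            return "ACCEPT"
        key = (ip, mail_from, rcpt_to)
        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.grey_expiry:
            self.first_seen[key] = now   # first sighting, or the old entry expired
            return "TEMPFAIL"
        if now - seen < self.pass_delay:
            return "TEMPFAIL"            # retried too quickly
        self.whitelist.add(ip)           # retried like a real MTA: let it through
        return "ACCEPT"

# Constructed SMTP attempts: (time_s, client_ip, MAIL FROM, RCPT TO)
EVENTS = [
    (0,    "192.0.2.10",   "alice@example.org", "bob@example.net"),
    (10,   "198.51.100.7", "promo@example.com", "trap@example.net"),
    (20,   "198.51.100.7", "promo@example.com", "bob@example.net"),
    (60,   "192.0.2.10",   "alice@example.org", "bob@example.net"),
    (1800, "192.0.2.10",   "alice@example.org", "bob@example.net"),
]

def replay(events, traps=("trap@example.net",)):
    """Run the constructed events through a fresh Greylister and list the decisions."""
    g = Greylister(traps=set(traps))
    return [g.check(ip, frm, to, t) for t, ip, frm, to in events]

if __name__ == "__main__":
    print(replay(EVENTS))
```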
