funsec mailing list archives
Re: Shocker: DKIM antispam standard can't stop spam
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Fri, 13 Jul 2007 15:23:45 -0400
On 7/13/07, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
On Fri, 13 Jul 2007 13:19:11 EDT, Dude VanWinkle said: > Domain Keys sound like a bad/more complex implementation of the idea > behind SPF IMO.. No, SPF claims to answer the question "Is the source IP a valid source for domain XYZ?", while Domain Keys answers "Was this mail sourced by an authorized mailer for XYZ?" - which is a subtly different question. For SPF, you verify that a given IP is OK as a source, for Domain Keys you don't care what the IP address actually is, you check if it has the right crypto. Taking it down to a more personal level.. SPF is like saying "It must be valdis posting, because he always posts from turing-police.cc.vt.edu". Domain Keys is like saying "it must be him, because it's always PGP-signed with his sig". The distinction becomes important if turing-police moves around the net (which it actually does, as it's a Dell laptop). Domain Keys is actually more elegant, as it means that you *can* source your mail from anywhere that makes sense at the time. It's however harder to deploy, because you then have to worry about key distribution to "anywhere that makes sense at the time". And as others have pointed out - *both* schemes only validate (to some extent) that I sent the mail, rather than some guy in <insert spamhaven here> using my address sourced through a zombie. You still need a reputation system of some sort to decide if you really want to read what I wrote.. ;)
Well, as long as the proposed spam solutions are optional, and we add enough of them,.. maybe it will eventually stack up to a pretty successful solution in the end. As long as people who care will have the ability to add to the success of the system ,while it still accomidates those who lack the technical skills or desire, I am all for it. Even though it will be left up to the hostmaster of each domain, I think the fiduciary issues related to spam (bandwidth, storage backing up that storage, lost employee productivity, having to teach monkeys about quarantining, etc) will convince most to join in. Maybe eventually we will have yet another partially successful validation system based on the number of partially successful methods are implemented for that particular domain. -JP<who just blocked consumer grade ASN's and was done with it> _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Shocker: DKIM antispam standard can't stop spam Paul Ferguson (Jul 12)
- Re: Shocker: DKIM antispam standard can't stop spam Dude VanWinkle (Jul 13)
- RE: Shocker: DKIM antispam standard can't stop spam Larry Seltzer (Jul 13)
- Re: Shocker: DKIM antispam standard can't stop spam Valdis . Kletnieks (Jul 13)
- Re: Shocker: DKIM antispam standard can't stop spam Dude VanWinkle (Jul 13)
- Re: Shocker: DKIM antispam standard can't stop spam Valdis . Kletnieks (Jul 13)
- Re: Shocker: DKIM antispam standard can't stop spam Dude VanWinkle (Jul 13)
- Re: Shocker: DKIM antispam standard can't stop spam Valdis . Kletnieks (Jul 13)
- Re: Shocker: DKIM antispam standard can't stop spam Nick FitzGerald (Jul 13)
- Re: Shocker: DKIM antispam standard can't stop spam Dude VanWinkle (Jul 13)
- Re: Shocker: DKIM antispam standard can't stop spam Paul Vixie (Jul 13)
- Re: Shocker: DKIM antispam standard can't stop spam Nick FitzGerald (Jul 13)
- Re: Shocker: DKIM antispam standard can't stop spam John Payne (Jul 15)
- <Possible follow-ups>
- Re: Shocker: DKIM antispam standard can't stop spam Paul Ferguson (Jul 13)
- Re: Shocker: DKIM antispam standard can't stop spam Paul Ferguson (Jul 13)