On Jan 28, 2009, at 6:41 PM, Suresh Ramasubramanian wrote:
On Thu, Jan 29, 2009 at 8:03 AM, Mark Delany <markd(_at_)yahoo-inc(_dot_)com>
Colo(u)r me dumb/confused/take-your-pick, but is i= effectively the
moral equivalent of IDENT (RFC1413)?
Not that I saw people trying to build a reputation model around
IDENT (thank god?), but yeah .. interesting idea.
Building a reputation model around DKIM creates concerns related to
replay abuse. DKIM's signature time constraint will not mitigate the
replay concern either. When there are problematic accounts, a
reputation service could add a secondary query to mitigate problematic
and non-rate-limited accounts of the larger domains within minutes of
detection. When the number of problematic accounts becomes too large,
rejecting at the initial query may become necessary.
Today, malware, that morphs within 7 hours, is distributed through
exponentially growing botnets where new threats are generated every
few seconds. A signature distribution scheme is unable pace with this
problem. For malware, this is especially true since reversible
signatures can intentionally collide with essential files. Even so,
it would be ill considered to expect a mitigation effort based upon
the DKIM signature can endure the torrent of signatures already being
generated by the spam emitted from these large domains. The numbers
would be daunting to support for just one large domain, without
considering the thousands of such domains.
When a signing domain accurately, even opaquely, indicates the on-
behalf-of entity within the DKIM signature, this dramatically reduces
the size of the problem. Such a reputation model will be expensive,
so it better have a chance to scale to the problem at hand.
NOTE WELL: This list operates according to