ietf-asrg

Re: [Asrg] 6 - Yahoo Domain Keys

2004-05-19 17:07:16
On 19 May 2004, John Levine wrote:

> > Also, much spam from hijacked PCs seems to use the hijacked
> > PC's host, as in
> > wasteofoxygen(_at_)dyn-83-155-31-99(_dot_)ppp(_dot_)tiscali(_dot_)fr
> >
> > That sort of thing will get around these SPF/YDK approaches, right?
>
> No, a valid DK signature tells you that the message really was signed
> by the domain in the From: line.  If there's a zombie'd PC at
> tiscali.fr, and it sends mail through Tiscali's mail servers using a
> tiscali.fr address, and the servers sign it (which, with half decent
> volume checks they wouldn't) it'll pass DK checks.
>
> I agree that knowing that mail really came from woifnsdnskensk.com
> isn't very useful without a reputation system, but DK at least
> validates the actual mail that you see, not the envelope which you
> don't.

Unless the spec has changed since last time I read it, there's nothing in 
DK to say "mails from this domain are always signed with DomainKeys". 
Without that spammy just has to omit the DK header to get his mail 
through.

The problem as I see it is that DK is a whitelist system (where SPF is
really a blacklist system). It tells you that the mail is "valid"  
according to the signature. Mail without a DK header tells you nothing.

And so once spammers start publishing domainkeys we're pretty much back 
to square 1.

Matt.

