Re: [ietf-dkim] Not exactly not a threat analysis

2005-08-24 13:59:25
> > There's a lot more information available about domain names than about IP
> > addresses,
>
> I disagree.
>
> > e.g. via whois, via the domain's NS records, etc. This
> > information can be used to bootstrap a reputation in a way that defends
> > against the use of throwaway domains by spammers.
>
> For throwaway domains whois data is not reliable (and, just like with email,
> there is no protection against using somebody else's address), and NS servers
> could simply be the default ones provided by the domain registrar, or often
> point to a compromised machine (zombie, hacked server, compromised DNS
> service, etc.), and with the changes introduced by Verisign this year they
> can now be quickly (within 15 minutes) changed whenever the compromised
> machine is discovered and filtered (which is exactly what happens to
> domains used in phishing email that I've investigated).

Not sure how this follows. Just because some information associated with domains is not 100% reliable doesn't mean that there is less information. The fact that a domain's NS record points to a zombie IP is information, and very useful information at that. IP addresses do not have perfectly reliable associated information either (rDNS, throwaway IPs, compromised machines, misconfigured proxies, multipurpose SMTP machines, etc.), but this doesn't make IPs worthless. Savvy anti-high-volume-email deployers will use any information they can to make a better decision -- including the lack of information.

miles

_______________________________________________
ietf-dkim mailing list
http://dkim.org