On 4/29/08, J D Falk <jdfalk(_at_)returnpath(_dot_)net> wrote:
JD, thanks. This is very insightful.
OK, let's assume ADSP has no "tree walking" or "subzone inheritance"
feature. A sender is sending legitimate mails with
customercare.bigbank.com with DKIM and an ADSP policy. If a phisher
sends mail with a PRA of customer-care.bigbank.com, that would not be
signed, and it would not fall under any ADSP policy.
In your perfect world, as an imaginary receiver, how would you discern
between the two sets of messages?
That's easy: any string comparison will tell you that
customercare.bigbank.com != customer-care.bigbank.com. So, assuming no
treewalking assumption in my reputation system, they'd each have
entirely separate reputations.
But reputation is never based solely on one tiny bit of information --
I'd also check to see if the domain exists. If it doesn't, that would
very likely result in rejection before even getting to any reputation
algorithm.
So, a potential way to address this without any sort of "tree walking"
functionality would be:
- As a sender, publish ADSP records for all domains/zones/fqdns you know about
- Recommend that receivers reject mail from non-existent FQDNs used in
PRA or MFROM (or some such).
This seems workable. Others who prefer treewalking functionality, why
does this not work for you? Where does this specifically fall down?
Thanks,
Al Iverson
--
Al Iverson on Spam and Deliverability, see http://www.spamresource.com
News, stats, info, and commentary on blacklists: http://www.dnsbl.com
My personal website: http://www.aliverson.com -- Chicago, IL, USA
Remove "lists" from my email address to reach me faster and directly.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
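The receiver-side logic discussed in the thread (exact string comparison of the author domain, no tree walking, rejection of non-existent author domains, then a lookup of that domain's own ADSP record), worked through in Python as an added example that is not part of this thread. It assumes the `_adsp._domainkey.<domain>` TXT record location used by ADSP and substitutes a constructed, in-memory DNS snapshot for real lookups.

```python
import re
from typing import Iterable, Optional

# Constructed DNS snapshot for the example (assumption, not real data).
# Each key is a name that exists; its value is the list of TXT strings at
# that name. Any name not present here is treated as NXDOMAIN.
ZONE = {
    "bigbank.com": [],
    "customercare.bigbank.com": [],
    "_adsp._domainkey.customercare.bigbank.com": ["dkim=all"],
    "promo.customercare.bigbank.com": [],  # exists, but publishes no ADSP record
}

def name_exists(name: str) -> bool:
    """Stand-in for the 'does the domain exist at all' check (any record type)."""
    return name.lower() in ZONE

def adsp_policy(author_domain: str) -> Optional[str]:
    """Fetch the ADSP practice for exactly this domain; never walk up the tree.
    Returns 'all', 'discardable', 'unknown', or None when no record is published."""
    txt = ZONE.get(f"_adsp._domainkey.{author_domain.lower()}")
    if not txt:
        return None
    for rec in txt:
        m = re.search(r"\bdkim\s*=\s*(all|discardable|unknown)\b", rec)
        if m:
            return m.group(1)
    return None

def evaluate(author_domain: str, verified_d: Iterable[str]) -> str:
    """Receiver-side decision for one message.
    author_domain: domain of the From/PRA address.
    verified_d: 'd=' domains of DKIM signatures that verified on this message."""
    author_domain = author_domain.lower()
    if not name_exists(author_domain):
        return "reject: author domain does not exist"
    # Plain string comparison: customercare != customer-care, no heuristics.
    if author_domain in {d.lower() for d in verified_d}:
        return "accept: valid author-domain signature"
    policy = adsp_policy(author_domain)
    if policy == "all":
        return "fail: domain signs all mail, no author signature found"
    if policy == "discardable":
        return "discard: domain asks unsigned mail to be discarded"
    return "neutral: no applicable ADSP policy"
```

Note that `promo.customercare.bigbank.com` comes back neutral even though its parent publishes `dkim=all`, which is exactly why the thread suggests publishing records for every name a sender knows about.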