ietf-dkim

Re: [ietf-dkim] My discardable statistics

2010-06-04 16:18:27
Thank you John for taking the time to put that together.  

On Jun 2, 2010, at 9:44 PM, John Levine wrote:

I've been saving the DKIM signatures on mail sent to my inbox for
about the past year, so I did a little analysis on them.  There's a
total of 71,000 signed messages that got to the procmail delivery
filter, signed by a total of 474 domains.  I went through and looked
up the ADSP records for all of them.  I found 51 ADSP records:

24 dkim=all
19 dkim=unknown
8 dkim=discardable

A few had t=s but none of the discardables did.

Let's take a look at those eight records. The number on each line is
the number of messages:

135 paypal.com dkim=discardable
23 paypal.co.uk dkim=discardable
7 intl.paypal.com dkim=discardable
6 mail.julianhaight.com dkim=discardable
4 undp.org dkim=discardable
4 info.paypal.com dkim=discardable
2 info.paypal.ca dkim=discardable
1 info.paypal.co.uk dkim=discardable

Six of them are Paypal, who presumably know what they're doing.

Of the other two, mail.julianhaight.com is Julian's personal domain.
All of the mail from that domain came through a mailing list, which
tells us that he didn't follow the advice in RFC 5617.

It appears that undp.org really is a branch of the United Nations, and
their mail management isn't very good.  All four of those messages
came from the UNDP's mail servers, all four of them had return
addresses that appear to be individual users at undp.org, and all four
of them are spam or phish, presumably from botted PCs.  Two of the
DKIM signatures verify, two don't, haven't looked hard enough to tell
why not, but they were broken when they arrived at my MTA.  (Look at
the spamassassin lines, added at SMTP time.)

They're all in my spam archive, so you can look at them yourself:

http://spample.iecc.com/yjf/21798071
http://spample.iecc.com/yvh/22631217
http://spample.iecc.com/oga/22622255
http://spample.iecc.com/gdx/22039445

Looking at the headers, this mail appears to have taken the same path
that real user mail would have taken, so discardable is wrong here,
too.  Note that even though the mail is spam, the From: line addresses
are in the domain of the sending system, so for ADSP purposes, they're
OK, or would be if the signatures were good.

I admit that this isn't a very big sample, but it does say that of
all the people who sent me mail in the past year, Paypal is the
only one who used ADSP discardable in a way that would be
useful for inbound mail handling.

R's,
John
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
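
Added example, not part of the original message or of any DKIM implementation: a sketch of the receiver-side ADSP decision from RFC 5617 that the message's reasoning relies on (a verified signature whose d= equals the From: domain passes; otherwise the published practice decides). The domains, sample messages and helper names are constructed for illustration, and the result labels follow the dkim-adsp values in RFC 5617.

```python
import re

# RFC 5617: the record is a tag list whose first tag must be dkim=...
_ADSP_RE = re.compile(r"^dkim[ \t]*=[ \t]*([A-Za-z0-9-]+)[ \t]*(;.*)?$")
KNOWN = {"unknown", "all", "discardable"}

def parse_adsp(txt):
    """Return the practice in an ADSP TXT string, or None if it is malformed."""
    m = _ADSP_RE.match(txt.strip())
    if not m:
        return None                      # malformed records are ignored
    value = m.group(1).lower()
    return value if value in KNOWN else "unknown"   # other values mean unknown

def author_domain(from_addr):
    """Domain part of the From: address (simplified address parsing)."""
    return from_addr.rsplit("@", 1)[1].strip("> ").lower()

def adsp_result(from_addr, signatures, adsp_txt):
    """signatures: (d= domain, verified?) pairs reported by the DKIM verifier."""
    domain = author_domain(from_addr)
    # An Author Domain Signature is a *valid* signature with d= == From: domain.
    if any(ok and d.lower() == domain for d, ok in signatures):
        return "pass"
    practice = parse_adsp(adsp_txt) if adsp_txt else None
    if practice is None:
        return "none"
    return {"unknown": "unknown", "all": "fail", "discardable": "discard"}[practice]

# Constructed samples: (description, From:, signatures, ADSP TXT record or None)
SAMPLES = [
    ("direct mail, author signature verifies",
     "billing@example.com", [("example.com", True)], "dkim=discardable"),
    ("via mailing list: author signature broken, list signature valid",
     "User <user@example.com>",
     [("example.com", False), ("list.example.net", True)], "dkim=discardable"),
    ("unsigned mail, domain publishes dkim=all",
     "user@example.org", [], "dkim=all"),
    ("unsigned mail, no ADSP record",
     "user@example.net", [], None),
]

if __name__ == "__main__":
    for desc, frm, sigs, rec in SAMPLES:
        print(f"{adsp_result(frm, sigs, rec):8} {desc}")
```
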

