ietf-dkim

Re: [ietf-dkim] New canonicalizations

2011-05-17 14:05:53
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org 
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of Hector Santos
Sent: Tuesday, May 17, 2011 9:39 AM
To: Michael Thomas
Cc: dcrocker(_at_)bbiw(_dot_)net; ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] New canonicalizations

Michael Thomas wrote:
On 05/16/2011 09:39 AM, Dave CROCKER wrote:

My guess is that admins just don't understand any of the subtleties,
have heard lore that "relaxed" is "better" and just click "relaxed"
wherever they find it. It may also be the case that some implementations
don't even have separate nerd knobs for headers and body canonicalization.

Based on what I see, one SWAG is that the "good" intention people are
using the defaults or relaxed/simple,  and spammers tend to use
relaxed/relaxed as the reduced restraint.   By far, in my samplings,
the largest group are spammers using relaxed/relaxed.

According to what we have, the biggest users of "relaxed/relaxed" are the large 
mailbox providers like Gmail and Yahoo and other legitimate senders, not 
spammers.  The top 20, for example:

+----------------------------------+----------+
| name                             | count(*) |
+----------------------------------+----------+
| gmail.com                        |   421745 |
| yahoo.com                        |   313109 |
| facebookmail.com                 |   233441 |
| yahoogroups.com                  |   104523 |
| auth.ccsend.com                  |    90195 |
| linkedin.com                     |    74710 |
| google.com                       |    59049 |
| reply.newsmax.com                |    53286 |
| ATT.NET                          |    43602 |
| sbcglobal.net                    |    36534 |
| googlegroups.com                 |    34359 |
| e.groupon.com                    |    30350 |
| paypal.com                       |    24568 |
| f74d39fa044aa309eaea14b9f57fe79c |    21019 |
| emailinfo.bestbuy.com            |    17067 |
| ebay.com                         |    16192 |
| 636ae4d78ec2b46248fc59ac1ad737df |    14580 |
| expediamail.com                  |    13058 |
| bellsouth.net                    |    12431 |
| googlemail.com                   |    12426 |
+----------------------------------+----------+

Total relaxed/relaxed signatures received = 3444978; total above = 1626244 (47%)

In fact, the first domain name that (statistically) looked likely to be a 
spammer is way down on the list, around #106 (out of 63314), and everything 
before that accounted for 58% of total signatures.  So, our data don't agree 
with the claim, and certainly not with "by far".

But I don't understand why this is a useful line of analysis.  If spammers are 
using relaxed/relaxed, they merely have the same concern as a legitimate 
sender, namely signature survivability.  This shouldn't be a surprise.  I hope 
we're not talking about the idea of filtering based on which canonicalization 
is in use, which is almost certainly a bad idea.

-MSK

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
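
A per-domain tally like the one in the message above can be reproduced from raw DKIM-Signature header values. The following is an added example, not code or data from the thread or from any list participant: the sample headers are constructed, the function names are hypothetical, and the defaults applied to the c= tag (absent means simple/simple, a single algorithm names the header algorithm with the body defaulting to simple) follow RFC 6376.

```python
import re
from collections import Counter

# Constructed sample DKIM-Signature header values (not data from the thread).
SAMPLE_HEADERS = [
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1; h=from:to; bh=xx=; b=yy==",
    "v=1; a=rsa-sha256; c=relaxed; d=example.net; s=k; h=from; bh=xx=; b=yy==",
    "v=1; a=rsa-sha256; d=example.org; s=k; h=from; bh=xx=; b=yy==",
    "v=1; a=rsa-sha256;\r\n\tc=relaxed/relaxed; d=Example.COM;\r\n\ts=s2; h=from; bh=xx=; b=yy==",
    "v=1; a=rsa-sha256; c=simple/relaxed; d=example.org; s=k; h=from; bh=xx=; b=yy==",
]

def parse_tags(value):
    """Split a DKIM-Signature header value into a tag -> value dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)  # undo header folding
    tags = {}
    for part in unfolded.split(";"):
        # Split on the first "=" only: base64 values in bh=/b= may end in "=".
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = val.strip()
    return tags

def canonicalization(tags):
    """Return (header_alg, body_alg) with the c= defaults applied."""
    # Lower-casing is a normalisation choice made here for tallying (assumption).
    c = tags.get("c", "simple/simple").lower()
    header_alg, _, body_alg = c.partition("/")
    return header_alg.strip(), (body_alg.strip() or "simple")

def tally(headers):
    """Count signatures per canonicalization pair, and relaxed/relaxed per d= domain."""
    by_canon, relaxed_domains = Counter(), Counter()
    for value in headers:
        tags = parse_tags(value)
        pair = "/".join(canonicalization(tags))
        by_canon[pair] += 1
        if pair == "relaxed/relaxed":
            relaxed_domains[tags.get("d", "").lower()] += 1  # domains compare case-insensitively
    return by_canon, relaxed_domains

def top_share(counts, n):
    """Fraction of all counted signatures contributed by the top n entries."""
    total = sum(counts.values())
    return sum(c for _, c in counts.most_common(n)) / total if total else 0.0
```

A bare `c=relaxed` lands in the relaxed/simple bucket, so a tally that treats it as relaxed/relaxed would overstate that group.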