ietf-dkim

Re: [ietf-dkim] New canonicalizations

2011-05-18 08:33:17
Murray S. Kucherawy wrote:

> Hector wrote:
>> The collection you have is an aggregate of many sites.  However, in
>> reality each site will have a different PCN.
>
> Naturally.  And we can select for the data for a specific site if
> that's useful.  But in terms of input for developing a standard,
> even you must agree that an aggregate view is at least as important
> as a local one.

Of course.

> But since you asked, selecting only for my own server, there are
> 11 domains in the top relaxed/relaxed senders list before we hit
> the first obvious spammer.  Those are responsible for 7301
> relaxed/relaxed messages out of the 16581 total that server has seen,
> or 44%.  And there are lots of obviously legitimate senders below that,
> but I wanted to keep this report simple.  Even so, it still doesn't
> concur with the apparent extremeness of your data, nor do I understand
> why this is an interesting statistic.

I agree with the OP, the data implies the selection of relaxed was 
done with forethought. After all, it is not the default.

One poster stated it might be lack of understanding or just the 
appearance it is better or that the knob is too easy to set.

I stated one SWAG (Scientific Wide Ass Guess), based on what my PCN 
(Personal Community Network) samplings are showing - private domains 
tend to use the stronger C14N, spammers tend to use relaxed C14N.

That is not a generalization for everyone, although I do personally 
believe it's logical and probably representative of most systems with 
the idea spammers are broadcasting their messages to more than one 
receiver. i.e. I would expect all receivers to see the same data 
results from mail sent by Long Horn Steak House, Red Lobster, Olive 
Garden food coupon spammers (same organization, different domains).

Finally, it isn't really that extreme from your 44%; in my PCN, 64% of 
the domains use relaxed/relaxed.   That's two PCNs - average 54%.  But 
your aggregate data shown in an early post, moves it higher; 81% 
domains using body relaxed, 89% domains using header relaxed. Could 
not see data for the relaxed/relaxed set but I will venture that group 
is lower.

Interesting?

I can only see two things worth noting:

   - People are very conscious of deviating from the default,
   - Observation that most spammers use the relaxed C14N
     integrity signing.

also from your aggregate data:

   - failure/passage rate is nearly the same for simple vs relaxed.

Does it mean anything?

Well, it depends on one's perspective.

Does it change anything?

Probably not. The OP was probably making an indirect suggestion to 
consider other C14Ns.  But I don't know if that was the intent with 
the subject "New canonicalizations."

-- 
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
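
The figures compared in this message use two different denominators (messages seen by one server versus signing domains), and both depend on applying the `c=` defaults, since a signature without the tag is simple/simple. The sketch below is an added example, not code from the list or from either poster; the signature values and the `.example` domains are constructed.

```python
import re
from collections import Counter, defaultdict

_SIG = "v=1; a=rsa-sha256; {c}d={d}; s=sel; bh=xx; b=yy="   # constructed template
# Constructed sample of DKIM-Signature header values; domains are placeholders.
SAMPLE = (
    [_SIG.format(c="c=relaxed/relaxed; ", d="bulk.example")] * 5
    + [_SIG.format(c="\r\n c = Relaxed/Relaxed; ", d="bulk.example")]  # folded, mixed case
    + [_SIG.format(c="", d="a.example")] * 2            # no c= tag
    + [_SIG.format(c="c=relaxed; ", d="b.example")]     # header algorithm only
    + [_SIG.format(c="c=simple/relaxed; ", d="c.example")]
)

def parse_tags(value):
    """Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def canonicalization(tags):
    """Return (header, body); RFC 6376 defaults a missing c= or body part to simple."""
    header, _, body = tags.get("c", "simple/simple").lower().partition("/")
    return header or "simple", body or "simple"

def tally(signatures):
    """Count header/body pairs per message and collect the pairs seen per d= domain."""
    per_message, per_domain = Counter(), defaultdict(set)
    for value in signatures:
        tags = parse_tags(value)
        pair = canonicalization(tags)
        per_message[pair] += 1
        per_domain[tags.get("d", "").lower()].add(pair)
    return per_message, per_domain

def shares(signatures):
    """Percentages by message and by domain, so the two denominators can be compared."""
    per_message, per_domain = tally(signatures)
    def pct(n, total):
        return round(100 * n / total) if total else 0
    def domains(match):
        return pct(sum(any(match(p) for p in s) for s in per_domain.values()), len(per_domain))
    rr = ("relaxed", "relaxed")
    return {
        "messages relaxed/relaxed": pct(per_message[rr], sum(per_message.values())),
        "domains relaxed/relaxed": domains(lambda p: p == rr),
        "domains header relaxed": domains(lambda p: p[0] == "relaxed"),
        "domains body relaxed": domains(lambda p: p[1] == "relaxed"),
    }

if __name__ == "__main__":
    print(shares(SAMPLE))
```

On the constructed sample the relaxed/relaxed share is 60% by message but 25% by domain, because one high-volume signer dominates the message count.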