-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of John R. Levine
Sent: Monday, May 23, 2011 9:35 AM
To: Scott Kitterman
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] 8bit downgrades

Do you have numbers to show that broken signatures indicate that messages
are malicious, or spam, or otherwise worse than otherwise?

Count of failed signatures compared to spam true/false flag:

+----------+------+
| count(*) | spam |
+----------+------+
|   120257 |    0 |
|    18945 |    1 | (13.6%)
+----------+------+

Doesn't look like there's a valid correlation there to me.

For that matter, since we're not talking about ADSP, what do you mean by
an absent signature? Do you track which domains sign what mail? How do
you tell what signature you're expecting? From line domain? Sender?
Message ID? Something in the Received lines?

For domains that have at least once signed their own mail with a signature that
passed, here's the correlation of message counts from those domains versus
whether or not the mail is signed (by that same domain) and whether or not
those messages are spam:

+----------+------+--------+
| count(*) | spam | signed |
+----------+------+--------+
|   230426 |    0 |      0 |
|     9925 |    1 |      0 | (4.1% of unsigned mail from domains that sometimes sign)
|  1352623 |    0 |      1 |
|    95962 |    1 |      1 | (6.5% of signed mail from domains that sometimes sign)
+----------+------+--------+

What this tells me is: Ignoring ADSP, if a domain sometimes signs its mail,
then mail from it (signed or not) is usually not spam. From this I suspect we
could conclude that a missing signature doesn't tell us much of anything.

Now of course there are some domains that sign nothing but spam. We could
narrow this set down by selecting for signing domains that generally don't sign
spam, but I think all that would do is shrink the "spam" rows (i.e. the second
and fourth counts) without measurably changing the other two. We could also
change "sometimes" to "usually" and see if that matters, but I'm skeptical.