
Re: [ietf-dkim] 8bit downgrades

2011-05-23 18:15:11
-----Original Message-----
From: ietf-dkim-bounces(_at_)mipassoc(_dot_)org 
[mailto:ietf-dkim-bounces(_at_)mipassoc(_dot_)org] On Behalf Of John R. Levine
Sent: Monday, May 23, 2011 9:35 AM
To: Scott Kitterman
Cc: ietf-dkim(_at_)mipassoc(_dot_)org
Subject: Re: [ietf-dkim] 8bit downgrades

Do you have numbers to show that broken signatures indicate that messages
are malicious, or spam, or otherwise worse than otherwise?

Count of failed signatures compared to spam true/false flag:

+----------+------+
| count(*) | spam |
+----------+------+
|   120257 |    0 |
|    18945 |    1 | (13.6%)
+----------+------+

Doesn't look like there's a valid correlation there to me.

For that matter, since we're not talking about ADSP, what do you mean by
an absent signature?  Do you track which domains sign what mail? How do
you tell what signature you're expecting?  From line domain? Sender?
Message ID? Something in the Received lines?

For domains that have at least once signed their own mail with a signature that 
passed, here's the correlation of message counts from those domains versus 
whether or not the mail is signed (by that same domain) and whether or not 
those messages are spam:

+----------+------+--------+
| count(*) | spam | signed |
+----------+------+--------+
|   230426 |    0 |      0 |
|     9925 |    1 |      0 | (4.1% of unsigned mail from domains that sometimes sign)
|  1352623 |    0 |      1 |
|    95962 |    1 |      1 | (6.5% of signed mail from domains that sometimes sign)
+----------+------+--------+

What this tells me is: Ignoring ADSP, if a domain sometimes signs its mail, 
then mail from it (signed or not) is usually not spam.  From this I suspect we 
could conclude that a missing signature doesn't tell us much of anything.

Now of course there are some domains that sign nothing but spam.  We could 
narrow this set down by selecting for signing domains that generally don't sign 
spam, but I think all that would do is shrink the "spam" rows (i.e. the second 
and fourth counts) without measurably changing the other two.  We could also 
change "sometimes" to "usually" and see if that matters, but I'm skeptical.


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
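
Added example, not part of the original message: one way to build the second table from per-message verification records, so the same comparison can be run on another receiver's logs. The record layout, the sample rows and the choice of the From domain as "that same domain" are assumptions; the post does not state how its data was stored or matched.

```python
from collections import Counter

# Constructed sample records (not data from the post):
# (From domain, DKIM signing domain or None, DKIM result, spam flag)
MESSAGES = [
    ("a.example", "a.example", "pass", 0),
    ("a.example", None, "none", 0),
    ("a.example", None, "none", 1),
    ("a.example", "a.example", "fail", 0),
    ("b.example", "b.example", "pass", 1),
    ("b.example", "b.example", "pass", 0),
    ("b.example", "esp.example", "pass", 0),  # third-party signature only
    ("c.example", None, "none", 1),           # domain that never signs
    ("d.example", "d.example", "fail", 1),    # signs, but never verified
]

def sometimes_signing_domains(messages):
    """Domains that at least once signed their own mail with a passing signature."""
    return {frm for frm, d, result, _ in messages if d == frm and result == "pass"}

def tabulate(messages):
    """Count (spam, signed) pairs for mail from the sometimes-signing cohort.

    Assumption: 'signed' means a signature by the From domain is present,
    whether or not it verified; third-party signatures do not count.
    """
    cohort = sometimes_signing_domains(messages)
    counts = Counter()
    for frm, d, _result, spam in messages:
        if frm in cohort:
            counts[(spam, int(d == frm))] += 1
    return counts

def spam_rate(counts, signed):
    """Fraction of the cohort's signed (1) or unsigned (0) mail flagged as spam."""
    total = counts[(0, signed)] + counts[(1, signed)]
    return counts[(1, signed)] / total if total else 0.0

if __name__ == "__main__":
    c = tabulate(MESSAGES)
    print("count  spam  signed")
    for (spam, signed), n in sorted(c.items(), key=lambda kv: (kv[0][1], kv[0][0])):
        print(f"{n:5d}  {spam:4d}  {signed:6d}")
    for s in (0, 1):
        print(f"signed={s}: spam rate {spam_rate(c, s):.1%}")
```

Domains that never produced a passing self-signature (c.example and d.example in the sample) drop out of the cohort before counting, which is what restricts the table to "domains that sometimes sign".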