ietf-mailsig

Re: [ietf-dkim] Not exactly not a threat analysis

2005-08-17 15:55:38

On Wed, 17 Aug 2005, Tony Finch wrote:

> There's a lot more information available about domain names than about IP
> addresses,

I disagree.

> e.g. via whois, via the domain's NS records, etc. This
> information can be used to bootstrap a reputation in a way that defends
> against the use of throwaway domains by spammers.

For throwaway domains whois data is not reliable (and, just like with email, there is no protection against using somebody else's address) and NS servers could simply be the default ones provided by the domain registrar. Or they often point to a compromised machine (zombie, hacked server, compromised DNS service, etc.), and with the changes introduced by Verisign this year they can now be quickly (within 15 minutes) changed whenever the compromised machine is discovered and filtered (which is exactly what happens to phish email used domains I've investigated).

In the end the most reliable way to detect and filter these domains is actually based on the IP address of the server hosting the website for the advertised and used domain (for order taking). So I'm not at all certain that doing reputation on a per-domain basis will be easy (in fact I think it would be more difficult than on per-IP).

The good thing is that for non-throwaway domains (those that have been used for a while) the reputation can be accumulated over time and can be quite useful, but it will take quite some time (years) before we're able to get to the point that this is possible (i.e. relying primarily on positive reputation score).

So, while email signatures are a good thing and if properly implemented can defend against spoofing and increase email security and reliability, claiming that this will allow us to stop spam (either directly or indirectly putting all hope on accreditation/reputation) is incorrect.

I also disagree that there is some kind of big pressure to get this out ASAP (and so we should disregard normal IETF protocol/extension design procedures) because this will be the only thing that will help us save email. That is just wrong, and "antispam marketing pressure" is no excuse to introduce a system that can do more harm to the network than good or that can be of use only for a limited audience.

In the end I think the way to save email would require looking at the entire protocol in a more comprehensive way than what is being done by any one effort and putting marketing and corporate interest aside for the greater good when doing it, but from what I have seen so far that is unlikely to happen for the SMTP protocol and it may turn out to be easier to just design a new messaging system (although it would be harder and take more time if comparing the actual design work needed to finish it off and introduce it).

---
William Leibzon
Elan Networks
william(_at_)elan(_dot_)net
_______________________________________________
ietf-dkim mailing list
http://dkim.org
