spf-discuss

RE: Attacking Domain Keys

2004-11-29 14:47:46
From: Hallam-Baker, Phillip
Sent: Monday, November 29, 2004 2:43 PM


I don't need to read sendmail's data.  We have our own implementation
and we do not see a two-fold slow down based on the size of the
message.

The conclusion that Sendmail came to was that the cost was insignificant.
Very very few outgoing mail servers are cpu bound on sending mail. If you
are cpu bound on incoming email then you can always delay
verification and do it offline as CPU cycles permit.

Look at their data, not their conclusion, which does not agree with their
own data.  For short messages, there was a two-fold slowdown which is
directly attributable to the MTA being CPU bound.  Spam is mostly small
messages, as you well know.  Their blended size data has little to do with
what an MTA with an ever-growing spam load of short messages is going to
see.

Most of the load is incoming, not outgoing, and you can't do verification
off-line and still reject during the SMTP session.  That is exactly the
direction we don't want anyone to go.



The fact is that DK is being pushed by Yahoo and they have one of the
biggest mail servers on the planet. If they can do it then it is
practical.  Microsoft and AOL (operators of the other big three
systems) appear to agree.

Pardon my intrusion on this fantasy, but not everything Yahoo or Microsoft
does is sensible or intelligent.  They also have very large budgets and
there are political factors that can outweigh the technical ones.  It's not
that it can't be done.  The question is, given better alternatives, why
should it be done?




The fact is that we are going to need BOTH SPF and DK to address all the
email authentication requirements that are out there. For messaging
convenience I try to encourage people to push SPF as an anti-spam solution
and DK in the anti-phishing area but we will actually need both in both
problems.

If you only do SPF, you do need something for 2822 authentication.  However,
SES includes both 2821 and 2822 authentication and is significantly lighter
weight than DK.  So it is _not_ a fact that you have to do both SPF and DK.
You can do SPF+SES or SES by itself.

--

Seth Goodman

