Re: [spf-discuss] SPF, DKIM, and NIH
2009-10-12 11:22:13
Ian Eiloart wrote:
Then what's the advantage over SPF?

The advantage is that it permits trusted traditional forwarding. Which
is what's missing with SPF.

The thing is, that there are various routes by which mail may be
delivered. SPF protects some, but not others. DKIM protects others,
but not some.

What we need is a collection of sender techniques, and a collection of
recipient checks, which collectively allow the recipient to apply
reputation scores for every incoming message - except the spam, of course.

SPF neatly protects all messages except traditional forwarding.

DKIM with ADSP neatly protects all messages except mailing list messages.

If SPF and DKIM/ADSP were universally deployed, recipients would have
something they could assign reputation to for every message:

If you see an SPF pass, then assign reputation by SPF. Lists that
don't check inbound mail won't get great reputation. If there's also a
DKIM signature, you can also check that content hasn't been munged,
but watch out for list-id headers.

The headers aren't the problem. It's the last few lines added to the
body by the mailing list. Header checking is done only on the few
headers named in the "h=" tag.

If SPF fails, then look for a DKIM signature. If you get a good one,
you're likely seeing traditional forwarding.

Or forwarding by a crook. What prevents a spammer from sending a
billion ads for Viagra, all with a valid DKIM signature from a reputable
domain? All it takes is one signed message. The rest can be copies,
"forwarded" via a botnet.

The fundamental advantage of signature-based authentication (arbitrary
forwarding) is a fundamental disadvantage when the forwarder is a
crook. Signatures protect only that which is signed, i.e. the body and
a few specifically selected headers. There is *no other assurance* in a
signature. Show that Viagra ad to the original signer, and he will say
"Yup, that's our signature. We sign 500,000 messages per day. We have
per-account rate limits. We even run spam filters on new accounts.
What else do you expect us to do?"
--
David MacQuigg, PhD          email: macquigg at ece.arizona.edu
Research Associate           phone: USA 520-721-4583
ECE Department, University of Arizona
9320 East Mikelyn Lane
http://purl.net/macquigg     Tucson, Arizona 85710
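
An added example, not part of the original message: a simplified DKIM-style check illustrating the two points argued above, that only the body and the headers named in "h=" are covered, and that verification takes no input about who relayed the message or to whom. The HMAC key is a stand-in for the signer's real key pair, the header hashing is simplified, and all addresses and header values are constructed.

```python
import base64, hashlib, hmac

# Assumption: a shared HMAC key stands in for the signer's key pair (real DKIM uses RSA or Ed25519).
SIGNER_KEY = b"constructed-demo-key"

def body_hash(body: str) -> str:
    """bh= under DKIM 'simple' body canonicalization: drop trailing empty lines, end with one CRLF."""
    data = body.replace("\r\n", "\n").replace("\n", "\r\n").encode()
    while data.endswith(b"\r\n\r\n"):
        data = data[:-2]
    if not data.endswith(b"\r\n"):
        data += b"\r\n"
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def sign(headers: dict, body: str, h: list) -> dict:
    """Simplified DKIM-Signature: h= header list, bh= body hash, b= MAC over the h= headers plus bh=."""
    bh = body_hash(body)
    # A header named in h= but absent from the message is hashed as an empty value.
    signed = "".join(f"{name.lower()}:{headers.get(name, '')}\r\n" for name in h) + bh
    return {"h": h, "bh": bh, "b": hmac.new(SIGNER_KEY, signed.encode(), hashlib.sha256).hexdigest()}

def verify(headers: dict, body: str, sig: dict) -> str:
    """The only inputs are the message and its signature: no envelope recipient, no connecting IP."""
    if body_hash(body) != sig["bh"]:
        return "fail (body hash)"
    expected = sign(headers, body, sig["h"])["b"]
    return "pass" if hmac.compare_digest(expected, sig["b"]) else "fail (signed header)"

# Constructed sample message, signed once by its originating domain.
HEADERS = {"From": "alice@example.org", "Subject": "Minutes",
           "Date": "Mon, 12 Oct 2009 11:00:00 +0000"}
BODY = "Minutes attached.\r\n"
SIG = sign(HEADERS, BODY, ["From", "Subject", "Date"])

def scenarios() -> dict:
    via_list = dict(HEADERS, **{"List-Id": "<discuss.lists.example.net>"})
    return {
        # Any relay can deliver an unmodified copy to any recipient and the result is the same.
        "unmodified copy, any relay": verify(HEADERS, BODY, SIG),
        # List-Id is not named in h=, so adding it changes nothing.
        "list adds List-Id header": verify(via_list, BODY, SIG),
        # The footer a list appends to the body is what breaks verification.
        "list appends body footer": verify(via_list, BODY + "--\r\nlist footer\r\n", SIG),
        # A header that is named in h= cannot be altered.
        "list tags Subject": verify(dict(HEADERS, Subject="[discuss] Minutes"), BODY, SIG),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:28} {result}")
```

A receiver that wants to treat a DKIM pass as evidence of legitimate forwarding therefore has to bring in signals from outside the signature, such as the reputation of the relaying host.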