funsec mailing list archives

Re: Shocker: DKIM antispam standard can't stop spam


From: Valdis.Kletnieks () vt edu
Date: Fri, 13 Jul 2007 14:16:32 -0400

On Fri, 13 Jul 2007 13:19:11 EDT, Dude VanWinkle said:

> Domain Keys sound like a bad/more complex implementation of the idea
> behind SPF IMO..

No, SPF claims to answer the question "Is the source IP a valid source for
domain XYZ?", while Domain Keys answers "Was this mail sourced by an authorized
mailer for XYZ?"  - which is a subtly different question.  For SPF, you verify
that a given IP is OK as a source, for Domain Keys you don't care what the
IP address actually is, you check if it has the right crypto.

Taking it down to a more personal level..

SPF is like saying "It must be valdis posting, because he always posts from
turing-police.cc.vt.edu".  Domain Keys is like saying "it must be him, because
it's always PGP-signed with his sig".

The distinction becomes important if turing-police moves around the net (which
it actually does, as it's a Dell laptop).

Domain Keys is actually more elegant, as it means that you *can* source your
mail from anywhere that makes sense at the time.  It's however harder to deploy,
because you then have to worry about key distribution to "anywhere that makes
sense at the time".

And as others have pointed out - *both* schemes only validate (to some extent)
that I sent the mail, rather than some guy in <insert spamhaven here> using
my address sourced through a zombie.  You still need a reputation system of
some sort to decide if you really want to read what I wrote.. ;)


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
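
The distinction drawn in the message above, as an added example that is not part of the original post: the same signed message is evaluated from two source IPs, and once with an altered body. The SPF record, addresses, domain, toy RSA key and all function names are constructed assumptions, and the signing is a simplified stand-in for real Domain Keys/DKIM canonicalisation.

```python
import hashlib
import ipaddress

# Constructed sample data: placeholder domain policy and documentation IP ranges.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"

# Toy textbook-RSA key from two small Mersenne primes (assumption for the demo).
# Real Domain Keys/DKIM keys are far larger and the public half lives in DNS.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the sender only


def spf_check(record, client_ip):
    """Answer SPF's question: is this IP a valid source? (ip4 and -all only)"""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:]):
            return "pass"
        if term == "-all":
            return "fail"
    return "neutral"


def _digest(from_header, body):
    # Simplified stand-in for DKIM's canonicalised header and body hashing.
    data = f"from:{from_header}\r\n".encode() + body
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(from_header, body):
    """Sender side: sign with the private key, wherever the sender happens to be."""
    return pow(_digest(from_header, body), D, N)


def key_check(from_header, body, signature):
    """Answer the Domain Keys question: does it carry the right crypto?"""
    ok = pow(signature, E, N) == _digest(from_header, body)
    return "pass" if ok else "fail"


def evaluate(client_ip, from_header, body, signature):
    """Return (SPF result, signature result); the client IP only affects SPF."""
    return spf_check(SPF_RECORD, client_ip), key_check(from_header, body, signature)


FROM, BODY = "user@example.org", b"Posting from the laptop again.\r\n"
SIG = sign(FROM, BODY)
if __name__ == "__main__":
    print(evaluate("192.0.2.25", FROM, BODY, SIG))    # usual network
    print(evaluate("198.51.100.7", FROM, BODY, SIG))  # laptop moved elsewhere
    print(evaluate("192.0.2.25", FROM, BODY + b"edited", SIG))  # altered in transit
```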
