funsec mailing list archives
Re: Shocker: DKIM antispam standard can't stop spam
From: Valdis.Kletnieks () vt edu
Date: Fri, 13 Jul 2007 14:16:32 -0400
On Fri, 13 Jul 2007 13:19:11 EDT, Dude VanWinkle said:
> Domain Keys sound like a bad/more complex implementation of the idea behind SPF IMO..
No, SPF claims to answer the question "Is the source IP a valid source for domain XYZ?", while Domain Keys answers "Was this mail sourced by an authorized mailer for XYZ?" - which is a subtly different question. For SPF, you verify that a given IP is OK as a source, for Domain Keys you don't care what the IP address actually is, you check if it has the right crypto.

Taking it down to a more personal level.. SPF is like saying "It must be valdis posting, because he always posts from turing-police.cc.vt.edu". Domain Keys is like saying "it must be him, because it's always PGP-signed with his sig". The distinction becomes important if turing-police moves around the net (which it actually does, as it's a Dell laptop).

Domain Keys is actually more elegant, as it means that you *can* source your mail from anywhere that makes sense at the time. It's however harder to deploy, because you then have to worry about key distribution to "anywhere that makes sense at the time".

And as others have pointed out - *both* schemes only validate (to some extent) that I sent the mail, rather than some guy in <insert spamhaven here> using my address sourced through a zombie. You still need a reputation system of some sort to decide if you really want to read what I wrote.. ;)
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
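The distinction drawn in the message above, as an added example that is not part of the original post: the same mail is checked under an SPF-style source-IP test and a Domain Keys-style signature test. Everything here is an assumption for illustration: the domain `example.org`, the documentation-range IP addresses, the sample message, and a toy textbook RSA that stands in for real DKIM signing (no selectors, no header canonicalisation, not secure).

```python
import hashlib
import ipaddress

# Toy textbook RSA (assumption: stands in for DKIM's real RSA-SHA256; not secure).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537          # two Mersenne primes
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))              # private exponent, held by the sender

# Constructed "DNS" data for a placeholder domain.
DNS = {"example.org": {"spf_ip4": ["192.0.2.0/24"], "dkim_pub": (N, E)}}

def _digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg: bytes) -> int:
    """Sender side: sign with the private key, wherever the sender happens to be."""
    return pow(_digest(msg, N), D, N)

def spf_pass(domain: str, source_ip: str) -> bool:
    """SPF's question: is this source IP a valid source for the domain?"""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(net) for net in DNS[domain]["spf_ip4"])

def dkim_pass(domain: str, msg: bytes, sig) -> bool:
    """Domain Keys' question: does the signature verify against the domain's key?"""
    if sig is None:
        return False
    n, e = DNS[domain]["dkim_pub"]
    return pow(sig, e, n) == _digest(msg, n)

def evaluate(domain, source_ip, msg, sig):
    return {"spf": spf_pass(domain, source_ip), "dkim": dkim_pass(domain, msg, sig)}

# Constructed sample message and delivery scenarios.
MSG = b"From: valdis@example.org\r\n\r\nhello funsec"
CASES = {
    "listed server, signed": ("192.0.2.25", MSG, sign(MSG)),
    "roaming laptop, signed": ("198.51.100.7", MSG, sign(MSG)),
    "zombie, forged From, no key": ("203.0.113.9", MSG, 12345),
    "listed server, body altered": ("192.0.2.25", MSG + b"!", sign(MSG)),
}

if __name__ == "__main__":
    for name, (ip, msg, sig) in CASES.items():
        print(f"{name:30} {evaluate('example.org', ip, msg, sig)}")
```

A pass on either check says only that the mail is tied to the domain; neither result says anything about whether the sender is worth reading, which is where the reputation system comes in.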