funsec mailing list archives
Re: Shocker: DKIM antispam standard can't stop spam
From: Valdis.Kletnieks () vt edu
Date: Fri, 13 Jul 2007 15:55:46 -0400
On Fri, 13 Jul 2007 15:23:45 EDT, Dude VanWinkle said:
As long as people who care will have the ability to add to the success of the system, while it still accommodates those who lack the technical skills or desire, I am all for it. Even though it will be left up to the hostmaster of each domain, I think the fiduciary issues related to spam (bandwidth, storage, backing up that storage, lost employee productivity, having to teach monkeys about quarantining, etc) will convince most to join in.
The problem with most anti-spam "solutions" (including both SPF and DKIM) is that the cost of deployment gets paid by one place, but the benefits reaped by somebody else. So if we deploy SPF, *we* pay that deployment cost (which in our case is non-trivial, as there's a fair number of departmental mail servers and even a few off-campus ones we needed to find and allow for). However, we don't see any direct benefit - the sites that *query* the DNS for our SPF record are the ones who benefit. Similarly, AOL or Yahoo don't benefit by publishing their SPF - *we* do if we choose to check it.

(Then there's the cost of deploying code to *check* DKIM, which is particularly heavyweight. SPF and various DNS blocklists, you can decide to '552 Fuck Off' a message before you even see the RCPT TO/DATA (SPF you can 552 after the MAIL FROM, a DNS blocklist you can 552 even at EHLO). For DKIM, you need to actually get into the DATA step and see the headers and then 552 after the final '.'. This becomes significant if you're dealing with several million pieces of e-mail a day.....)

This asymmetric cost leads to the "chicken and egg" issue that we see often - nobody wants to deploy early because it doesn't get them anything, and nobody benefits until a reasonable fraction deploy.
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
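
The staging argument in the message above, as an added example that is not part of the original post: a constructed SMTP transaction is replayed and, for each check, the bytes the receiving server must accept before it is able to reject are counted. Host names, addresses, the sample message and every function and constant name are assumptions; server replies and dot-stuffing are ignored.

```python
# Added example; all names and the sample message are constructed.
# Client line after which each check has what it needs (per the post):
#   DNS blocklist: connecting IP, usable at EHLO
#   SPF:           envelope sender, after MAIL FROM
#   DKIM:          signed headers and body, after the final '.'
STAGE_NEEDED = {"dnsbl": "EHLO", "spf": "MAIL", "dkim": "EOD"}

# Constructed message; the DKIM-Signature value is a placeholder.
MESSAGE = "\n".join([
    "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; b=PLACEHOLDER",
    "From: bulk@example.org",
    "To: user@example.edu",
    "Subject: constructed sample",
    "",
] + ["x" * 72] * 200)  # roughly 14 KB of body text


def client_lines(sender, rcpt, message):
    """Yield (stage, line) for each line the client sends in one transaction."""
    yield "EHLO", "EHLO mail.example.net"
    yield "MAIL", f"MAIL FROM:<{sender}>"
    yield "RCPT", f"RCPT TO:<{rcpt}>"
    yield "DATA", "DATA"
    for line in message.split("\n"):
        yield "BODY", line
    yield "EOD", "."


def bytes_before_reject(check, sender, rcpt, message):
    """Bytes the receiver has to accept before `check` can reject."""
    total = 0
    for stage, line in client_lines(sender, rcpt, message):
        total += len(line.encode()) + 2  # each line ends in CRLF
        if stage == STAGE_NEEDED[check]:
            return total
    raise ValueError(f"stage for {check!r} never reached")


def report(sender="bulk@example.org", rcpt="user@example.edu", message=MESSAGE):
    """Map each check to the bytes received before it can reject."""
    return {c: bytes_before_reject(c, sender, rcpt, message) for c in STAGE_NEEDED}


if __name__ == "__main__":
    for check, n in report().items():
        print(f"{check:5s} can reject after {n:6d} bytes received")
```
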