funsec mailing list archives

Re: Shocker: DKIM antispam standard can't stop spam


From: Valdis.Kletnieks () vt edu
Date: Fri, 13 Jul 2007 15:55:46 -0400

On Fri, 13 Jul 2007 15:23:45 EDT, Dude VanWinkle said:
> As long as people who care will have the ability to add to the success
> of the system, while it still accommodates those who lack the technical
> skills or desire, I am all for it. Even though it will be left up to
> the hostmaster of each domain, I think the fiduciary issues related to
> spam (bandwidth, storage backing up that storage, lost employee
> productivity, having to teach monkeys about quarantining, etc) will
> convince most to join in.

The problem with most anti-spam "solutions" (including both SPF and DKIM) is
that the cost of deployment gets paid by one place, but the benefits reaped by
somebody else.  So if we deploy SPF, *we* pay that deployment cost (which in
our case is non-trivial, as there's a fair number of departmental mail servers
and even a few off-campus ones we needed to find and allow for).  However,
we don't see any direct benefit - the sites that *query* the DNS for our SPF
record are the ones who benefit.  Similarly, AOL or Yahoo don't benefit by
publishing their SPF - *we* do if we choose to check it.

(Then there's the cost of deploying code to *check* DKIM, which is particularly
heavyweight.  SPF and various DNS blocklists, you can decide to '552 Fuck Off'
a message before you even see the RCPT TO/DATA (SPF you can 552 after the
MAIL FROM, a DNS blocklist you can 552 even at EHLO).  For DKIM, you need
to actually get into the DATA step and see the headers and then 552 after the
final '.'.  This becomes significant if you're dealing with several million
pieces of e-mail a day.....)

This asymmetric cost leads to the "chicken and egg" issue that we see often -
nobody wants to deploy early because it doesn't get them anything, and nobody
benefits until a reasonable fraction deploy.
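The point about where in the SMTP dialogue each check can reject is easy to see with a small model of a receiving MTA. The following is an added illustration, not the poster's code or any real MTA: it walks one session (EHLO, MAIL FROM, RCPT TO, DATA), runs a simulated DNS blocklist lookup at EHLO, a simulated SPF check at MAIL FROM, and a toy DKIM check only after the final ".", and counts how many bytes the receiver had to accept before it could decide. The blocklist, SPF and DKIM tables are constructed stand-ins for DNS lookups (TEST-NET addresses, a fake `b=` tag instead of a real signature), and it uses the conventional 550-style permanent reject rather than any specific reply code.

```python
"""Toy SMTP receiver showing the earliest stage at which a DNS blocklist,
SPF and DKIM check can each reject, and how much of the session must be read
first.  Hypothetical model for illustration only, not a real MTA."""

import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed lookup tables standing in for DNS queries (TEST-NET addresses).
DNSBL_LISTED = {"192.0.2.7"}                         # "listed" client IPs
SPF_ALLOWED = {"example.org": {"198.51.100.10"}}     # domain -> permitted sender IPs
DKIM_EXPECTED = {"example.org": "sig-ok"}            # domain -> valid toy signature tag

SAMPLE_MESSAGE = [                                   # constructed message, headers then body
    "From: alice@example.org",
    "To: bob@example.edu",
    "DKIM-Signature: d=example.org; b=sig-ok",
    "Subject: hello",
    "",
    "body line one",
    "body line two",
]


@dataclass
class Verdict:
    accepted: bool
    stage: str          # SMTP stage at which the decision was made
    bytes_read: int     # bytes the receiver consumed before it could decide
    reason: str = ""


def _domain_of(addr: str) -> str:
    m = re.search(r"@([^>\s]+)", addr)
    return m.group(1).lower() if m else ""


def dnsbl_check(client_ip: str) -> Optional[str]:
    """Simulated DNSBL lookup: only the connecting IP is needed, so it can run at EHLO."""
    return "client IP on blocklist" if client_ip in DNSBL_LISTED else None


def spf_check(client_ip: str, mail_from: str) -> Optional[str]:
    """Simulated SPF: fails only when the domain publishes a record that excludes the IP.
    A domain with no record is treated as neutral (accepted), as real checkers do."""
    allowed = SPF_ALLOWED.get(_domain_of(mail_from))
    if allowed is not None and client_ip not in allowed:
        return "SPF fail"
    return None


def dkim_check(message_lines: List[str]) -> Optional[str]:
    """Toy DKIM: the signature lives in the headers, so nothing can be decided before
    DATA has been received.  'DKIM-Signature: d=<domain>; b=<tag>' replaces a real signature."""
    for line in message_lines:
        if not line:                         # blank line ends the header block
            break
        if line.lower().startswith("dkim-signature:"):
            tags = dict(re.findall(r"(\w+)=([^;\s]+)", line))
            if DKIM_EXPECTED.get(tags.get("d", "").lower()) == tags.get("b"):
                return None
            return "DKIM signature invalid"
    return "no DKIM signature"               # demo policy: unsigned mail is rejected


def run_session(client_ip: str, helo: str, mail_from: str, rcpt_to: str,
                message_lines: List[str], checks: Set[str]) -> Verdict:
    """Walk one SMTP session, applying each enabled check at the earliest stage
    where it has the information it needs."""
    bytes_read = 0

    def read(line: str) -> None:
        nonlocal bytes_read
        bytes_read += len(line) + 2          # +2 for the CRLF line terminator

    read(f"EHLO {helo}")
    if "dnsbl" in checks:
        why = dnsbl_check(client_ip)
        if why:
            return Verdict(False, "EHLO", bytes_read, why)

    read(f"MAIL FROM:<{mail_from}>")
    if "spf" in checks:
        why = spf_check(client_ip, mail_from)
        if why:
            return Verdict(False, "MAIL FROM", bytes_read, why)

    read(f"RCPT TO:<{rcpt_to}>")
    read("DATA")
    for line in message_lines:               # the whole message must arrive first
        read(line)
    read(".")
    if "dkim" in checks:
        why = dkim_check(message_lines)
        if why:
            return Verdict(False, "DATA", bytes_read, why)
    return Verdict(True, "DATA", bytes_read)


if __name__ == "__main__":
    all_checks = {"dnsbl", "spf", "dkim"}
    for ip, msg in [("192.0.2.7", SAMPLE_MESSAGE), ("203.0.113.5", SAMPLE_MESSAGE),
                    ("198.51.100.10", [l.replace("sig-ok", "sig-bad") for l in SAMPLE_MESSAGE]),
                    ("198.51.100.10", SAMPLE_MESSAGE)]:
        print(run_session(ip, "mail.example.org", "alice@example.org",
                          "bob@example.edu", msg, all_checks))
```

Running it shows the blocklist verdict after one command, the SPF verdict after two, and the DKIM verdict only after every header and body line has been read, which is the cost difference the post is talking about once multiplied across a large mail volume.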
