funsec mailing list archives

Re: Shocker: DKIM antispam standard can't stop spam


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Sat, 14 Jul 2007 11:06:10 +1200

Valdis.Kletnieks () vt edu wrote:

It *would* be, if a fraction of the spam we got had vt.edu source addresses.
But *we* don't filter out very much spam by listing what places can send with
vt.edu addresses.  *OTHER* places can filter any spam that shows up with
a 'From: vt.edu' on it.  But publishing vt.edu doesn't do *squat* for our
filtering spam that has some *OTHER* domain in the From: - we only get *that*
benefit if the purported source domain publishes *their* info.

To run it by once more - we publish, gmail gets the benefit. Gmail publishes,
*we* get the benefit. Nobody gets the benefit *themselves* by publishing.

Correct (not that that's surprising from Valdis).

The important bit you omitted though, is that by the time a reasonable 
chunk of the big Internet/Email service providers are publishing such 
information, the "benefit" you allude to will be almost exactly zero.

Early adopters DO see a benefit (along with nasty FP rate spikes if 
trying to use this for filtering/classifying incoming Email) BUT that 
will be quickly eroded once/if adoption rates start to affect the 
spammers' bottom lines.  That is because this "technology" is so 
moronically simple-minded that it can be completely side-stepped with a 
few dozen lines of extra code on the part of today's spam-bot writers.

Anyone pushing such "anti-spam" (or "stepping stone to effective 
reputation services") measures is either grievously ignorant of how 
today's spam works in-the-large, or making a tidy living off shilling 
second-rate anti-spam "solutions" (or both, of course).


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

