DKIM signatures with DCC

Vernon Schryver vjs@calcite.rhyolite.com
Tue Oct 27 22:21:03 UTC 2009


> From: Gary Mills <mills@cc.umanitoba.ca>
> To: Vernon Schryver <vjs@calcite.rhyolite.com>
> Cc: dcc@calcite.rhyolite.com, ophidian@newsnation.com

> > Reputations are not fungible or even transitive.  Real reputations are
> > individual, and that implies that each user must decide which senders
> > (and so DKIM or other headers) are sending solicited or tolerated bulk
> > email.
>
> If the sender works for a bank, for example, they are subject to the
> bank's policies on e-mail.  Employees of an organization are less
> likely to send spam than are customers of an organization, for example.
> Companies can fire employees, but they don't want to alienate their
> paying customers.

I fear the definition of "spam" there is not any and all unsolicited
bulk email, but the self-serving nonsense of lawful opt-out email
advertisers as fraud and other illegal junk but excluding lawful
unsolicited bulk email advertising.  My personal experience with
very large banks and credit card companies is that they use exactly
the same ESPs to send junk email I explicitly don't want as to send
"security alerts" and similar that I probably should want.  There's
nothing forged about junk advertising email that you've explicitly
declined from your bank or stock broker.  That makes using DKIM or
anything else to prevent forgery ineffective.

Concerning the general value of DKIM:
  - Spam from Google that has DKIM signatures, like the wanted email as 
     well as the spam from my big bank and credit card company.
  - Should I spend the time and effort to make this mailing list DKIM
     signed, or would my time be better spent putting DNSSEC signatures
     on rhyolite.com and dcc-servers.net using the ISC DLV registry?
     (I've spent the few minutes needed to sign the zones, but haven't
     mustered the ambition to sign up at https://dlv.isc.org/ )
  - Are any of the ~830 mailing lists at umanitoba.ca found with an
     obvious search DKIM signed?  What about other mail from
     cc.umanitoba.ca?  Or would your time be better spent getting
     DNSSEC going on umanitoba.ca?


> Yes, it seems that e-mail senders are willing to pay to improve the
> `deliverability' of their e-mail.  Here's an example, taken from
> a recent e-mail marketing message:
>
>     http://www.isipp.com/iadb.php

The reports on "Secrets to Email that Gets Opened & Read" and "How
Engagement Metrics Influence Deliverability" on http://habeas.com/
are more ironically relevant to reputations and DKIM.  Didn't Habeas'
second or third business plan involve selling some sort of whitelist
service to spam targets?



} From: Gary Mills <mills@cc.umanitoba.ca>
} To: Earl Killian <earl@killian.com>

} On Mon, Oct 26, 2009 at 08:44:23PM -0700, Earl Killian wrote:
} > What about using DNSWL on the IP address? They have none, low, med,  
} > high trustworthiness levels.

Would people consider it worthwhile for the DCC client programs,
dccm, dccifd, and dccproc, to honor DNS whitelists?  I'm not a fan
of http://www.dnswl.org/ or the general idea, but that doesn't mean
the code shouldn't support it if it would be used.


} We do subscribe to Spamhaus' DNS-based blocklist.  They are
} invaluable, and integrate nicely with DCC.  Most of our rejections
} are based on their ZEN database now.  However, nothing compares
} with cryptographic signatures like DKIM.  These prevent forgeries.
} That's why we would like to make increased use of DKIM.

A DNS blacklist (DNSBL) is as much a reputation system as any other.
The IP addresses in most DNSBLs are as practically unforgeable as DKIM
signatures.  The problems with DNSBLs are that they list bad guys instead
of good guys and IP addresses are a little (but not a lot) more subject
to change than domain names.


> From: "John R. Levine" <johnl@iecc.com>

> > At my organization, people complain about receiving spam.  They want
> > me to stop it.  I wonder if they are also willing to pay.
>
> Of course not.  The essence of Internet Economics is to foist your costs
> off on someone else.  That's why we have spam in the first place.

including the individual personal costs of time and effort to
maintain private white- and blacklists.

You could build a local DNSBL that covers all of the Internet except
University of Manitoba IP addresses.  Then you could let people who
complain about spam turn it on in their individual DCC whiteclnt
files and add whitelist entries to those same whiteclnt files with
something like the proof of concept cgi scripts.


> People are building them, but I doubt you'll find many being given away
> for free.

as demonstrated by Spamhaus' prices for their reputation databases
including ZEN.  Or DCC Reputations.


Vernon Schryver    vjs@rhyolite.com
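
The DNS list lookups discussed in this message, as an added example (not part of the original post and not DCC code): how a client forms the query name for a DNSBL or DNSWL and reads the dnswl.org answer, which is encoded as 127.0.<category>.<trust> with trust 0 to 3 for none, low, med, high. The DNS answers are passed in as strings so it runs offline; the `verdict` policy and its `min_trust` parameter are hypothetical.

```python
import ipaddress

# dnswl.org answers are 127.0.<category>.<trust>; trust is 0..3.
TRUST_LEVELS = {0: "none", 1: "low", 2: "med", 3: "high"}
ORDER = list(TRUST_LEVELS.values())


def dns_list_qname(ip, zone):
    """Build the name a client looks up to test `ip` against a DNS list."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]                   # reversed octets
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]   # reversed nibbles
    return ".".join(labels) + "." + zone.strip(".")


def decode_dnswl(answer):
    """Return (category, trust) for a dnswl A record, or None if unusable.

    `answer` is the A record text, or None for NXDOMAIN (address not listed).
    Anything outside 127.0.x.0-3 is rejected rather than read as trust.
    """
    if answer is None:
        return None
    try:
        octets = ipaddress.IPv4Address(answer).packed
    except ipaddress.AddressValueError:
        return None
    if octets[0] != 127 or octets[1] != 0 or octets[3] not in TRUST_LEVELS:
        return None
    return octets[2], TRUST_LEVELS[octets[3]]


def verdict(blacklist_answer, whitelist_answer, min_trust="med"):
    """Hypothetical policy: a sufficiently trusted whitelist hit overrides
    a blacklist listing; otherwise a blacklist listing rejects."""
    white = decode_dnswl(whitelist_answer)
    if white and ORDER.index(white[1]) >= ORDER.index(min_trust):
        return "accept"
    # Only 127.0.0.x counts as a listing; other answers (for example a
    # list's error codes) must not be mistaken for "listed".
    listed = blacklist_answer is not None and blacklist_answer.startswith("127.0.0.")
    return "reject" if listed else "continue"
```
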


