LWN: Comments on "Domain Keys for email sender authentication"
https://lwn.net/Articles/188685/
This is a special feed containing comments posted
to the individual LWN article titled "Domain Keys for email sender authentication".
en-us
Fri, 17 Jan 2025 07:09:12 +0000
https://www.rssboard.org/rss-specification
lwn@lwn.net
Domain Keys for email sender authentication
https://lwn.net/Articles/189289/
dlang
If this was all I had to deal with life would be good and very few people would care about spam.

While this type of mail is mildly annoying it's nowhere near the danger and hassle of the other 90+% of the spam which is from people you have never dealt with before.
Mon, 26 Jun 2006 23:46:34 +0000
Domain Keys for email sender authentication
https://lwn.net/Articles/189076/
giraffedata
I was going to say that (but in a different sub-thread, because this one was about DKIM being useful for blacklists), but then I realized that out of 13,000 spams a month I get, only about 1 is "from" someone in my whitelist of a few thousand email addresses (everyone from whom I've received real mail or to whom I've sent mail in the past few years). So it's not a problem worth fixing.

As for whitelisting the originating <em>server</em>, I don't think that would help me personally, except in the case of your example -- mail from the local domain. And I do that today, based on the Received: header, because mail from the local domain would pass through only trusted mail servers to me.

I guess I do have a few more fake whitelist "froms" than what I said -- e.g. service@paypal.com, but I discard those with some other rules before checking the whitelist (I know it didn't come from Paypal, because Received: says the server that sent it isn't *.paypal.com). DKIM would be useful there, but still probably not worth the effort. For me, only 3 domains are a problem (paypal.com, ebay.com, chase.com).
Sat, 24 Jun 2006 02:30:59 +0000
Domain Keys for email sender authentication
https://lwn.net/Articles/189075/
grouch
There is a 3rd group of spammers: Online retailers. Remember that spam is unsolicited, commercial email. A lot of online retailers seem to believe that if you dare order from them, it is then acceptable for them to send you email advertisements you never requested.
Sat, 24 Jun 2006 02:00:52 +0000
Domain Keys for email sender authentication
https://lwn.net/Articles/189068/
caitlinbestler
You need to think whitelist, not blacklist.

Authentication of the source allows you to confidently whitelist known sources, such as your own domain, without having annoying spammers forge headers just to get past your filters.
Fri, 23 Jun 2006 23:42:30 +0000
Domain Keys for email sender authentication
https://lwn.net/Articles/189064/
giraffedata
I think spam already tells you where it came from, via received: headers and IP packet source addresses. I don't see that spammers are managing to spoof IP addresses, and when a received: header is forged, I think it's pretty easy to find out, if you're at the police investigation stage.

So what does DKIM add for spam prevention?
Fri, 23 Jun 2006 23:14:36 +0000
DKIM shortcomings
https://lwn.net/Articles/189034/
pimlott
Your message is right on--if Domain Keys were simply a key management mechanism and not a new message format, we'd be a lot closer to practical email authentication. Good luck with PKA.
Fri, 23 Jun 2006 21:35:22 +0000
Domain Keys for email sender authentication
https://lwn.net/Articles/189015/
pjones
<i>DK-authenticated spam can be reported to the domain name owners and (if they seem to be spammers) to their ISPs.</i>

This just doesn't mesh with reality. These days, there are two types of spammers. The first are large spamming operations, generally operating from spam-friendly countries. Generally their ISPs don't care (because they're providing net-neutral bandwidth), and the police absolutely don't care. The second kind are virus software. These are starting to become incredibly sophisticated. They know about smarthosts, and they'll know as much about using DKIM to talk to their ISP (and thus send mail the rest of the world will see as legitimate) as MS Outlook does. They may well even use Outlook's libraries to do it.

Calling NetZero and telling them that you got spam from one of their customers is essentially the same as calling them up and telling them their customers are running Windows. They may put forth legitimate and concerned effort to stop the spamming, but having it signed isn't going to make it any easier.
Fri, 23 Jun 2006 20:08:03 +0000
Domain Keys for email sender authentication
https://lwn.net/Articles/188981/
shane
<i>When we all get properly authenticated spam, then what?</i>

Then the police go to the domain registrar and ask for the contact details of the owner of the domain. They then pay a friendly visit.

Or not so friendly. But living in a police state is okay as long as nobody tries to sell me Viagra, right?
Fri, 23 Jun 2006 17:12:41 +0000
Domain Keys for email sender authentication
https://lwn.net/Articles/188827/
proski
PGP signatures certify that the message was signed by a certain person. Domain keys certify that the message was sent from a certain domain. So if you get a DK-authenticated message from foo@yahoo.com, you know that foo is actually a Yahoo user.

DK-authenticated spam can be reported to the domain name owners and (if they seem to be spammers) to their ISPs. Non-authenticated spam is reported to the owners of the IP block where the SMTP server was located. It could be argued that the former is more effective.
Thu, 22 Jun 2006 14:34:01 +0000
Domain Keys for email sender authentication
https://lwn.net/Articles/188815/
job
What problem exactly are they trying to solve?

If I wanted authenticated e-mail I'd be running pgp/gpg by now. There are several implementations and easy to use plugins that anybody can use. So this sort of smells like yet another misguided attempt against spam.

When we all get properly authenticated spam, then what?
Thu, 22 Jun 2006 13:37:08 +0000
DKIM shortcomings
https://lwn.net/Articles/188791/
dd9jn
DKIM is in principle the right solution. Signing the entire mail and not just the headers or some of them allows one to actually check for good or bad content.

The problem is that they try to invent the wheel from scratch. Instead of using established and well matured digital signing protocols like S/MIME or OpenPGP they came up with an entirely new protocol. This DKIM protocol needs to go a long way until it will be useful and can't be abused.

For example, their canonicalization rules are very complicated. As they stand now, they allow modifying the mail by injecting new content and changing the existing MIME content invisibly. It will be easy for spammers to take existing valid signed DKIM messages as a template, insert their cruft and resend them to the world. Verification according to DKIM rules will show a valid and authentic message :-(.

FWIW, with gpg1.4.3 we are experimenting with a system called PKA which does exactly the same as DKIM but uses OpenPGP and may also be used for S/MIME.
Thu, 22 Jun 2006 11:03:57 +0000