
macquigg at ece
Oct 14, 2009, 3:08 PM
Post #43 of 63
Ian Eiloart wrote:
> --On 13 October 2009 10:25:15 -0700 David MacQuigg
> <macquigg [at] ece> wrote:
>> Ian Eiloart wrote:
>>> --On 13 October 2009 13:39:44 +0200 Alessandro Vesely <vesely [at] tana>
>>> wrote:
>>>> David MacQuigg wrote:
>>>>> Ian Eiloart wrote:
>>>>>> If SPF fails, then look for a DKIM signature. If you get a good one,
>>>>>> you're likely seeing traditional forwarding.
>>>>>
>>>>> Or forwarding by a crook. What prevents a spammer from sending a
>>>>> billion ads for Viagra, all with a valid DKIM signature from a
>>>>> reputable domain? All it takes is one signed message. The rest can
>>>>> be copies, "forwarded" via a botnet.
>>>
>>> Nothing prevents that, but the only purpose it would serve would be to
>>> harm the reputation of the original signer, or to increase the income
>>> of the original signer. The spammer could derive no benefit, since the
>>> advert would not route the buyer through the spammer's reward system.
>>
>> Most of the spam hitting my receiver at box67.com does not depend on a
>> reply to a verified address. The spammer or phisher benefits when you
>> click on a link, or buy a stock, or change your thinking on a political
>> issue.
>
> That's not relevant. The message is still from the original sender,
> and still benefits the original sender, because the body of the
> message is signed.

If a spammer gets a free account at Yahoo, and sends himself an ad for Viagra, an ad with a link to a phony website that does nothing but collect credit numbers, how does Yahoo benefit?

Let's try to avoid ambiguous words like "sender". In this case, we have an author (the spammer) and a signer (Yahoo). Clearly the author benefits in getting a DKIM signature from a reputable domain, but how does Yahoo benefit?

>> As for the reputation of the original signer, it won't suffer much.
>> Most receivers have enough common sense to not blame Yahoo for one spam
>> slipping past their filters. Lowering Yahoo's reputation would only
>> harm the receiver's filtering process.
>
> That's a good point. For large ESPs, you have to do the reputation
> assignment by some part of the signed content of the message, perhaps
> the From address. But, the DKIM signature allows you to do that for
> addresses in the signing domain.

These addresses are worthless. You can get 1000 free accounts for less than a penny each ($2 to break 1000 CrAPTCHAs). http://decaptcher.com

>>> Now, let's get more specific. Suppose the original message were sent
>>> from a gmail account set up for the purpose. You're proposing this
>>> mechanism to route around rate-limiting, or other bulk mail detectors
>>> on the gmail server. That's fine, it'll do that. And whose reputation
>>> suffers? Not gmail's, but the sender address. With a sufficiently
>>> responsive reputation infrastructure, the sender address will quickly
>>> acquire poor reputation.

OK, I think I understand now what you mean by "sender". Sender (individual author) addresses are worthless to identify bad senders. See above.

>> Most spam is transmitted by zombies in a botnet. Gmail is an exception.
>> Their reputation is suffering, because the spam is coming directly from
>> their authorized transmitters.
>
> Yep. Botnets can be reasonably dealt with using IP reputation
> assignment. That's not true for the large ESPs, because the IP
> addresses are shared with good and bad senders. Similarly for large
> ESP domains.

???

-- Dave