DKIM signatures with DCC


DKIM signatures with DCC

by Gary Mills

I've been using DCC to whitelist messages by DKIM signature for some
time now, and have been quite pleased with the results.  I keep the
sendmail headers in a separate file that's included into the
`whiteclnt' file.  They look like this:

    ok      substitute Authentication-Results electra.cc.umanitoba.ca; dkim=pass (1024-bit key) header.i=@...
    ok      substitute Authentication-Results electra.cc.umanitoba.ca; dkim=pass (1024-bit key) header.i=@...

DKIM signature validation is extremely useful for spam control because
it prevents forgeries.  Any signed and validated message from
USER@... is guaranteed to come from that
organization.  Forged messages from the same address will not pass
validation, even if they are DKIM-signed.  This is a great advance.
It eliminates all the spam that comes from herds of compromised home
computers.  This is especially important for phishing attempts.

Unfortunately, the presence of a valid DKIM signature does not
indicate that the message is not spam.  It only indicates that the
sending domain employs DKIM signatures.  E-mail marketing companies,
each with thousands of domain names, are signing their messages in
hopes that they will appear more legitimate.  This means that there's
no way to tell from the domain name itself if an organization does not
send spam, like a bank or a university, or if they are one of those
marketeers.

So far, I've only accumulated twelve domain names that I trust not to
send spam.  This number has to be greatly expanded to make DKIM
signatures truly useful.  How can we do this?  The usual answer seems
to be a reputation database of domain names, but I've still not found
such a thing.  I'm certainly willing to pay for it.  This is the
missing piece in the puzzle.

--
-Gary Mills-        -Unix Group-        -Computer and Network Services-
_______________________________________________
DCC mailing list      DCC@...
http://www.rhyolite.com/mailman/listinfo/dcc
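As an added example, not from the post above or from the DCC project, the following Python reproduces the decision those `ok substitute Authentication-Results ... dkim=pass ... header.i=@DOMAIN` whiteclnt entries express: whitelist only when our own verifier (identified by its authserv-id) reports dkim=pass for a signer domain on the short trusted list, and ignore Authentication-Results lines stamped by anyone else. The authserv-id, the trusted domains and the sample headers are constructed.

```python
import re

# Authserv-id that our own verifier writes into Authentication-Results.
# An Authentication-Results line carrying any other authserv-id could have
# arrived with the message, so it is ignored rather than trusted (constructed).
LOCAL_AUTHSERV_ID = "mx.example.edu"

# The short list of signer domains trusted not to send spam (constructed;
# the post keeps twelve such entries).
TRUSTED_DKIM_DOMAINS = {"bank.example", "university.example"}

_DKIM_RE = re.compile(r"\bdkim=(\w+)")
_SIGNER_RE = re.compile(r"\bheader\.[id]=@?([^\s;()]+)")


def parse_authres(value):
    """Split one Authentication-Results value into
    (authserv_id, dkim_result, signer_domain); None if it has no authserv-id."""
    head, _, rest = value.partition(";")
    parts = head.split()
    if not parts:
        return None
    dkim = _DKIM_RE.search(rest)
    signer = _SIGNER_RE.search(rest)
    domain = None
    if signer:
        # header.i may be a full address (user@domain); keep only the domain.
        domain = signer.group(1).rsplit("@", 1)[-1].lower()
    return (parts[0].lower(), dkim.group(1).lower() if dkim else None, domain)


def whitelist_by_dkim(headers, trusted=TRUSTED_DKIM_DOMAINS,
                      authserv_id=LOCAL_AUTHSERV_ID):
    """Return the trusted signer domain if the message should be whitelisted,
    else None. dkim=pass alone is never enough: it proves where the message
    came from, not that the origin refrains from sending spam."""
    for name, value in headers:
        if name.lower() != "authentication-results":
            continue
        parsed = parse_authres(value)
        if parsed is None:
            continue
        asid, result, domain = parsed
        if asid != authserv_id.lower():
            continue  # not stamped by our verifier; do not trust it
        if result == "pass" and domain in trusted:
            return domain
    return None


# Constructed sample messages as lists of (header name, value) pairs.
MSG_TRUSTED = [
    ("From", "alerts@bank.example"),
    ("Authentication-Results",
     "mx.example.edu; dkim=pass (1024-bit key) header.i=@bank.example"),
]
MSG_SIGNED_BUT_UNTRUSTED = [
    ("Authentication-Results",
     "mx.example.edu; dkim=pass (2048-bit key) header.d=bulkmailer.example"),
]
MSG_FOREIGN_AUTHRES = [
    # First line was not written by our verifier; second line is ours and fails.
    ("Authentication-Results",
     "other-host.example; dkim=pass header.i=@bank.example"),
    ("Authentication-Results",
     "mx.example.edu; dkim=fail (signature did not verify) header.i=@bank.example"),
]

if __name__ == "__main__":
    for label, msg in [("trusted", MSG_TRUSTED),
                       ("signed but untrusted", MSG_SIGNED_BUT_UNTRUSTED),
                       ("foreign authres", MSG_FOREIGN_AUTHRES)]:
        print(f"{label}: whitelist -> {whitelist_by_dkim(msg)}")
```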

Re: DKIM signatures with DCC

by Chris Aseltine

Vernon are you going to answer?

"Gary Mills" <mills@...> writes:

> I've been using DCC to whitelist messages by DKIM signature for some
> time now, and have been quite pleased with the results.  I keep the
> sendmail headers in a separate file that's included into the
> `whiteclnt' file.  They look like this:
>
>     ok      substitute Authentication-Results electra.cc.umanitoba.ca; dkim=pass (1024-bit key) header.i=@...
>     ok      substitute Authentication-Results electra.cc.umanitoba.ca; dkim=pass (1024-bit key) header.i=@...
>
> DKIM signature validation is extremely useful for spam control because
> it prevents forgeries.  Any signed and validated message from
> USER@... is guaranteed to come from that
> organization.  Forged messages from the same address will not pass
> validation, even if they are DKIM-signed.  This is a great advance.
> It eliminates all the spam that comes from herds of compromised home
> computers.  This is especially important for phishing attempts.
>
> Unfortunately, the presence of a valid DKIM signature does not
> indicate that the message is not spam.  It only indicates that the
> sending domain employs DKIM signatures.  E-mail marketing companies,
> each with thousands of domain names, are signing their messages in
> hopes that they will appear more legitimate.  This means that there's
> no way to tell from the domain name itself if an organization does not
> send spam, like a bank or a university, or if they are one of those
> marketeers.
>
> So far, I've only accumulated twelve domain names that I trust not to
> send spam.  This number has to be greatly expanded to make DKIM
> signatures truly useful.  How can we do this?  The usual answer seems
> to be a reputation database of domain names, but I've still not found
> such a thing.  I'm certainly willing to pay for it.  This is the
> missing piece in the puzzle.

Re: DKIM signatures with DCC

by Vernon Schryver

> From: "Chris Aseltine" <ophidian@...>

> Vernon are you going to answer?
>
> "Gary Mills" <mills@...> writes:
>
> > I've been using DCC to whitelist messages by DKIM signature for some
> > time now, and have been quite pleased with the results.  I keep the

> > Unfortunately, the presence of a valid DKIM signature does not
> > indicate that the message is not spam.  It only indicates that the
> > sending domain employs DKIM signatures.  E-mail marketing companies,
> > each with thousands of domain names, are signing their messages in

> > So far, I've only accumulated twelve domain names that I trust not to
> > send spam.  This number has to be greatly expanded to make DKIM
> > signatures truly useful.  How can we do this?  The usual answer seems
> > to be a reputation database of domain names, but I've still not found
> > such a thing.  I'm certainly willing to pay for it.  This is the
> > missing piece in the puzzle.

My answer is a useless rant about the lack of profit in selling genuine
honestly-really-never-sends-spam reputations.

If email reputations could work without manual whitelisting, then
consumer and business credit ratings would be used for detecting
good risks instead of avoiding bad risks.  In the real world, people
and businesses with excellent credit don't advertise it or even hide it
(e.g. by locking their credit bureau reports).  It's the others who
jump through hoops like maintaining several active credit cards all
below limit or blabbing all kinds of company confidential information
to any phone caller that claims to be from D&B.

Reputations are not fungible or even transitive.  Real reputations are
individual, and that implies that each user must decide which senders
(and so DKIM or other headers) are sending solicited or tolerated bulk
email.  Users who can't be bothered to make their own decisions should
be encouraged to use Microsoft or Google, which my tests imply blacklist
all mail except from senders who've done the equivalent of hiring help to
improve their FICO credit scores.

Even Microsoft and Google require users to help.  You can see that by
subscribing a Hotmail or Google mailbox to this mailing list and noticing
that it will go to your spam folder until you whitelist it.  (You'd
have to confirm the subscription by sending the key from somewhere other
than those two continuing sources of unsolicited bulk email or getting
me to whitelist the mailbox.)


Vernon Schryver    vjs@...

Re: DKIM signatures with DCC

by Gary Mills

On Mon, Oct 26, 2009 at 08:44:23PM -0700, Earl Killian wrote:
> What about using DNSWL on the IP address? They have none, low, med,  
> high trustworthiness levels.

We do subscribe to Spamhaus' DNS-based blocklist.  They are
invaluable, and integrate nicely with DCC.  Most of our rejections
are based on their ZEN database now.  However, nothing compares
with cryptographic signatures like DKIM.  These prevent forgeries.
That's why we would like to make increased use of DKIM.

--
-Gary Mills-        -Unix Group-        -Computer and Network Services-

Re: DKIM signatures with DCC

by Gary Mills

On Tue, Oct 27, 2009 at 03:30:12AM +0000, Vernon Schryver wrote:

> > From: "Chris Aseltine" <ophidian@...>
>
> > "Gary Mills" <mills@...> writes:
> >
> > > I've been using DCC to whitelist messages by DKIM signature for some
> > > time now, and have been quite pleased with the results.  I keep the
>
> > > Unfortunately, the presence of a valid DKIM signature does not
> > > indicate that the message is not spam.  It only indicates that the
> > > sending domain employs DKIM signatures.  E-mail marketing companies,
> > > each with thousands of domain names, are signing their messages in
>
> > > So far, I've only accumulated twelve domain names that I trust not to
> > > send spam.  This number has to be greatly expanded to make DKIM
> > > signatures truly useful.  How can we do this?  The usual answer seems
> > > to be a reputation database of domain names, but I've still not found
> > > such a thing.  I'm certainly willing to pay for it.  This is the
> > > missing piece in the puzzle.
>
> My answer is a useless rant about the lack of profit in selling genuine
> honestly-really-never-sends-spam reputations.

It's also practical economics, and I appreciate that.

> If email reputations could work without manual whitelisting, then
> consumer and business credit ratings would be used for detecting
> good risks instead of avoiding bad risks.  In the real world, people
> and businesses with excellent credit don't advertise it or even hide it
> (e.g. by locking their credit bureau reports).  It's the others who
> jump through hoops like maintaining several active credit cards all
> below limit or blabbing all kinds of company confidential information
> to any phone caller that claims to be from D&B.

Yes, this is perverse.

> Reputations are not fungible or even transitive.  Real reputations are
> individual, and that implies that each user must decide which senders
> (and so DKIM or other headers) are sending solicited or tolerated bulk
> email.

If the sender works for a bank, for example, they are subject to the
bank's policies on e-mail.  Employees of an organization are less
likely to send spam than are customers of an organization, for example.
Companies can fire employees, but they don't want to alienate their
paying customers.

> Users who can't be bothered to make their own decisions should
> be encouraged to use Microsoft or Google, which my tests imply blacklist
> all mail except from senders who've done the equivalent of hiring help to
> improve their FICO credit scores.

Yes, it seems that e-mail senders are willing to pay to improve the
`deliverability' of their e-mail.  Here's an example, taken from
a recent e-mail marketing message:

    http://www.isipp.com/iadb.php

At my organization, people complain about receiving spam.  They want
me to stop it.  I wonder if they are also willing to pay.  In any
case, I see now that waiting for somebody to compile a reputation
database is futile.  It looks as if we'll have to do this ourselves.
I'll see what sort of structure I need to make that possible.  DKIM
will still be the key to this treasure.

--
-Gary Mills-        -Unix Group-        -Computer and Network Services-

Re: DKIM signatures with DCC

by John R. Levine

> At my organization, people complain about receiving spam.  They want
> me to stop it.  I wonder if they are also willing to pay.

Of course not.  The essence of Internet Economics is to foist your costs
off on someone else.  That's why we have spam in the first place.

> In any case, I see now that waiting for somebody to compile a reputation
> database is futile.

People are building them, but I doubt you'll find many being given away
for free.

R's,
John

Re: DKIM signatures with DCC

by Earl A. Killian

DNSWL is a "white list", not a blacklist. I thought that was what you
were looking for. I use both ZEN and DNSWL. Anything in DNSWL with a
trustworthiness of "high" gets to skip greylisting, for example.

I also use a couple of RHSBLs (they say whether the sender name (not
IP) is blacklisted). You would reject even DKIM validated sites if
they were in the RHSBL.

I actually use SPF rather than DKIM, and I see lots of rejections from  
that. I have not investigated how to use DKIM. I guess I will look for  
a HOWTO.

-Earl

On Oct 27, 2009, at 1:36 PM, Gary Mills wrote:

> On Mon, Oct 26, 2009 at 08:44:23PM -0700, Earl Killian wrote:
>> What about using DNSWL on the IP address? They have none, low, med,
>> high trustworthiness levels.
>
> We do subscribe to Spamhaus' DNS-based blocklist.  They are
> invaluable, and integrate nicely with DCC.  Most of our rejections
> are based on their ZEN database now.  However, nothing compares
> with cryptographic signatures like DKIM.  These prevent forgeries.
> That's why we would like to make increased use of DKIM.
>
> --
> -Gary Mills-        -Unix Group-        -Computer and Network Services-


Re: DKIM signatures with DCC

by Gary Mills

On Tue, Oct 27, 2009 at 05:12:04PM -0400, John R. Levine wrote:
>
> >In any case, I see now that waiting for somebody to compile a reputation
> >database is futile.
>
> People are building them, but I doubt you'll find many being given away
> for free.

We are willing to pay for one, and to contribute to one.

--
-Gary Mills-        -Unix Group-        -Computer and Network Services-

Re: DKIM signatures with DCC

by Vernon Schryver

> From: Gary Mills <mills@...>
> To: Vernon Schryver <vjs@...>
> Cc: dcc@..., ophidian@...

> > Reputations are not fungible or even transitive.  Real reputations are
> > individual, and that implies that each user must decide which senders
> > (and so DKIM or other headers) are sending solicited or tolerated bulk
> > email.
>
> If the sender works for a bank, for example, they are subject to the
> bank's policies on e-mail.  Employees of an organization are less
> likely to send spam than are customers of an organization, for example.
> Companies can fire employees, but they don't want to alienate their
> paying customers.

I fear the definition of "spam" there is not any and all unsolicited
bulk email, but the self-serving nonsense of lawful opt-out email
advertisers as fraud and other illegal junk but excluding lawful
unsolicited bulk email advertising.  My personal experience with
very large banks and credit card companies is that they use exactly
the same ESPs to send junk email I explicitly don't want as to send
"security alerts" and similar that I probably should want.  There's
nothing forged about junk advertising email that you've explicitly
declined from your bank or stock broker.  That makes using DKIM or
anything else to prevent forgery ineffective.

Concerning the general value of DKIM:
  - Spam from Google that has DKIM signatures, like the wanted email as
     well as the spam from my big bank and credit card company.
  - Should I spend the time and effort to make this mailing list DKIM
     signed, or would my time be better spent putting DNSSEC signatures
     on rhyolite.com and dcc-servers.net using the ISC DLV registry?
     (I've spent the few minutes needed to sign the zones, but haven't
     mustered the ambition to sign up at https://dlv.isc.org/ )
  - Are any of the ~830 mailing lists at umanitoba.ca found with an
     obvious search DKIM signed?  What about other mail from
     cc.umanitoba.ca?  Or would your time be better spent getting
     DNSSEC going on umanitoba.ca?


> Yes, it seems that e-mail senders are willing to pay to improve the
> `deliverability' of their e-mail.  Here's an example, taken from
> a recent e-mail marketing message:
>
>     http://www.isipp.com/iadb.php

The reports on "Secrets to Email that Gets Opened & Read" and "How
Engagement Metrics Influence Deliverability" on http://habeas.com/
are more ironically relevant to reputations and DKIM.  Didn't Habeas'
second or third business plan involve selling some sort of whitelist
service to spam targets?



} From: Gary Mills <mills@...>
} To: Earl Killian <earl@...>

} On Mon, Oct 26, 2009 at 08:44:23PM -0700, Earl Killian wrote:
} > What about using DNSWL on the IP address? They have none, low, med,  
} > high trustworthiness levels.

Would people consider it worthwhile for the DCC client programs,
dccm, dccifd, and dccproc, to honor DNS whitelists?  I'm not a fan
of http://www.dnswl.org/ or the general idea, but that doesn't mean
the code shouldn't support it if it would be used.


} We do subscribe to Spamhaus' DNS-based blocklist.  They are
} invaluable, and integrate nicely with DCC.  Most of our rejections
} are based on their ZEN database now.  However, nothing compares
} with cryptographic signatures like DKIM.  These prevent forgeries.
} That's why we would like to make increased use of DKIM.

A DNS blacklist (DNSBL) is as much a reputation system as any other.
The IP addresses in most DNSBLs are as practically unforgeable as DKIM
signatures.  The problems with DNSBLs are that they list bad guys instead
of good guys and IP addresses are a little (but not a lot) more subject
to change than domain names.


> From: "John R. Levine" <johnl@...>

> > At my organization, people complain about receiving spam.  They want
> > me to stop it.  I wonder if they are also willing to pay.
>
> Of course not.  The essence of Internet Economics is to foist your costs
> off on someone else.  That's why we have spam in the first place.

including the individual personal costs of time and effort to
maintain private white- and blacklists.

You could build a local DNSBL that covers all of the Internet except
University of Manitoba IP addresses.  Then you could let people who
complain about spam turn it on in their individual DCC whiteclnt
files and add whitelist entries to those same whiteclnt files with
something like the proof of concept cgi scripts.


> People are building them, but I doubt you'll find many being given away
> for free.

as demonstrated by Spamhaus' prices for their reputation databases
including ZEN.  Or DCC Reputations.


Vernon Schryver    vjs@...

Re: DKIM signatures with DCC

by Bart Dumon-2


On Tue, Oct 27, 2009 at 10:21:03PM +0000, Vernon Schryver wrote:
>
> } On Mon, Oct 26, 2009 at 08:44:23PM -0700, Earl Killian wrote:
> } > What about using DNSWL on the IP address? They have none, low, med,  
> } > high trustworthiness levels.
>
> Would people consider it worthwhile for the DCC client programs,
> dccm, dccifd, and dccproc, to honor DNS whitelists?  I'm not a fan
> of http://www.dnswl.org/ or the general idea, but that doesn't mean
> the code shouldn't support it if it would be used.

I would definitely use it. Whitelisting is probably the most maintenance-intensive part of using dccm and anything that somehow would mitigate the need of manual whitelisting by users would be welcome. And besides all that, there isn't much support in software for DNS whitelists at this time, adding support can only contribute to better and maybe more whitelists.


bart
--

Re: DKIM signatures with DCC

by Gary Mills

On Tue, Oct 27, 2009 at 10:21:03PM +0000, Vernon Schryver wrote:

> > From: Gary Mills <mills@...>
> > To: Vernon Schryver <vjs@...>
> > Cc: dcc@..., ophidian@...
>
> > > Reputations are not fungible or even transitive.  Real reputations are
> > > individual, and that implies that each user must decide which senders
> > > (and so DKIM or other headers) are sending solicited or tolerated bulk
> > > email.
> >
> > If the sender works for a bank, for example, they are subject to the
> > bank's policies on e-mail.  Employees of an organization are less
> > likely to send spam than are customers of an organization, for example.
> > Companies can fire employees, but they don't want to alienate their
> > paying customers.
>
> I fear the definition of "spam" there is not any and all unsolicited
> bulk email, but the self-serving nonsense of lawful opt-out email
> advertisers as fraud and other illegal junk but excluding lawful
> unsolicited bulk email advertising.

Yes, banks have marketing departments too.  However, they also listen
when their customers complain.  This can't be a big problem.

> My personal experience with
> very large banks and credit card companies is that they use exactly
> the same ESPs to send junk email I explicitly don't want as to send
> "security alerts" and similar that I probably should want.

Yes, I've seen that too.  The ease of contracting out your e-mail
announcements makes it attractive.  One used here even wanted our
signing key so they could make their mail look as if it came from us.

> There's
> nothing forged about junk advertising email that you've explicitly
> declined from your bank or stock broker.  That makes using DKIM or
> anything else to prevent forgery ineffective.

That is actually a big step forward.  Once an organization signs their
e-mail, they become accountable for it simply because it can't be
forged.  If they don't respond to complaints, they can be delisted or
downgraded in a reputation database.

> Concerning the general value of DKIM:
>   - Spam from Google that has DKIM signatures, like the wanted email as
>      well as the spam from my big bank and credit card company.

This is true.  However, the origin of the e-mail is no longer in
question.  `abuse@...' does respond to complaints.  So far,
we haven't whitelisted Google by DKIM signature, although we could.

>   - Should I spend the time and effort to make this mailing list DKIM
>      signed, or would my time be better spent putting DNSSEC signatures
>      on rhyolite.com and dcc-servers.net using the ISC DLV registry?
>      (I've spent the few minutes needed to sign the zones, but haven't
>      mustered the ambition to sign up at https://dlv.isc.org/ )

I assume these are unrelated actions.  If you signed the mailing list,
it would make it easier for me to whitelist it.

>   - Are any of the ~830 mailing lists at umanitoba.ca found with an
>      obvious search DKIM signed?  What about other mail from
>      cc.umanitoba.ca?  Or would your time be better spent getting
>      DNSSEC going on umanitoba.ca?

So far, we are not signing outgoing e-mail.  It's easy for me to enable
it, though.  Some uses of e-mail may break when I do that, but
eventually I'll have to.  This points out a problem, of course.
Senders have to sign e-mail in order for recipients to check it.

[..]
> A DNS blacklist (DNSBL) is as much a reputation system as any other.
> The IP addresses in most DNSBLs are as practically unforgeable as DKIM
> signatures.  The problems with DNSBLs are that they list bad guys instead
> of good guys and IP addresses are a little (but not a lot) more subject
> to change than domain names.

In a sense that is true.  I'd prefer something independent of a DNSBL
so I can use both together.

--
-Gary Mills-        -Unix Group-        -Computer and Network Services-