Re: [exim] Backscatter Spam Again. HELP PLEASE!

Author: Phil Pennock
Date:  
To: Matt
CC: Exim Mailing List
Subject: Re: [exim] Backscatter Spam Again. HELP PLEASE!
On 2008-03-05 at 15:26 -0600, Matt wrote:
> If you use it, hopefully it's less likely your messages will be marked
> as SPAM. I doubt DKIM is any better at blocking SPAM. They both do
> basically the same thing, which is ensure only authorized senders are
> allowed to send messages for a given domain.

At the USENIX 2007 meeting, some Sendmail folks held a BoF on use of
DKIM. In that, one of the presenters stated (paraphrasing from memory)
that some of the banks which have been targets of phishing attacks have
been going to the large ISPs to persuade them to (a) turn on DKIM
verification and (b) actively reject anything claiming to come from them
(the banks) which fails DKIM verification.

If this holds true, then it may be in practice that DKIM will be
necessary for phishing targets and just spam-score for everyone else, to
get mail through to big email providers, with manual lists of
DKIM-required.

In any case, turning on DKIM signing for outbound email for people with
small servers (such as I'm now using, since I'm no longer an ISP
postmaster) is a pretty definite win. Turning on DKIM verification has
some DoS possibilities which some people are very concerned about,
others less so.

For myself, I DomainKeys-sign outbound and verify inbound. Further,
later tonight (unless something intervenes) I'll try out the new Exim
snapshot which supports dual-signing (DomainKeys + DKIM). The problem
with DKIM before now has been transitioning in Exim, since you'd have to
disable DomainKeys in DNS and wait for that change to expire from caches
everywhere, before enabling DKIM. Being able to run both concurrently
provides a protected transition mechanism.

Myself, once I've transitioned to DKIM then I'll be inclined to put in a
learning DB with a tool which scans Exim logs for senders who used DKIM,
verifies that they're publishing DNS saying that they use DKIM
(non-testing) and then updates the DB to add that domain, so that future
mail from that domain will require use of DKIM. A learn-and-lock
approach. Perhaps with the ability to notice disappearing DKIM DNS for
those domains already in the DB.
Use of a search engine found someone's notes from the BoF:
http://www.l33tskillz.org/usenix2007/bof201/
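The learn-and-lock approach described in the post above, as an added example that is not Phil Pennock's code nor anything shipped with Exim. The Exim log line shape, the domain names, the DKIM TXT records and the in-memory "resolver" are all constructed so the script runs offline; a real deployment would read the live Exim main log and query DNS for `<selector>._domainkey.<domain>`. It covers the three pieces the post sketches: learn domains whose mail verified with DKIM, lock only those whose DNS key record is not in testing mode (`t=y`, per RFC 4871), and notice when a locked domain's DNS record disappears.

```python
"""Learn-and-lock DKIM policy sketch (added example, not the poster's code).

Assumptions, all constructed: the log line format below is modelled on the
"DKIM: d=... s=... [verification ...]" style of later Exim releases, and
DNS is simulated with a dict so the example runs with no network.
"""
import re

# Constructed sample Exim log lines (not captured from a real server).
SAMPLE_LOG = """\
2008-03-06 01:02:03 1JX0aa-0001Ab-Cd DKIM: d=bank.example s=mail [verification succeeded]
2008-03-06 01:02:10 1JX0ab-0001Ac-De DKIM: d=shop.example s=s1 [verification succeeded]
2008-03-06 01:02:17 1JX0ac-0001Ad-Ef DKIM: d=phish.example s=x [verification failed]
2008-03-06 01:02:20 1JX0ad-0001Ae-Fg <= someone@plain.example P=esmtp S=1234
"""

# Simulated DNS TXT records keyed by "<selector>._domainkey.<domain>".
# bank.example publishes a production key; shop.example still has t=y
# (testing mode), so a verifier must not treat its failures as authoritative
# and the learner should not lock that domain in yet.
SIMULATED_DNS = {
    "mail._domainkey.bank.example": "v=DKIM1; k=rsa; p=MIGfMA0G...constructed...",
    "s1._domainkey.shop.example": "v=DKIM1; k=rsa; t=y; p=MIGfMA0G...constructed...",
}

# Only successful verifications are evidence that the domain really signs.
LOG_RE = re.compile(
    r"DKIM: d=(?P<domain>\S+) s=(?P<selector>\S+) \[verification succeeded\]"
)


def parse_dkim_tags(txt):
    """Split a DKIM key record into a tag dict: 'v=DKIM1; t=y' -> {'v': 'DKIM1', 't': 'y'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def publishes_production_key(domain, selector, resolver):
    """True when DNS has a DKIM key record for selector/domain that is not in testing mode."""
    txt = resolver.get(f"{selector}._domainkey.{domain}")
    if txt is None:
        return False
    tags = parse_dkim_tags(txt)
    # v= is optional in RFC 4871 and defaults to DKIM1; any other value is unusable.
    if tags.get("v", "DKIM1") != "DKIM1":
        return False
    # t= holds colon-separated flags; "y" means the domain is only testing DKIM.
    if "y" in tags.get("t", "").split(":"):
        return False
    return "p" in tags


def learn_from_log(log_text, resolver=SIMULATED_DNS):
    """Return {domain: selector} for senders that both verified in the log and publish a live key."""
    locked = {}
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        domain, selector = match.group("domain"), match.group("selector")
        if publishes_production_key(domain, selector, resolver):
            locked[domain] = selector
    return locked


def prune_disappeared(locked, resolver):
    """Drop locked domains whose DKIM DNS record has gone away, returning the dropped names."""
    dropped = [d for d, s in locked.items() if resolver.get(f"{s}._domainkey.{d}") is None]
    for domain in dropped:
        del locked[domain]
    return sorted(dropped)


def decide(domain, dkim_verified, locked):
    """Policy for a new message: a locked domain must arrive with a verified DKIM signature."""
    if domain in locked and not dkim_verified:
        return "reject"
    return "accept"


if __name__ == "__main__":
    db = learn_from_log(SAMPLE_LOG)
    print("locked:", db)                                   # only bank.example
    print(decide("bank.example", False, db))               # reject
    print(decide("shop.example", False, db))               # accept (still testing)
    print("dropped:", prune_disappeared(db, {}))           # bank.example, record vanished
```

Running it once over the sample lines locks only `bank.example`: `shop.example` verified but its record carries `t=y`, and `phish.example` never verified at all. Calling `prune_disappeared` with a resolver that no longer returns the record unlocks the domain again, which is the safety valve the post mentions for domains that stop publishing DKIM.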