Re: [exim] Default enabling of dnsdb

Author: Phil Pennock
Date:
To: exim-users
Subject: Re: [exim] Default enabling of dnsdb
On 2009-05-07 at 13:28 +0800, W B Hacker wrote:
> Of course. But the likelihood that the very sort of arrival you mention
> would ever be in the class of folks 'polite and professional' enough to
> tell us - by spf or otherwise - that they 'never sent' mail would be
> vanishingly small.

[....]
> True - one of the current challenges is Spam/malware crafted by experts
> who have studied and applied everything discussed here and on anti-spam
> lists. Still not common, but *very* professionally crafted to get under
> all manner of radar.
>
> But those folk will not be publishing records to help us avoid them.
>
> Quite the reverse - they will be trying to publish that which increases
> our 'trust'.


Bill, in both these cases, the people sending the mail are not the
owners of the domain.

The "sends no mail" DNS SPF record is for the domain owners to help keep
their domain name from being sullied by spammers and help admins deal
with the junk that arrives anyway.

Of course, spammers are still able to abuse the domains which do send
mail and the only fix for that is BATV and restricting empty envelope
sender to bounces only.

2% of rejections may not sound like much, but given a few thousand
rejections per day and the amount of spam making it through being around
0.1% of the volume of the rejections, at peak it's an order of magnitude
increase in what I have to wade through.

Thus, for me, dnsdb is useful and I think we should be encouraging such
a lightweight knob to be available and think of it as being about at the
level of ${readsocket} -- but (normally) more light-weight than that,
since DNS usually doesn't need to fall back to TCP.

> > I consider the cost of a DNS lookup to be less than the cost of
> > verifying a DomainKeys/DKIM signature and really to be small enough
> > that, at my current scale, it's worthwhile.
>
> Agree that. In 'early days' we actually *added* spamint points on header
> 'claim' of DK / DKIM or hashcash. Now we ignore all.


Oh, I may have misled you with my phrasing. I didn't mean to disparage
DomainKeys/DKIM. I use both. I just recognise that the SPF-nomail
check is lighter than that, so comes first.

I like DomainKeys and am trying, with difficulty, to like DKIM; now I
know why people were so opposed to policy being in the DNS of each
domain, it's so that third-parties can make money with RFC 5518 (Vouch
By Reference). Fortunately, nobody's forced to use that. Perhaps one
day draft-ietf-dkim-ssp-09.txt or a successor will make it to RFC
status and DKIM will reach feature-parity with DomainKeys.

I see hard value in being able to tie a received mail, even after being
forwarded, to a particular domain owner so that a reputation score can
be safely associated with a domain. DKIM doesn't mean not-spam, just
that you can have a new signal dimension upon which to score.

But that's moved firmly off-thread-topic.

-Phil
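The "SPF-nomail" check Phil describes above (a domain owner publishes `v=spf1 -all`, the receiving MTA looks that TXT record up and rejects mail claiming to come from that domain) is simple enough to show as a worked example. The following Python is an added illustration, not code from the thread, from Phil, or from Exim; Exim itself would do the lookup in an ACL with `${lookup dnsdb{txt=$sender_address_domain}...}`. The DNS table is constructed in-line so the example runs offline, and the function and variable names are my own. It also handles two cases the thread touches on: the empty envelope sender used by bounces (no domain to look up, so the check is skipped) and a domain that publishes more than one SPF record (a permerror under RFC 7208, which this code treats as "no no-mail declaration" rather than as grounds for rejection).

```python
import re

# Constructed stand-in for DNS TXT lookups (these are not real zones; the
# records are made up to exercise each branch of the check).
FAKE_TXT = {
    "nomail.example":   ["v=spf1 -all"],                          # owner says: sends no mail
    "mailer.example":   ["v=spf1 mx ip4:192.0.2.10 -all",          # a normal sending domain
                         "site-verification=constructed-token"],  # unrelated TXT record
    "softfail.example": ["v=spf1 ~all"],                           # softfail, not a no-mail claim
    "nospf.example":    ["just some text"],                        # no SPF record at all
    "multi.example":    ["v=spf1 -all", "v=spf1 mx -all"],         # two SPF records: permerror
}

SPF_VERSION = re.compile(r"v=spf1(?:\s|$)", re.IGNORECASE)


def lookup_txt(domain, table=FAKE_TXT):
    """Return the TXT records for a domain from the constructed table.

    In Exim the equivalent is a dnsdb 'txt=' lookup; a missing name yields
    an empty list here, just as a NXDOMAIN/NODATA answer yields no records.
    """
    return table.get(domain.lower().rstrip("."), [])


def spf_records(txt_records):
    """Filter a TXT answer down to SPF version-1 records (RFC 7208 section 4.5)."""
    return [r for r in txt_records if SPF_VERSION.match(r.strip())]


def sends_no_mail(domain, table=FAKE_TXT):
    """True only if the domain's single SPF record is exactly 'v=spf1 -all'.

    Any mechanism before '-all' (mx, ip4:, include:, ...) means the owner
    does send mail from somewhere, so that is not a no-mail declaration.
    More than one SPF record is a permerror; we do not read a rejection
    policy into a broken zone, so that returns False as well.
    """
    recs = spf_records(lookup_txt(domain, table))
    if len(recs) != 1:
        return False
    terms = [t.lower() for t in recs[0].split()[1:]]
    return terms == ["-all"]


def acl_verdict(sender_address, table=FAKE_TXT):
    """Mimic the ACL decision for one envelope sender.

    'skip'     - empty envelope sender (a bounce): nothing to look up
    'deny'     - sender domain declares it sends no mail
    'continue' - no no-mail declaration; later, costlier checks run
    """
    addr = sender_address.strip()
    if addr in ("", "<>") or "@" not in addr:
        return "skip"
    domain = addr.strip("<>").rsplit("@", 1)[1]
    return "deny" if sends_no_mail(domain, table) else "continue"


if __name__ == "__main__":
    for sender in ["", "<>", "bob@nomail.example", "alice@mailer.example",
                   "carol@softfail.example", "dave@nospf.example",
                   "eve@multi.example"]:
        print(f"{sender or '<empty>':28s} -> {acl_verdict(sender)}")
```

Run as a script it prints the verdict for each constructed sender; the `sends_no_mail` function is the piece that would map onto the ACL condition, and the `skip` branch is what keeps the check from ever firing on bounces.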