Author: W B Hacker Date: To: exim users Subject: Re: [exim] DKIM, Mailing-lists and signing lengths
Ian Eiloart wrote: >
> --On 18 June 2010 16:05:07 -0400 W B Hacker <wbh@???> wrote:
>
>>> The presence of a good signature simply means that you can (a) apply some
>>> kind of reputation assignment to the message on the basis of: (i) the
>>> reputation of the signing domain, and (ii) reputations that might be
>>> applied to the signed content in the context of the signing domain.
>>>
>> That is the intent, certainly. And it is an honourable - even laudable -
>> intent.
>>
>> But the model is 'just flawed enough' to make it insufficiently reliable
>> to accomplish the intended goal 'enough better' than older means to make
>> it worth the not-insignificant extra effort.
>>
>> Enough admins realize that to decide not to bother with the added
>> complexity of just-one-more leaky bandage.
>>
>> The resulting low takeup, in turn means exponentially lower usefulness.
>
> "low takeup"? Last Friday, we accepted 39804 messages for delivery. Between
> them they carried 12685 signatures, of which 11138 verified. That's a
> verified signature for every 3.5 accepted messages. Not terribly low. Of
> course the usefulness increases with increased takeup, so I'm keen to see
> this spread.
>
>
'Pardon him, Theodotus....'
Roughly 32% - just under a third. HOWEVER ... one has to wonder how close the
experience of a University is to the 'general case'.
For example - what percentage of the traffic was intra-U Susses / inter-campus,
or inter-U Sussex and other-UNI.
Same again between/among 'major' ISP. How applicable are their inter/intra
percentages to the wide world of medium and small senders?
.. and - returning to the specific thread issue - just how many of the
good/broken ones - regardless of sending entity size or rank - were from
*Mailing List Manager* software?
>> Worse yet - it attracts enough of the malicious who apply a fake DKIM sig
>> that would not stand proper analysis that it behooves one to *penalize*
>> all DKIM signed arrivals with spam points 'just in case' - that being
>> cheaper than attempting a proper verifications that can fail.
>
> I don't really understand what you're saying here. 87% of the signatures we
> saw on Friday verified. Many of the rest were accompanied by good
> signatures. Yahoo Groups emails often seem to carry a good and a bad
> signature, for example.
13% wrong and/or 'confusing' could very well be a percentage that continues to
track - even if the percentage signed at all were to approach 100%.
A perfectly valid message can fail DKIM sig for any of many reasons - MLM's
adding 'to unsubscribe...' and the like arguably fairly high up on the list.
Hence this thread....
Further, I dispute just how 'useful' it would become even at 100% take-up.
Which is costly - and not necessarily to the alleged beneficiaries.
IF DKIM is to have significant value, 'many' sysadmins on 'many' systems would
have to be configured to participate - MLM's as well as MTA - even if their
usual traffic derives no benefit.
Penalizing the bystanders, so to speak. TANSTAAFL.
That is tantamount to a communications tax imposed on birdsong, and I don't see
it as collectible.
