--On 21 June 2010 19:12:56 -0400 W B Hacker <wbh@???> wrote:
> Ian Eiloart wrote:
>>
>> --On 18 June 2010 16:05:07 -0400 W B Hacker <wbh@???> wrote:
>>
>>>> The presence of a good signature simply means that you can (a) apply
>>>> some kind of reputation assignment to the message on the basis of: (i)
>>>> the reputation of the signing domain, and (ii) reputations that might
>>>> be applied to the signed content in the context of the signing domain.
>>>>
>>> That is the intent, certainly. And it is an honourable - even laudable
>>> - intent.
>>>
>>> But the model is 'just flawed enough' to make it insufficiently reliable
>>> to accomplish the intended goal 'enough better' than older means to make
>>> it worth the not-insignificant extra effort.
>>>
>>> Enough admins realize that to decide not to bother with the added
>>> complexity of just-one-more leaky bandage.
>>>
>>> The resulting low takeup, in turn means exponentially lower usefulness.
>>
>> "low takeup"? Last Friday, we accepted 39804 messages for delivery.
>> Between them they carried 12685 signatures, of which 11138 verified.
>> That's a verified signature for every 3.5 accepted messages. Not
>> terribly low. Of course the usefulness increases with increased takeup,
>> so I'm keen to see this spread.
>>
>>
>
> 'Pardon him, Theodotus....'
>
> Roughly 32% - just under a third. HOWEVER ... one has to wonder how close
> the experience of a University is to the 'general case'.
>
> For example - what percentage of the traffic was intra-U Susses /
> inter-campus, or inter-U Sussex and other-UNI.
None of it was local mail. This isn't my MSA log. In general, the traffic
is from large well known service providers.
>
> Same again between/among 'major' ISP. How applicable are their
> inter/intra percentages to the wide world of medium and small senders?
>
> .. and - returning to the specific thread issue - just how many of the
> good/broken ones - regardless of sending entity size or rank - were from
> *Mailing List Manager* software?
>
>>> Worse yet - it attracts enough of the malicious who apply a fake DKIM
>>> sig that would not stand proper analysis that it behooves one to
>>> *penalize* all DKIM signed arrivals with spam points 'just in case' -
>>> that being cheaper than attempting a proper verifications that can
>>> fail.
>>
>> I don't really understand what you're saying here. 87% of the signatures
>> we saw on Friday verified. Many of the rest were accompanied by good
>> signatures. Yahoo Groups emails often seem to carry a good and a bad
>> signature, for example.
>
> 13% wrong and/or 'confusing' could very well be a percentage that
> continues to track - even if the percentage signed at all were to
> approach 100%.
>
> A perfectly valid message can fail DKIM sig for any of many reasons -
> MLM's adding 'to unsubscribe...' and the like arguably fairly high up on
> the list.
>
> Hence this thread....
>
> Further, I dispute just how 'useful' it would become even at 100% take-up.
>
> Which is costly - and not necessarily to the alleged beneficiaries.
>
> IF DKIM is to have significant value, 'many' sysadmins on 'many' systems
> would have to be configured to participate - MLM's as well as MTA - even
> if their usual traffic derives no benefit.
>
> Penalizing the bystanders, so to speak. TANSTAAFL.
>
> That is tantamount to a communications tax imposed on birdsong, and I
> don't see it as collectible.
>
> At least not from the birds.
>
> ;-)
>
> *snip*
>
> Bill
--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see
http://www.sussex.ac.uk/its/help/
