[ietf-dkim] Not exactly not a threat analysis
mlibbeymail-mailsig at yahoo.com
Wed Aug 24 13:53:39 PDT 2005
>> There's a lot more information available about domain names than about IP
> I disagree.
>> e.g. via whois, via the domain's NS records, etc. This
>> information can be used to bootstrap a reputation in a way that defends
>> against the use of throwaway domains by spammers.
> For throwaway domains whois data is not reliable (and that just like
> with email there is no protection against using somebody else's address)
> and ns servers could simply be default ones provided by domain registrar.
> OR often point to compromised machine (zombie, hacked server, compromised
> dns service, etc) and with changes introduced by Verisign this year they
> can now be quickly (within 15 minutes) changed whenever the compromised
> machine is discovered and filtered (which is exactly what happens to
> phish email used domains I've investigated).
Not sure how this follows. Just because some information associated with
domains is not 100% reliable doesn't mean that there is less information.
The fact that a domain's NS record points to a zombie IP is information -- very
useful information at that. IP addresses do not have perfectly reliable
associated information either (rDNS, throwaway IPs, compromised machines,
misconfigured proxies, multipurpose smtp machines, etc), but this doesn't
make IPs worthless. Savvy anti-high volume email deployers will use any
information they can to make a better decision -- including the lack of