[ietf-dkim] General Feedback loop using DKIM
sager at agitos.de
Fri May 29 00:04:31 PDT 2009
Franck Martin schrieb:
> I'm curious to see if the feedback loop mechanism could be extended
> using DKIM. ...
> This would provide a mechanism similar to FBL but allowing small
> receiving mail systems to participate.
with http://www.dkim-reputation.org we offered automatic FBLs for valid
DKIM signed messages in the following setup from approx. Sept 08 to Jan 09:
- feedback is provided for mails hitting a spamtrap
- destination address of the feedback: I discussed with Murray the use
of an r= entry (there was once a discussion about its use as reporting
address) but since this is not supported I chosed the following: a)
lookup the first public IP in the received header b) lookup an abuse
address in the whois entry of the IP
- the ARF reports contained headers with garbled destination addresses
to hide spamtrap addresses
- trusted signers get ungarbled mails: there is an extended mode,
offered in http://service.dkim-reputation.org that allows the sending of
feedback to registered users (so we have some control). Currently just
Google and Yahoo! wanted to get ARFs from us.
Why using abuse-addresses from the whois? 'Cause I expected that sending
feedback to the signer of the message could mean that I directly help
spammers to do list-washing.
LESSONS LEARNT with this setup:
1) even abuse-addresses in the whois lead to spammers: one wrote an
email to me and asked why content is garbled. I explained that I want to
hide destination addresses. He said he sends identifiers in the email
body that shows the destination address to him, so he removed the
spamtrap address. Maybe as a consequence of this open feedback the
spamtraffic in the spamtraps dropped a bit so I decided to switch open
FBLs off in Jan 09.
2) even datacenter's abuse contacts just forwarded the reports to the
3) ISPs like earthlink.net with a high spam ratio didn't respond to our
offer to send them FBLs (I think they didn't understand the system,
professionality in abuse departments is very different)
we just send ARFs to trusted, manually confirmed feedback addresses
(that were entered in http://service.dkim-reputation.org)
With this experience I think FBLs should be provided to a very coarse
granular entity on the network administration level. Some guys in our
email working group in Germany started http://www.abusix.de that sends
reports based on AS numbers. The according network administrators can
process ARFs (a) more professionally (b) are more likely farest away
from spammers (c) can escalate the processing internally if necessary
(d) would get more reports that can be aggregated and analyzed by
"significant peaks" (e) can take serious actions [McColo].
More information about the ietf-dkim