[ietf-dkim] list vs contributor signatures, was Wrong Discussion
steve at wordtothewise.com
Thu May 27 14:22:42 PDT 2010
On May 27, 2010, at 12:46 PM, Brett McDowell wrote:
> On May 26, 2010, at 11:28 PM, Steve Atkins wrote:
>> I'm pretty sure that ADSP as-is is a bad tool to solve any particular problem.
>> But given it's not being proposed to solve any concrete problem, it's
>> hard to discuss whether there's a better solution.
> Are you deliberately ignoring the data I provided... at your request for data?
Not at all. It's interesting, but it's only marginally related to ADSP.
You're taking data based on a private relationship at a small number of
consumer ISPs, for a very specific subset of mail and using that as
data to directly support a protocol based on self-publication by a large
number of different parties that would be acted upon by more than
just a couple of consumer freemail providers. (If that weren't the
case, there'd be no point in standardising a self-publication approach
such as ADSP).
Additionally, the data you've provided that I've seen isn't that useful
as it only provides one of the four useful numbers in the legitimate vs
phish, rejected by ADSP vs not rejected matrix.
To give you a bit more idea of what I mean by that, I've pulled some
data out of my mailbox, looking at emails that were both legitimate paypal
mail, and which were clear phish emails targeting paypal. For each of
those I worked out whether it would have been accepted or rejected
based solely on ADSP dkim=discardable if they'd been signed when sent.
I'll write up the methodology in a little more detail, but out of my sample
the initial data is:
Legitimate email from paypal:
72% rejected by ADSP
28% not rejected
Phishing emails using "paypal" in the From line:
39% rejected by ADSP
This is based on mail to my mailbox, but other than that it's a pretty
fair sample, if anything it's fairly heavily skewed towards phish emails
that would be rejected by ADSP (as it's based on emails with the string
paypal in the From: line, which includes all phish mail that would be rejected,
but excludes quite a lot of phish mail that wouldn't be).
It's a small sample, but that means I've been able to identify and confirm
manually the status of each email. (It does ignore the fact that Paypal
acquires an awful lot of lookalike domains, partly because that's something
it's hard to analyze after the fact but mostly because "buy every domain in
every TLD that has my company name in it" is not a behaviour that scales
It's also based on sender behaviour before there's significant actual
filtering via ADSP. I would expect less mail, both legitimate and illegitimate,
to be rejected by ADSP as time went on.
That's real data, not theory, for the current state of the paypal related
mailstream as I personally see it. I think I can extrapolate from there
to what'll happen to that specific mail stream were ADSP to be widely
adopted, but that'd be speculation.
>> The original argument was that it would help deal with phishing, but
>> now even the strongest proponents are happy to explain that it will do
>> absolutely nothing to help with phishing
> I'm sorry, I'm not only arguing that it absolutely DOES help with phishing, I've provided real data (vs. theory).
> Steve, I saw you give a presentation in February and I was very impressed by both your technical knowledge and your overall common sense. I consider you both intelligent and wise. But I cannot explain the position you've taken on the ADSP issue on this mail list.
I think DKIM is a Good Thing that should be widely deployed. ADSP is
broken in many respects, and because it's tied to DKIMs mindshare
that brokenness deters DKIM adoption. So I believe that ADSP needs
to be fixed or it needs to be allowed to die.
> What other solutions on top of DKIM would you like to see the Internet adopt instead of ADSP... something open, interoperable, and royalty-free I hope!
I can think of several, and I'd be more than happy to sit down and discuss
them at some point over a beer, but I'm hearing enough grumbling from
the chairs about what's on topic and what isn't already.
 Domain whitelists
operated by FDIC, D&B etc, for real businesses in a particular niche, or
certificates based on vetting, a-la the green bar are two obvious ones,
though. The green bar and extended verification certs is what PayPal
is really relying on to avoid phishing right now, AFAICT. It's simple
and effective and easy for consumers to understand.
More information about the ietf-dkim