[ietf-dkim] ADSP stats
hsantos at isdg.net
Thu Apr 21 02:55:28 PDT 2011
Murray S. Kucherawy wrote:
> There has been no uptake at all in OpenDKIM for ATPS, and almost
> none is apparent with ADSP, although in the latter case our data
> can only give a range for adoption because we don't query when an
> author signature passes. I could tighten that down by running
> five figures worth of TXT queries if we really feel the need to
> be more accurate.
Why not run a series of test where every AUID is looked up?
But if you wish to be more selective, the measures need to show the
value of the DKIM declarations or lack there of and how policy
semantics can be used as an expectation failure. In other words, the
proof of concept. How you fold them depends on how you to break down
the types of violations.
IMV, there are three types of security concerns:
Legacy Domain Mail Abuse
DKIM Adaptation: 1st party signer abuse (facsimiles)
DKIM Adaptation: 3rd party signer abuse
The #1 benefit of DKIM is its potential to immediately impact the
legacy domain mail abuse problem. It addresses the non-DKIM aware
abusers of domain existing today. So measuring messages with no
DKIM-Signature is very useful.
Then you have the adaptation of DKIM abusers and there are two
potential related "Cry Wolf" exploits:
Those trying use 1st party unhandled failure
Those trying use valid 3rd party signers
The first one tries to leverage the uncertainty of DKIM and the second
one tries to water down trust using unrecognized signers that are
displayed to used even if it just says "Signed by: trustme.com"
The hard part of any measures is the exclusivity value of one method
over another. So its not just about measuring how many domains are
using ADSP, but showing the proof of concept in how can DKIM can help
domains by analyzing your statistics.
For example, DNSRBL rejections may be 30%. What if we turned that
off? Could we get the 30% back using DKIM/ADSP? Greylisting does 66%
on our system. Can DKIM/ADSP cover that if Greylisting was disabled?
Same with SPF and so on.
For many system, it is hard to turn off the filters just to get a DKIM
impact measurement and the odds are very good by the time the payload
is accepted, its already good mail or indeterminate.
But if you just want to a grand total of all the domains collected,
just do an initial ADSP for all of them up front. That will allow
you to break it down including asking NON-ADSP what if questions. For
30% are 3rd party signatures.
How many of these are recognized good guy signers?
How many of these are unrecognized signers?
That measurement can start with a text list file of industry trust
vendors and other eye balled well known trusted 3rd party and/or list
Another measurement might be how many of the AUID are signed by
different SDIDs? One AUID has messages always signed by one SDID
versus another AUID with messages signed by many different SDID. Is
there any significant to that? Could that show how as exploited AUID
can use ADSP to protect against multiple SDID signing exploits?
Hector Santos, CTO
More information about the ietf-dkim