Bye Bye Spam and Phishing with DKIM?

ppadala writes "While research from PEW Internet (PDF) shows that few users really are bothered by spam, IETF is supporting a public key cryptographic based e-mail authentication mechanism called DomainKeys Identified Mail (DKIM) Signatures . The new spec is supposed to help in fighting both spam and fraud. From Ars Technica: 'DKIM's precursor, DomainKeys, was originally developed by Yahoo. The specifications for DKIM were then extended by an informal group of IT organizations that included companies like Yahoo, Cisco, EarthLink, Microsoft, and VeriSign, among others. It was first submitted by the group to the IETF in mid-2005, but only recently published by the IETF. The spec is still to be incorporated into a more formal draft and submitted for approval, however.'"

It's only a server validiation solution

[jimpop]

It's only a server validiation solution. DKIM won't stop spam. DKIM will only help validate the identity of the server that is sending you email. Right now I get lots of spam from legitimate Yahoo, Mail.com, and Hotmail servers. DKIM isn't going to stop that it's only going to reinforce what I already know.

Re:It's only a server validiation solution

[MightyMartian]

A quick read of the RFC tells me that this is simply a more computationally-intensive variant of SPF. It still requires rewriting the headers for forwarding, will likely not have the degree of adoption so that anyone in charge of a mail system actually feels confident enough to use it as another weighting factor for testing spam, and still leaves those sitting behind systems that still force users with outside email addresses to use their mail servers. The mere fact that any such system (SPF, DomainKeys or whatever) has to essentially remain completely compatible with older SMTP-based systems means that it really won't solve the problem. The underlying SMTP relay system has problems, and Domain Keys and SPF are just kludgy solutions that really are limited in what exactly they can solve.

few users

spam bothers few users

Dunno about anyone else, but as the admin for our company, I get more complaints about spam than anything other single item I can think of...

Sooooo close... but not going to work.

[NerveGas]

    My initial thought was "Terrific. This really has the potential to eliminate spam." Then I got to looking into the RFC... standard private/public key exchange. But, it allows for individual MUAs to posess the private key, such that they can perform the signature.

    This puts the entire burden of security in the scheme upon the MUA. So any time a machine is infected with the spam-virus of the day, that private key will be sent off to the spammers, who will send out floods of seemingly legitimately-signed email. Instead of just selling valid email addresses to other spammers, they'll sell addresses and domain keys.

    Furthermore, from an administrative perspective, that means that each time one of your user's machines is hacked and the private key compromised, you have to change your public/private keypair, including updating the MUA on *all* of your sender's machines.

    Forcing signing upon the MTAs eliminates much of that work (and hopefully the security exposure), but forces inconvenience on a good number of users. It's a tradeoff I'd be willing to make, but the RFC doesn't seem willing to do so.

Re:Will my ISP Quit Blocking Port 25, Finally?

[mi]

Will my ISP Quit Blocking Port 25, Finally?

If they "protect" your port 25, they are morons, and you should complain or switch the ISP. If they are blocking your attempts to reach other people's port 25, they should be commended.

Your system may be immune, but hordes of "zombies" would be sending spam from your ISP's network. As things stand, the zombies are still infected, but can not send e-mails directly to victims, which throttles the rate a lot.

You can still run a server — just configure your ISP's server as the "smart host". There is no shame in that.

Re:NO it isn't

[jimpop]

"DKIM is a message authentication solution"

OK, the message comes from Hotmail, Mail.com, Yahoo, etc. It's deemed by DKIM to be authentic, yet it is still spam (albeit authenticated spam). All DKIM, and similar solutions, does is to to prevent message and header manipulation in transit. If Yahoo, Mail.com, and Hotmail still allow spammers to sign-up for accounts how does DKIM solve the problem? At best, with full adoption, DKIM can show the world, authentically, who is sending spam. But, you still have a spam problem.

Re:Ah, yes the solution of the week

[gbjbaanb]

From what I've read about it.. my comments:

(x) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers nope, requires no coop from spammers, however you're right in that it requires everybody else to sign up to it. Usually these systems are a pie-in-the-sky 'nice idea', but the difference here is the backing of a standards body which will help takeup. Hopefully, enough implementations will crop up that it snowballs.

The email users bit is just tosh, lose business from where? viagra selling businesses? (x) Armies of worm riddled broadband-connected Windows boxes
(x) Extreme profitability of spam
(x) Joe jobs and/or identity theft
(x) Extreme stupidity on the part of people who do business with spammers
(x) Dishonesty on the part of spammers themselves
(x) Outlook Well, its true that the worms will get round this a little (in that the spammer will not be paying the generate-a-key cost), but it will stop joejobs - this really is the point here. Before, you'd send out a spam with a forged header saying it came from the whitehouse.gov, and when it got filtered and rejected, some poor sod at the whitehouse would receive the spam email that had been bounced from whoever you sent it to. This enables servers to tell if the sender is the sender, and can just delete the spam if it doesn't match.

True, MS isn't on the list, so Outlook may not support it ... pity.

The big problem is the high-takeup of the system, if not recipients will continue to have to check spam using the old familiar tools, and and DKIM-signed mails can be whitelisted as genuine (maybe not from a company you'd like to rceive email from, but at least you'll know for sure who they are).

This seems to solve 2 things that people have always said would fix spam - a small cost of sending a mail, and authenticaton of the sender.

Re:Here we go again...

The annoying thing about these spam forms that show up on Slashdot is that they seemed to be designed to end all debate and spread pessimism. If a plan is 100% perfect, then obviously it's useless, right? Further, most of the boxes you checked are absolute nonsense.

(x) Mailing lists and other legitimate email uses would be affected

Only for very broad interpretations of "affected". I assume what you're looking for is "legitimate email users whose ISPs don't sign messages may have their emails disregarded as spam"? If I've made an incorrect assumption, please correct me, but it's hard to interpret an actual coherent argument from your "form". In any case, if I have made a correct assumption, this all depends on the implementation, and you seem to be assuming that they'll implement this in the most naive way, that immediately we'll start treating all unsigned email as spam.

(x) It will stop spam for two weeks and then we'll be stuck with it

What?

(x) Requires immediate total cooperation from everybody at once

Absolutely 100% false. It simply gives an incoming server the potential for more information: did the message originate from the server it claims, or not? If it doesn't carry this information, no worries. Maybe initially, if an email is unsigned, we'll add 0.1 onto its spam score (using a SpamAssassin type scale). In 5 years, as more email servers jump on the bandwagon, we'll jump that up to 0.5 instead of 0.1. In 60 or 100 years, maybe we'll start filtering out unsigned email entirely. There are a million different ways to make use of this information, and it's dishonest to claim that "everyone has to start using it immediately"

(x) Many email users cannot afford to lose business or alienate potential employers

This is weasely way of say "every single spam solution ever devised is useless, because it might alienate someone". Progress happens. It's up to the business involved to decide how to implement this new strategy. There's always a balance between saving themselves money cutting down on spam and alienating customers. I trust that smart businesses will be able to decide this balance for themselves. It's just giving them another option.

(x) Lack of centrally controlling authority for email

This is a valid criticism. You need a web of trust somewhere. It'll be interesting to see how this plays out. It COULD be done in a decentralized manner, using existing web of trust ideas, but probably some centralized authority will be more appealing.

(x) Huge existing software investment in SMTP

No one's suggesting we get rid of SMTP.

(x) Extreme profitability of spam

What?

(x) Extreme stupidity on the part of people who do business with spammers

So what? We can't get rid of ALL spam. To do so would require that we define spam, which would likely put an end to free speech (in my opinion). If we can significantly reduce the impact of spam, that's pretty good.

(x) Dishonesty on the part of spammers themselves

This is exactly what the system will address. I don't follow you.

(x) Outlook

What? Are you suggesting Outlook will suddenly stop working?

(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical

True. That's too bad. I have hope that some day it might happen, though :)

(x) Whitelists suck

That would be an excellent point if only this system had ANYTHING to do with whitelists.

(x) Why should we have to trust you and your servers?

If I'm inferring from this correctly, you're saying that