Incoming SMTP in the year 2017 and absence of DKIM
Grant Taylor
gtaylor at tnetconsulting.net
Wed Nov 29 20:44:23 UTC 2017
On 11/29/2017 01:17 PM, Michael Thomas wrote:
> Remember: if you treat a broken signature better than lack of signature,
> spammers will just insert phony signatures to game you.
>
> So they really are the same.
Yes, they are /effectively/ the same. However it is possible to
distinguish between a broken DKIM signature and the lack of a DKIM
signature.
What you do with that information is up to you. - Guidelines suggest
that you treat them the same. (Thus them being /effectively/ the same.)
> The real problem with large enterprise that we found, however, is that
> it was really hard to track down every 25 year old 386 sitting in dusty
> corners that was sending mail directly instead of through corpro servers
> to make certain that everything was signed that should be signed. Maybe
> that's gotten better in the last 15 years, but I'm not too hopeful.
I hear you, and I don't disagree with your sentiments about the
difficulty of the matter. However, I find it highly suspect that such
ancient systems are still in use. There may very well be replacements
for said systems that are < 20 years old.
Either way, they would still run afoul of things like SPF (unless you
allow your entire IP space to send email).
There are other security / vulnerability implications of such
infrastructures. - I'd argue that they are motivation enough to
wrangle these rogue systems.
--
Grant. . . .
unix || die
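An added illustration (not part of Grant's or Michael's posts) of the distinction Grant describes: a receiver can tell a broken signature (dkim=fail) from a missing one (dkim=none) in an Authentication-Results header (RFC 8601), yet a sensible scoring policy gives both the same weight, so there is nothing to gain from inserting phony signatures. The header values are constructed samples; the scoring numbers are an assumed local policy.

```python
import re

# Constructed sample Authentication-Results header values (RFC 8601 syntax),
# one per message: valid signature, broken signature, no signature at all,
# and the "dusty 386" case: unsigned AND sent from a host outside the SPF record.
SAMPLE_HEADERS = {
    "signed_ok":  "mx.example.net; dkim=pass header.d=example.com; spf=pass smtp.mailfrom=example.com",
    "signed_bad": "mx.example.net; dkim=fail (body hash did not verify) header.d=example.com; spf=pass smtp.mailfrom=example.com",
    "unsigned":   "mx.example.net; dkim=none; spf=pass smtp.mailfrom=example.com",
    "rogue_host": "mx.example.net; dkim=none; spf=fail smtp.mailfrom=example.com",
}

_RESULT_RE = re.compile(r"\b(dkim|spf)=(\w+)")


def parse_auth_results(header: str) -> dict:
    """Return {method: result} for the dkim/spf entries in one header value.
    Parenthesised comments such as '(body hash did not verify)' are dropped first."""
    body = re.sub(r"\([^)]*\)", "", header)
    return {m.group(1): m.group(2).lower() for m in _RESULT_RE.finditer(body)}


def dkim_state(results: dict) -> str:
    """The receiver *can* distinguish the three cases the thread discusses."""
    r = results.get("dkim", "none")
    if r == "pass":
        return "valid"
    if r == "none":
        return "absent"
    return "broken"  # fail, permerror, temperror, neutral, policy


def dkim_weight(results: dict) -> int:
    """Assumed scoring policy following the guideline the post refers to
    (RFC 6376: a failed signature is treated like an unsigned message):
    'broken' and 'absent' get exactly the same weight, never a penalty or
    bonus relative to each other, so forging a signature buys nothing."""
    return 1 if dkim_state(results) == "valid" else 0


def spf_weight(results: dict) -> int:
    """Assumed policy: an SPF fail is what actually flags the rogue host,
    independently of whether DKIM was present."""
    return -2 if results.get("spf") == "fail" else 0


def score(header: str) -> int:
    """Combined score for one message; higher means more trusted."""
    results = parse_auth_results(header)
    return dkim_weight(results) + spf_weight(results)
```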