Incoming SMTP in the year 2017 and absence of DKIM

Grant Taylor gtaylor at tnetconsulting.net
Wed Nov 29 20:44:23 UTC 2017


On 11/29/2017 01:17 PM, Michael Thomas wrote:
> Remember: if you treat a broken signature better than lack of signature, 
> spammers will just insert phony signatures to game you.
> 
> So they really are the same.

Yes, they are /effectively/ the same.  However it is possible to 
distinguish between a broken DKIM signature and the lack of a DKIM 
signature.

What you do with that information is up to you.  -  Guidelines suggest 
that you treat them the same.  (Thus them being /effectively/ the same.)

> The real problem with large enterprise that we found, however, is that 
> it was really hard to track down every 25 year 
> old 386 sitting in dusty corners that was sending mail directly instead 
> of through corpro servers to make certain 
> that everything was signed that should be signed. Maybe that's gotten 
> better in the last 15 years, but I'm not too hopeful.

I hear you, and I don't disagree with your sentiments about the 
difficulty of the matter.  However, I find it highly suspect that such 
ancient systems are still in use.  There may very well be replacements 
for said systems that are < 20 years old.

Either way, they would still run afoul of things like SPF (unless you 
allow your entire IP space to send email).

There are other security / vulnerability implications of such 
infrastructures.  -  I'd argue that they are motivation enough to 
wrangle these rogue systems.



-- 
Grant. . . .
unix || die
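The distinction Grant draws above (a broken DKIM signature is detectable as a separate state from a missing one, while the guidance is to score them the same so that a phony signature buys a sender nothing) can be checked mechanically. The following is an added example, not code from either poster: it parses RFC 8601 style Authentication-Results values, classifies the DKIM outcome, and includes a small self-check that flags any scoring policy under which attaching a signature that will not verify would lower a message's penalty. The header values, the hostnames and the penalty numbers are constructed for illustration; the function names are the example's own.

```python
"""Classify the DKIM outcome from an Authentication-Results header and make sure the
spam-scoring policy never rewards a broken signature over no signature at all."""
import re
from typing import Callable, Dict

# Constructed sample header values (RFC 8601 syntax); not taken from the thread.
SAMPLES = {
    "valid":    "mx.example.net; dkim=pass header.d=example.com; spf=pass smtp.mailfrom=example.com",
    "broken":   "mx.example.net; dkim=fail (body hash did not verify) header.d=example.com; "
                "spf=pass smtp.mailfrom=example.com",
    "unsigned": "mx.example.net; dkim=none; spf=softfail smtp.mailfrom=example.com",
}

# Matches the leading "method=result" of one resinfo element; trailing
# comments and propspecs such as header.d=... are ignored here.
_RESULT_RE = re.compile(r"^([a-z0-9-]+)=([a-z]+)", re.IGNORECASE)


def parse_auth_results(value: str) -> Dict[str, str]:
    """Return {method: result} from an Authentication-Results field value.

    The first ';'-separated element is the authserv-id and is skipped.
    An empty or absent header yields an empty dict.
    """
    results: Dict[str, str] = {}
    for part in value.split(";")[1:]:
        m = _RESULT_RE.match(part.strip())
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def dkim_state(results: Dict[str, str]) -> str:
    """Three-way classification: the receiver *can* tell broken from absent."""
    result = results.get("dkim", "none")   # no dkim= element at all counts as unsigned
    if result == "pass":
        return "signed-valid"
    if result == "none":
        return "unsigned"
    # fail, permerror, temperror, neutral, policy: a signature was present but did not verify
    return "signed-broken"


def dkim_penalty(state: str, reward_broken: bool = False) -> int:
    """Spam-score contribution for a DKIM state (constructed point values).

    reward_broken=True models the mistake the thread warns about: treating a
    signature that failed to verify more kindly than no signature, which
    invites senders to attach phony signatures.
    """
    if state == "signed-valid":
        return 0
    if state == "unsigned":
        return 2
    return 1 if reward_broken else 2


def policy_is_gameable(penalty: Callable[[str], int]) -> bool:
    """True if attaching an unverifiable signature would lower a sender's penalty."""
    return penalty("signed-broken") < penalty("unsigned")


def classify(header_value: str) -> str:
    """Convenience wrapper: header value -> DKIM state."""
    return dkim_state(parse_auth_results(header_value))


if __name__ == "__main__":
    for label, header in SAMPLES.items():
        state = classify(header)
        print(f"{label:9s} -> {state:14s} penalty={dkim_penalty(state)}")
    print("safe policy gameable?   ", policy_is_gameable(dkim_penalty))
    print("lenient policy gameable?",
          policy_is_gameable(lambda s: dkim_penalty(s, reward_broken=True)))
```

The parser deliberately stops at the first `method=result` token of each element, so comments and property values (`header.d=`, `smtp.mailfrom=`) do not disturb the classification; `policy_is_gameable` is the check worth keeping in a test suite whenever someone adjusts the score table.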
