Thank you John for taking the time to put that together.

On Jun 2, 2010, at 9:44 PM, John Levine wrote:
> I've been saving the DKIM signatures on mail sent to my inbox for
> about the past year, so I did a little analysis on them. There's a
> total of 71,000 signed messages that got to the procmail delivery
> filter, signed by a total of 474 domains. I went through and looked
> up the ADSP records for all of them. I found 51 ADSP records:
>
>    24 dkim=all
>    19 dkim=unknown
>     8 dkim=discardable
>
> A few had t=s but none of the discardables did.
>
> Let's take a look at those eight records. The number on each line is
> the number of messages:
>
>   135 paypal.com dkim=discardable
>    23 paypal.co.uk dkim=discardable
>     7 intl.paypal.com dkim=discardable
>     6 mail.julianhaight.com dkim=discardable
>     4 undp.org dkim=discardable
>     4 info.paypal.com dkim=discardable
>     2 info.paypal.ca dkim=discardable
>     1 info.paypal.co.uk dkim=discardable
>
> Six of them are Paypal, who presumably know what they're doing.
>
> Of the other two, mail.julianhaight.com is Julian's personal domain.
> All of the mail from that domain came through a mailing list, which
> tells us that he didn't follow the advice in RFC 5617.
>
> It appears that undp.org really is a branch of the United Nations, and
> their mail management isn't very good. All four of those messages
> came from the UNDP's mail servers, all four of them had return
> addresses that appear to be individual users at undp.org, and all four
> of them are spam or phish, presumably from botted PCs. Two of the
> DKIM signatures verify, two don't, haven't looked hard enough to tell
> why not, but they were broken when they arrived at my MTA. (Look at
> the spamassassin lines, added at SMTP time.)
>
> They're all in my spam archive, so you can look at them yourself:
>
> http://spample.iecc.com/yjf/21798071
> http://spample.iecc.com/yvh/22631217
> http://spample.iecc.com/oga/22622255
> http://spample.iecc.com/gdx/22039445
>
> Looking at the headers, this mail appears to have taken the same path
> that real user mail would have taken, so discardable is wrong here,
> too. Note that even though the mail is spam, the From: line addresses
> are in the domain of the sending system, so for ADSP purposes, they're
> OK, or would be if the signatures were good.
>
> I admit that this isn't a very big sample, but it does say that of
> all the people who sent me mail in the past year, Paypal is the
> only one who used ADSP discardable in a way that would be
> useful for inbound mail handling.
>
> R's,
> John
> _______________________________________________
> NOTE WELL: This list operates according to
> http://mipassoc.org/dkim/ietf-list-rules.html
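
Added example, not part of the message above or of anyone's code on the list: the ADSP check the thread is about, in Python, parsing `_adsp._domainkey` TXT records and classifying a message by whether a verified signature's d= matches the From: domain. The domains, records, result labels and function names are constructed for illustration; DNS lookup and DKIM verification are assumed to have been done already.

```python
import re
from collections import Counter

PRACTICES = {"unknown", "all", "discardable"}
# RFC 5617: a usable record starts with the lowercase tag "dkim".
_ADSP_RE = re.compile(r"^dkim[ \t]*=[ \t]*([A-Za-z0-9-]+)[ \t]*(?:;|$)")

def parse_adsp(txt):
    """Return the signing practice in an ADSP TXT record, or None if it is ignored."""
    m = _ADSP_RE.match(txt)
    if not m:
        return None
    value = m.group(1).lower()
    return value if value in PRACTICES else "unknown"  # unrecognized values read as unknown

def adsp_result(from_domain, verified_d, records):
    """Classify one message; verified_d lists the d= domains whose signatures verified."""
    author = from_domain.lower()
    if author in {d.lower() for d in verified_d}:
        return "pass"  # an Author Domain Signature is present
    practice = parse_adsp(records.get("_adsp._domainkey." + author, ""))
    return {None: "none", "unknown": "unknown", "all": "fail", "discardable": "discard"}[practice]

# Constructed sample data (assumption; not taken from the message above).
RECORDS = {
    "_adsp._domainkey.pay.example": "dkim=discardable",
    "_adsp._domainkey.personal.example": "dkim=discardable",
    "_adsp._domainkey.shop.example": "dkim=all; t=s",    # trailing tag is skipped
    "_adsp._domainkey.broken.example": "v=1; dkim=all",  # ignored: dkim tag not first
}
# (From: domain, d= domains of signatures that verified at the receiving MTA)
MESSAGES = [
    ("pay.example", ["pay.example"]),         # direct mail, author signature intact
    ("personal.example", ["lists.example"]),  # via a list: author signature broken
    ("shop.example", []),                     # no valid signature at all
    ("broken.example", []),
    ("nopolicy.example", ["esp.example"]),    # third-party signature, no ADSP record
]

def tally(messages, records):
    """Count ADSP outcomes over (from_domain, verified_d) pairs."""
    return Counter(adsp_result(f, d, records) for f, d in messages)

if __name__ == "__main__":
    for f, d in MESSAGES:
        print(f, "->", adsp_result(f, d, RECORDS))
    print(dict(tally(MESSAGES, RECORDS)))
```

The `personal.example` row is the mailing-list case from the thread: a discardable domain whose signature does not survive the list ends up classified as discard even though the mail is legitimate.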
