> I think you are misunderstanding what the dkim reputation means, that it
> is some sort of value judgement for the company or people who own the
> domain.
No, I understand that it's just one of the signals you use, but it is a
very significant one. It wouldn't be a problem if it did not have a large
impact on message delivery.

> If 90% of the messages we see with that DKIM domain are spam, then the
> reputation should trend to 10%.
Correct. The problem here is that disregarding a ton of basic checks allows
attackers to fairly easily deploy such amounts of spam that even a domain
with large amounts of legitimate mail will get its reputation wrecked.

> You want us to have 100% rules like rejecting -all messages.  We don't do
> 100% rules, certainly not for any long term basis.  We mostly ignore -all,
> that's come up on this list multiple times, it's generally the wrong
> choice.  People forward messages, they aren't all DKIM replays.
I don't expect simplistic measures like that from companies like Google.
But you can definitely do A LOT better to detect attacks like this,
especially now that they are drastically increasing in volume, as more and
more spammers are "discovering" this. People do forward messages, but they
are not adding fake Subject: lines on forwarded mail, and legitimate users
follow your own mail guidelines to some degree.


Edgar Vaitkevičius, founder / CEO
ed...@sender.net

On Wed, Mar 2, 2022 at 9:47 PM Brandon Long <bl...@google.com> wrote:

>
>
> On Wed, Mar 2, 2022 at 11:22 AM Edgaras | SENDER <edga...@sender.net>
> wrote:
>
>> > This message was correctly marked as spam.
>>
>> This one was, but there are cases when they go to Primary tab. Sometimes
>> they are moved to junk after delivery.
>>
>> > The DKIM reputation is taking a hit due to the spamming, but that is an
>> accurate assessment on our part, as it is being used for sending spam.
>> They wouldn't be used for that, if you guys would simply reject mail from
>> IPs with no rDNS, or those in SPF -all. Right now it's a huge hole.
>>
>> > A quick glance at some IPs and the Networks from the SBL addresses you
>> listed show very low reputation and lots of blocked messages.
>> I don't know how your filters work on the inside, but it could be a very
>> good signal to detect attacks like this one.
>>
>> > I assume the fact that dkim replay attack spam messages are winding up
>> in the spam labels of our users isn't the actual issue that concerns you.
>> No, that is not the problem. Problem is accepting mail from extremely
>> shady sources and counting that mail as legitimately sent on the victim
>> domain's behalf.
>>
>
> I think you are misunderstanding what the dkim reputation means, that it
> is some sort of value judgement for the company or people who own the
> domain.
>
> What the reputation means is an approximation of the likelihood that a
> message with that feature is spam or not.  If 90% of the messages we see
> with that DKIM domain are spam, then the reputation should trend to 10%.
> We have plenty of other reputation features we apply to the messages as
> well, such as the IP, netblock, ASN, SPF domain and dozens more.
>
> Prior to DKIM replay attacks, the DKIM domain reputation was a good proxy
> for spam source control.  Now, it is not.  It isn't quite as bad as
> "Advertised domain" (ie, domains in the body of the message), where we've
> seen very common domains drop to very low reputation (linkedin.com,
> imgur.com, bit.ly etc come to mind as many year old issues).  SPF and IP
> reputation have always been better proxies for spam source control.
>
> You want us to have 100% rules like rejecting -all messages.  We don't do
> 100% rules, certainly not for any long term basis.  We mostly ignore -all,
> that's come up on this list multiple times, it's generally the wrong
> choice.  People forward messages, they aren't all DKIM replays.
>
> Brandon
>
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
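The "fake Subject: lines" Edgar mentions are the signal a receiver can check for directly: a DKIM signature lists each covered header in its h= tag, and verifiers bind those entries to header instances from the bottom of the message up, so a replayed copy with an extra Subject: prepended still verifies while the unsigned Subject is the one displayed. The following script is an added illustration, not code from either poster or from Gmail; the message it inspects is constructed, with placeholder signature values, and it only counts header instances against the h= tag rather than verifying the signature.

```python
import re
from email import message_from_string

# Constructed sample: a DKIM-signed message replayed after an extra Subject:
# header was prepended.  The h= tag names "subject" once, so the original
# (bottom) Subject remains the signed instance and the signature still verifies,
# while mail clients display the topmost, unsigned Subject.
REPLAYED_MESSAGE = """\
Subject: You won a prize (CONSTRUCTED)
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel; c=relaxed/relaxed;
 h=from:to:subject:date; bh=CONSTRUCTED=; b=CONSTRUCTED=
From: Newsletter <news@example.net>
To: victim@example.org
Subject: Weekly digest
Date: Wed, 2 Mar 2022 10:00:00 +0000

Body text.
"""


def dkim_signed_header_counts(raw: str) -> dict:
    """Return {header_name: times listed in the h= tag of the first signature}."""
    msg = message_from_string(raw)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return {}
    # Tag values are whitespace-insensitive (RFC 6376), so drop folding first.
    tags = dict(t.split("=", 1) for t in re.sub(r"\s+", "", sig).split(";") if "=" in t)
    counts = {}
    for name in tags.get("h", "").lower().split(":"):
        if name:
            counts[name] = counts.get(name, 0) + 1
    return counts


def unsigned_header_instances(raw: str) -> dict:
    """Return {header_name: number of instances NOT covered by the signature}.

    A header present more times than it is listed in h= has unsigned copies at
    the top of the message.  An unsigned Subject or From on a message that
    otherwise verifies is a strong replay indicator; a signer that lists
    "subject" twice in h= (oversigning) makes the same trick break verification.
    """
    msg = message_from_string(raw)
    extra = {}
    for name, signed in dkim_signed_header_counts(raw).items():
        present = len(msg.get_all(name) or [])
        if present > signed:
            extra[name] = present - signed
    return extra
```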