On 13/10/11 14:05, Christian Grunfeld wrote:
>
> I was not specifically talking about dkim signed mails. It is clear
> that body rewriting messes up sigs. It is also clear that phishers don't
> use dkim !
>
Large numbers of spammers use DKIM. We've been under attack for weeks now by some outfit who is buying up old, "clean" IP subnets and using it to spew their non-pharma, really "clean looking" spam onto us - no RBL/SURBL hits for 3-5 *days*, getting scores from 0.5-3.0 - really tough - nothing to write content rules for. All of it DKIM signed and SPF'ed. I ended up building my own RBL just so we could catch it :-(

> and if they do you have the certainty that the originating
> domain has nothing to do with what the content claims to be !...unless
> the phishing comes from the same domain ! (really bizarre) ! :D
>

Well, that's the case for the above-mentioned spam too. All the spam has links to websites that are part of the same domain as the email - running on webservers in the same subnets. :-(

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1