Re: Domain reputation

From: Murray S. Kucherawy <>
Date: Wed, 8 Jun 2011 15:48:42 -0700 (PDT)

On Thu, 9 Jun 2011, Rolf E. Sonneveld wrote:
> I'd be interested in participating in these efforts, both as editor of
> (parts of (some of)) the documents as well as participant in experiments
> with reputation data.

Fantastic! It would help to support the creation of the working group if
you were to post something like that to "domainrep". (I know you're
already subscribed.)

> The data that DKIM provides needs judgement before it can be turned into
> reputation data. The mere fact that a message carries a valid DKIM
> signature doesn't tell whether the d= domain belongs to a good guy or a
> bad guy. What is your vision on that part of the picture, especially in
> the light of what has been discussed before, that is: many sites run AS
> software and the DKIM data comes only from the messages, that passes the
> AS filters. We might be interested also in the messages, that already
> were stopped due to DNSBL's, greylisting etc.

This idea was why I asked a week or more ago about the context in which
OpenDKIM is being run by sites that report statistics to us. It's
important to understand that when making use of the data; any system we
come up with has to include in its definition those premises.

At least at my own server, the anti-spam software doesn't reject spam, but
merely tags it. OpenDKIM can see the tags and reports them alongside the
"d=" domain from a validated message. It's fine for such mail to
actually be rejected as long as it's captured by statistics reporting

This setup allows some simple things like identifying which signing
domains are typically associated with spam, and the intuitive approach
then is to put those on a blacklist. The experiments I'm doing start
there. Correlating that against IP addresses can feed into IP block lists
or RBLs, which are more efficient than DKIM-only systems.

Ultimately, though, I think we can be smarter about this. I don't think
blacklisting at the domain level is helpful at all since signing domains
are discardable, meaning once one attracts a negative reputation it can be
trivially sidestepped. In that sense, a negative domain is basically the
same as no domain.

What I believe domain-level reputation is better for doing is identifying
sources of good mail, and giving them preferential treatment. To do that
in any kind of centralized way, even one database serving a single
organization, we need a protocol to ask the questions and deliver the
answers. That's how I think the two of these things fit together so well.

And, as a final point, the set of "good" domains isn't affected by filters
that reject spam or bad IP addresses, because they aren't on that list
anyway. So basing these experiments on filtered data only means "bad"
sources have already been excluded.

Received on Wed Jun 08 2011 - 22:48:57 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:20:18 PST