[Spambayes] RE: Yahoo's "domain keys" and spam
Ryan Malayter
rmalayter at bai.org
Mon Dec 15 11:15:03 EST 2003
[Seth Goodman]
> IMHO, this code belongs in the MTA's, not in SpamBayes. The
Agreed, the true value of this approach is filtering at the MTA level.
But there must be some method of establishing a "trust level" for
authenticated sending domains, otherwise all the spam-houses will simply
put public keys in their DNS, install the signing feature on their
MTA's, use "real" domains in their messages and continue as before.
SpamBayes could be very useful in maintaining a "statistical trust" list
of domains, which an organization could enforce at the MTA level if they
chose.
> Both the DNS lookup and
> the decryption calculation are very costly in terms of time
> per message, but it may still be worth it. That's your call.
This would be no more costly, really, than establishing an SSL
connection to a web site. The operations required are basically the same
as what Yahoo system would require:
1) DNS lookup
2) a download of a site certificate
3) cryptographic verification of a message
(in the case of SSL, this is the session key used
for the encryption. In the Yahoo case, this
would be verification of the signatures)
The Yahoo verification would also require the calculation of a hash of
several strings from the message header (sending domain, timestamp,
etc.), but this is computationally trivial once the mail message is in
memory.
Connecting to a commercial website via SSL (for example,
https://www.verisign.com), even with nothing in my DNS cache, takes much
less than 1 second over my company's T1. I would guess that performance
of message verification using Yahoo domain keys would be of similar.
Regards,
Ryan
More information about the Spambayes
mailing list