From: Murray S. K. <ms...@se...> - 2007-04-20 00:13:26
Just out of curiosity, I wonder if a few of you could post some statistics like the following when you get a chance:

# fgrep domainkeys= /var/log/maillog | wc -l
53
# fgrep domainkeys=pass /var/log/maillog | wc -l
43
# fgrep dkim= /var/log/maillog | wc -l
12
# fgrep dkim=pass /var/log/maillog | wc -l
11

So modulo any buggy implementations (I know ours has a few at least in libdk) this suggests there's a considerably larger DomainKeys deployment than DKIM (not surprising), but DKIM signatures survive to verification more often; 43/53 for DK is 81% while 11/12 for DKIM is 92%.

Are your statistics similar?

Maybe I should have something in dkim-filter and/or dk-filter that posts daily summaries about signature and success rates or some such. It might also be useful to collect and report data about things like:

- which domains are signing with DKIM
- which DKIM-verified messages are also spam or contain viruses
- failures in each canonicalization mode
From: Mike M. <mi...@ma...> - 2007-04-20 00:36:39
On Thu, Apr 19, 2007 at 05:13:19PM -0700, Murray S. Kucherawy <ms...@se...> wrote:
> So modulo any buggy implementations (I know ours has a few at least in
> libdk) this suggests there's a considerably larger DomainKeys deployment
> than DKIM (not surprising), but DKIM signatures survive to verification
> more often; 43/53 for DK is 81% while 11/12 for DKIM is 92%.
>
> Are your statistics similar?

Not at all similar for me; I seem to see a far higher number of failures than you do, for both:

$ grep -Fc domainkeys= /var/log/mail.log.0
503
$ grep -Fc domainkeys=pass /var/log/mail.log.0
336
$ grep -Fc dkim= /var/log/mail.log.0
71
$ grep -Fc dkim=pass /var/log/mail.log.0
38
$ grep -Fc domainkeys= /var/log/mail.log
363
$ grep -Fc domainkeys=pass /var/log/mail.log
221
$ grep -Fc dkim= /var/log/mail.log
50
$ grep -Fc dkim=pass /var/log/mail.log
27

More interesting data, though:

$ grep domainkeys= /var/log/mail.log | grep -v domainkeys=pass | sed -e 's/.*; \(domainkeys=\)/\1/' | sort | uniq -c
    104 domainkeys=fail
      1 domainkeys=fail (no signature)
      1 domainkeys=fail (no signature) (testing)
     16 domainkeys=fail (testing)
     18 domainkeys=neutral
      3 domainkeys=permerror (bad format)
$ grep dkim= /var/log/mail.log.0 /var/log/mail.log | grep -v dkim=pass | sed -e 's/.*; \(dkim=\)/\1/' | sort | uniq -c
     18 dkim=fail (verification error: invalid key granularity `')
     14 dkim=fail (verification failed)
      3 dkim=neutral
     21 dkim=permerror (bad format)

-- 
Mike Markley <mi...@ma...>
The explanation requiring the fewest assumptions is the most likely to be correct.
- William of Occam
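The pass counts and per-reason breakdown that the grep/sed/uniq pipelines in this thread produce, as an added Python example that is not code from the thread or from dkim-filter: it walks log lines in the "...; mechanism=result (comment)" shape the sed expressions rely on and computes, in one pass, the pass rate and a failure-reason tally for both DomainKeys and DKIM. The sample log lines, host names and queue IDs are constructed.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the thread), in the shape the
# thread's pipelines assume: "...; <mechanism>=<result> (optional comment)".
# The last line mirrors the "no From: or Sender:" log entry discussed later:
# it carries no mechanism=result token and so is not a verification result.
SAMPLE_LOG = """\
Apr 19 09:41:02 mx dk-filter[1201]: l3JGf2AB011201: mx.example.net; domainkeys=pass header.from=a@example.com
Apr 19 09:41:10 mx dk-filter[1201]: l3JGfAAC011202: mx.example.net; domainkeys=fail (testing) header.from=b@example.org
Apr 19 09:42:31 mx dk-filter[1201]: l3JGgVAD011203: mx.example.net; domainkeys=neutral header.from=c@example.net
Apr 19 09:43:05 mx dkim-filter[1311]: l3JGh5AE011204: mx.example.net; dkim=pass header.i=@example.com
Apr 19 09:44:40 mx dkim-filter[1311]: l3JGieAF011205: mx.example.net; dkim=fail (verification error: invalid key granularity `') header.i=@example.org
Apr 19 09:45:12 mx dkim-filter[1311]: l3JGjCAG011206: mx.example.net; dkim=permerror (bad format)
Apr 19 09:48:03 mx dkim-filter[1311]: l3JGlvFD021297: no From: or Sender: header; accepting
"""

# "; dkim=fail (reason)" -> mechanism, result, optional parenthesised comment
RESULT_RE = re.compile(r";\s*(domainkeys|dkim)=(\w+)(?:\s+\(([^)]*)\))?")

def summarize(log_text):
    """Return {mechanism: {"total": n, "pass": n, "failures": Counter}}."""
    stats = {}
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m:
            continue  # not a verification result line
        mech, result, comment = m.groups()
        entry = stats.setdefault(mech, {"total": 0, "pass": 0, "failures": Counter()})
        entry["total"] += 1
        if result == "pass":
            entry["pass"] += 1
        else:
            # keep the comment so distinct failure causes are tallied separately
            entry["failures"][result + (f" ({comment})" if comment else "")] += 1
    return stats

def pass_rate(stats, mech):
    """Whole-percent pass rate for one mechanism, or None if it never appeared."""
    e = stats.get(mech)
    return None if not e or not e["total"] else round(100.0 * e["pass"] / e["total"])

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for mech, e in sorted(s.items()):
        print(f"{mech}: {e['pass']}/{e['total']} pass ({pass_rate(s, mech)}%)")
        for reason, n in e["failures"].most_common():
            print(f"  {n:4d} {mech}={reason}")
```

Point it at a real maillog by replacing SAMPLE_LOG with the file's contents; lines that carry no mechanism=result token are skipped rather than counted as failures.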
From: Murray S. K. <ms...@se...> - 2007-04-20 00:43:52
On Thu, 19 Apr 2007, Mike Markley wrote:
> $ grep dkim= /var/log/mail.log.0 /var/log/mail.log | grep -v dkim=pass | sed -e 's/.*; \(dkim=\)/\1/' | sort | uniq -c
> 18 dkim=fail (verification error: invalid key granularity `')

This is caused by "g=" having different semantics between DK and DKIM, and people using the same keys for both. An empty "g=" under DK meant "match anyone" while under DKIM it means "match nobody". What's being reported there is that someone tried to use such a key with a DKIM signature.

> 21 dkim=permerror (bad format)

These mean the headers were sufficiently malformed that dkim-filter either couldn't find a sender header of some kind (Sender: or From:), or it found such but couldn't extract a useable value from it. Probably spam or a virus.
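The "g=" mismatch described in this message, as an added Python illustration (not code from dkim-filter, libdk or the thread): it applies the DomainKeys and the DKIM reading of the g= tag to one shared key record, so that an empty g= is accepted under DK and rejected under DKIM. The key records are constructed placeholders; the matching rules follow RFC 4870 (DomainKeys) and RFC 4871 (DKIM).

```python
import re

# Pitfall from the thread: one DNS key record is published for both
# DomainKeys and DKIM, but the two specs read an empty "g=" differently.
# DomainKeys (RFC 4870): absent or empty g= lets any local-part use the key;
# a non-empty value must match the sending address's local-part exactly.
# DKIM (RFC 4871): g= defaults to "*"; a single "*" wildcard matches any run
# of characters; an empty g= matches no address at all.

def parse_key_record(txt):
    """Split a tag=value key record into a dict, preserving empty values."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def dk_granularity_ok(tags, local_part):
    """DomainKeys rule: empty/absent g= matches anyone, otherwise exact match."""
    g = tags.get("g", "")
    return g == "" or g == local_part

def dkim_granularity_ok(tags, local_part):
    """DKIM rule: absent g= is "*", empty g= matches nobody, one "*" allowed."""
    g = tags.get("g", "*")
    if g == "":
        return False
    if g.count("*") > 1:
        return False  # RFC 4871 permits at most one wildcard
    pattern = "^" + "(.*)".join(re.escape(part) for part in g.split("*")) + "$"
    return re.match(pattern, local_part) is not None

# Constructed records with placeholder public keys, not from any real zone.
DK_STYLE_RECORD = "k=rsa; g=; p=MIGfMA0G...PLACEHOLDER"        # DK-era empty g=
DKIM_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0G...PLACEHOLDER"       # g= omitted -> "*"

if __name__ == "__main__":
    shared = parse_key_record(DK_STYLE_RECORD)
    # Same record, two answers: this is the "invalid key granularity `'" case.
    print("DK   accepts shared key for 'alice':", dk_granularity_ok(shared, "alice"))
    print("DKIM accepts shared key for 'alice':", dkim_granularity_ok(shared, "alice"))
```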
From: Ben L. <BL...@ch...> - 2007-04-20 00:58:12
These are my daily spamassassin stats, and are a good representation of the average verification rates:

BAYES found 7112 times.
KAM_ found 1801 times.
SPF_PASS found 1708 times.
TVD_ found 863 times.
DCC_CHECK found 3873 times.
DKIM_VERIFIED found 209 times.
DK_SIGNED found 703 times.
DK_VERIFIED found 337 times.
SPF_HELO_PASS found 634 times.
SARE_ found 1588 times.
RAZOR2_CHECK found 3666 times.
DKIM_SIGNED found 250 times.
PYZOR_CHECK found 2454 times.

DK: 48%
DKIM: 84%

To be fair, though, I do have a virus scanning milter that injects a new header, so any DomainKeys signed email that doesn't have a h= will fail automatically on my system.
From: Murray S. K. <ms...@se...> - 2007-04-20 00:59:15
On Thu, 19 Apr 2007, Ben Lentz wrote:
> To be fair, though, I do have a virus scanning milter that injects a new
> header, so any DomainKeys signed email that doesn't have a h= will fail
> automatically on my system.

That's definitely an area where older DK implementations are vulnerable.
From: Ben L. <BL...@ch...> - 2007-04-20 01:01:40
----- Original Message -----
*From:* "Murray S. Kucherawy" <ms...@se...>
*To:* dkim-milter general discussion <dki...@li...>
*Sent:* 04/19/2007 8:59:10 PM -0400
*Subject:* [dkim-milter-discuss] DKIM/DK statistics

> That's definitely an area where older DK implementations are vulnerable.
>
> Thank god that (h=) became a mandatory part of the DKIM spec!
From: Dick St.P. <stp...@ne...> - 2007-04-20 01:02:20
Murray S. Kucherawy writes:
> Just out of curiosity, I wonder if a few of you could post some statistics
> like the following when you get a chance:
>
> # fgrep domainkeys= /var/log/maillog | wc -l
> 53
> # fgrep domainkeys=pass /var/log/maillog | wc -l
> 43
> # fgrep dkim= /var/log/maillog | wc -l
> 12
> # fgrep dkim=pass /var/log/maillog | wc -l
> 11
>
> So modulo any buggy implementations (I know ours has a few at least in
> libdk) this suggests there's a considerably larger DomainKeys deployment
> than DKIM (not surprising), but DKIM signatures survive to verification
> more often; 43/53 for DK is 81% while 11/12 for DKIM is 92%.
>
> Are your statistics similar?

loghost# grep domainkeys= /var/log/messages | wc -l
1262
loghost# grep domainkeys=pass /var/log/messages | wc -l
977
loghost# grep dkim= /var/log/messages | wc -l
144
loghost# grep dkim=pass /var/log/messages | wc -l
49

So I'm seeing 77% pass for DK and only 34% pass for DKIM.

sendmail 8.13.8
dkim-filter 0.6.3

-- 
Dick St.Peters, stpeters@NetHeaven.com
From: Mike M. <mi...@ma...> - 2007-04-20 01:06:15
On Thu, Apr 19, 2007 at 05:43:47PM -0700, Murray S. Kucherawy <ms...@se...> wrote:
> > 18 dkim=fail (verification error: invalid key granularity `')
>
> This is caused by "g=" having different semantics between DK and DKIM, and
> people using the same keys for both. An empty "g=" under DK meant "match
> anyone" while under DKIM it means "match nobody". What's being reported
> there is that someone tried to use such a key with a DKIM signature.

Indeed; it appears that not everyone's gotten the word.

> > 21 dkim=permerror (bad format)
>
> These mean the headers were sufficiently malformed that dkim-filter either
> couldn't find a sender header of some kind (Sender: or From:), or it found
> such but couldn't extract a useable value from it. Probably spam or a
> virus.

Indeed, most appear to be spam, at a glance. I might be missing something on one, though. It forged asd...@eb... in the envelope, and has no DKIM-Signature header. This did get logged:

Apr 19 09:48:03 highhopes dkim-filter[16154]: l3JGlvFD021297: no From: or Sender: header; accepting

So I'm not quite sure how that qualifies as a DKIM error (since ebay.com's TXT policy has t=y; o=~), unless dkim-milter has stripped the bogus signature (which it doesn't look like it does).

Anyway, just qualifying the results :). Not all of the failures in my case were of a nature that's useful when considering adoption or survivability of signatures.

-- 
Mike Markley <mi...@ma...>
It's easier to wear the spandex than to do the crunches.
- David Lee Roth
From: Murray S. K. <ms...@se...> - 2007-04-20 01:09:06
On Thu, 19 Apr 2007, Mike Markley wrote:
> Indeed, most appear to be spam, at a glance. I might be missing
> something on one, though. It forged asd...@eb... in the envelope,
> and has no DKIM-Signature header. This did get logged: Apr 19 09:48:03
> highhopes dkim-filter[16154]: l3JGlvFD021297: no From: or Sender:
> header; accepting

dkim-filter never sees the envelope, so that's not relevant. The "no From: or Sender: header" means those were actually not present (i.e. they never came into the filter via the mlfi_header() callback).

Do you still have that message?

> So I'm not quite sure how that qualifies as a DKIM error (since
> ebay.com's TXT policy has t=y; o=~), unless dkim-milter has stripped the
> bogus signature (which it doesn't look like it does).

I doubt it even checked that policy, but I can't recall off the top of my head. If the message is that malformed, it should just skip the rest of all the DKIM activity altogether.
From: Mike M. <mi...@ma...> - 2007-04-20 01:21:36
On Thu, Apr 19, 2007 at 06:08:59PM -0700, Murray S. Kucherawy <ms...@se...> wrote:
> Do you still have that message?

Attached.

-- 
Mike Markley <mi...@ma...>
Everyone is entitled to an informed opinion.
- Harlan Ellison
From: Murray S. K. <ms...@se...> - 2007-04-20 01:37:17
On Thu, 19 Apr 2007, Mike Markley wrote:
>> Do you still have that message?
>
> Attached.

(Based on off-list e-mail exchanges...)

This is what the MTA does when it gets a message with no headers at all; it adds a From: based on the envelope sender, and a Date: based on the current date and time. (Depending on your sendmail.cf it may also add an Apparently-To:, etc.) However, dkim-filter only gets fed those headers which arrived via SMTP, not the ones sendmail implicitly adds. Thus, it never saw any From: header, hence the error message you saw in your logs.
From: Mark M. <Mar...@ij...> - 2007-04-20 20:56:39
Murray S. Kucherawy writes:
> Just out of curiosity, I wonder if a few of you could post some statistics
> like the following when you get a chance:
[...]
> So modulo any buggy implementations (I know ours has a few at least in
> libdk) this suggests there's a considerably larger DomainKeys deployment
> than DKIM (not surprising), but DKIM signatures survive to verification
> more often; 43/53 for DK is 81% while 11/12 for DKIM is 92%.
>
> Are your statistics similar?

Since April 1 2007 till today (April 20):

checked by the Mail::DKIM module, which covers both the DK and the DKIM signatures:

$ pcregrep 'DKIM_VERIFIED' /var/log/amavisd.log | wc -l
10625
$ pcregrep 'DKIM_SIGNED' /var/log/amavisd.log | wc -l
15596

checked by Mail::DomainKeys, which deals with DK only:

$ pcregrep 'DK_VERIFIED' /var/log/amavisd.log | wc -l
5666

indicating that 53% of verified signatures are DK, and 47% of verified signatures are signed by DKIM.

Here is another interesting aspect:

pcregrep 'DKIM_VERIFIED' /var/log/amavisd.log | \
  pcregrep 'Passed (CLEAN|BAD-HEADER)' | wc -l
8591
pcregrep 'DKIM_SIGNED' /var/log/amavisd.log | \
  pcregrep 'Passed (CLEAN|BAD-HEADER)' | wc -l
13268
pcregrep 'DKIM_VERIFIED' /var/log/amavisd.log | \
  pcregrep '(Passed|Blocked) SPAM' | wc -l
2042
pcregrep 'DKIM_SIGNED' /var/log/amavisd.log | \
  pcregrep '(Passed|Blocked) SPAM' | wc -l
2311

indicating that 19% of verified mail is spam! (either posted through yahoo, gmail, through kitted domains, or (less often) from genuine permanent domains).

The light side of the coin:

  100 * (DKIM_VERIFIED-and-clean) / (DKIM_SIGNED-and-clean) =
  = 100*8591/13268 = 65%,

i.e. 65% of signed clean mail verifies.

And the dark side of the coin:

  100 * (DKIM_VERIFIED-spam) / (DKIM_SIGNED-spam) =
  = 100*2044/2311 = 88.5%

of signed spam verifies! (mostly kitted domains and yahoo)

Mark