Mission

Mission of DKIM Reputation project

The DKIM Reputation Project collects the identities of spammers, in particular those sending DKIM-valid mail to the spam traps we process. We provide the reputation data to any anti-spam project for inclusion in spam-filter chains as one more spam-filter criterion.

How is the reputation data collected and built?

A spam hit first reduces the reputation of the sender address, and the reputation becomes more negative as further spam hits follow. In each time period the negative reputation decays, and it becomes neutral again after some days. Domain reputations normally aren't reduced if there are only a few spammers inside a mail domain. If there are too many spam-sending addresses (many one-hit addresses), the domain is considered a spam domain and its reputation becomes negative as well. Please see "I am a big ISP and I fear you could block my ISP domain" below in this context.

Who can use the collected data?

Anyone who provides anti-spam services (free or commercial); just ask us. At present we export users/domains with 1st-party signatures to Karmasphere and provide our full data (1st- and 3rd-party signatures) as a DNS blacklist. Read more about how to use the reputation data.
What’s so special about DKIM identities?

First, we give an overview over classes of spam filter criteria:

(a) there are content filtering techniques that check for typical spam words, URLs that lead to known spam websites, invalid email formats or known fingerprints of spam mail bodies;
(b) there are delivery source filtering methods that currently check for invalid sending IPs.

Checking DKIM identities belongs to class (b). There are the following advantages in comparison to IP checks:

IP checks are rather coarse: there is no way to detect a single spammer inside an otherwise valid IP block. DKIM identities refer to domains and can be related to single users by heuristics, so filtering by DKIM identities is more fine-grained.

IPs are easy for spammers to get, nearly for nothing (consider botnets). Domains, by contrast, cost some money, and using foreign domains is hard: it is complicated for spammers to manipulate another party's DNS data in order to use that domain for DKIM spamming. That means DKIM raises the hurdle one step higher for spammers, and DKIM identities have a longer-lasting lifetime.

With DKIM reputations I can stop known DKIM spammers, but what's the advantage for good DKIM senders?

There is only an advantage for good senders if their mail gets a higher score (i.e. more reliable delivery); the preconditions are (a) a valid DKIM signature and (b) no hit in the DKIM reputation database. We think you don't do anything wrong if you give a slightly better score to good DKIM senders, but we warn against increasing this value too much. We are thinking about adding positive reputation for some senders that we have detected to be good senders. The important point is: although there are some whitelisted senders, we must keep checking their mail traffic to react to dynamically changing bad behaviour.

There is another point we will reconsider when the rate of DKIM-signed incoming mail increases: instead of raising scores for valid and non-blacklisted DKIM senders, the score for non-authenticated mail could be decreased. This creates more pressure on good senders to switch to authenticated mail and reduces the false positives, i.e. non-authenticated spam landing in the users' inbox. With this precondition, DKIM-signed good mail could get the status of premium mail with a higher delivery probability, while senders of DKIM-signed bad mail could be excluded more effectively.

What do I have to do to sign correctly?

In any bigger network there are internet servers that send spam, directly or indirectly. As an example, we regularly check mail that comes from our own servers and detect spam that is sent through misused customer web forms over our mail server to external mail servers. In these cases it is necessary to ensure a unique identity for each customer in the DKIM signatures. There is a d= tag in the DKIM signature that specifies the signing domain (e.g. @isp.tld) and an i= tag that specifies a unique DKIM identity. You could write customerId@isp.tld into i= to ensure that this identity is the one published to DKIM filters on user level, no matter which From or Sender header was set by the sending mail client.

The following example shows the problem of not using the i= parameter:

From: SYLVIE KOCHEM
Sender: Google Agenda
Subject: *****SPAM***** [Invitation] SALES OFFER !!! ALLUVIAL GOLD DUST – dim. 6 avr. 8am – 9am ()
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=google.com; s=beta;
h=domainkey-signature:mime-version:message-id:date:reply-to:sender:received:subject:from:to:content-type;
bh=lOkN2uN/X87qRMFobwiTNSnZALf7JvqL20dPBFWc/xo=;
b=L2sOv2hxv0gJsFS1QOqCk2koCBBvduQbB5yvdiCvuSwOUEgNxPdOBMj6LU4NZRyjuGlWH4mc9Sx3XkhwsoFPDA==
Authentication-Results: dkim=pass header.i= calendar-notification@google.com
[…]

Attention: let me start by introducing myself to you properly. I am Chief Kwabina
Ashanti, from Ghana- West Africa, i am a GOLD merchant, i own a local gold
mining company. And the reason why i am contacting you is simply because
our company, in the last couple of months has lacked mining & refining
machinery, and as a result the company can no longer produce in large quantity.

[…]

In this case the Sender header is used as the identity (header.i=calendar-notification@google.com), but the reputation project won't blacklist such a common address. If google.com instead used per-user identifiers in the DKIM-Signature header (e.g. i=kochem.sylvie2), we could register a more precise user-level spam hit.
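
The following is an added example (not the project's own code) showing how a filter derives the reputation key from a DKIM-Signature: i= defaults to "@" plus the d= domain when the signer leaves it out, so without a per-user i= a hit can only be booked against the whole domain. The two sample signatures and their bh=/b= values are constructed placeholders.

```python
import re

def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs.

    Folding whitespace inside values is dropped, as a verifier does before
    interpreting the tags; tag values cannot contain ';' so splitting on it is safe.
    """
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def signing_identity(header_value: str) -> dict:
    """Derive the identity a reputation lookup would key on.

    i= (the agent/user identifier) defaults to "@" + d= when absent, which is
    the situation on this page: the hit can only be booked against the whole
    signing domain (or a shared address), not a single user.
    """
    tags = parse_dkim_tags(header_value)
    if "d" not in tags:
        raise ValueError("DKIM-Signature without d= tag")
    d = tags["d"].lower()
    i = tags.get("i", "@" + d).lower()
    local, _, idomain = i.rpartition("@")
    # The i= domain must be d= itself or a subdomain of it; anything else
    # is not a valid signature and must not be used as a reputation key.
    if idomain != d and not idomain.endswith("." + d):
        raise ValueError(f"i= domain {idomain!r} is outside d= {d!r}")
    return {"domain": d, "identity": i, "user_level": bool(local)}

# Constructed sample signatures (bh=/b= values are placeholders, not real hashes).
SIGNATURE_WITHOUT_I = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; "
                       "h=from:to:subject; bh=AAAA=; b=BBBB==")
SIGNATURE_WITH_I = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=isp.tld; s=mail; "
                    "i=customer42@isp.tld; h=from:to:subject; bh=AAAA=; b=BBBB==")

if __name__ == "__main__":
    for sig in (SIGNATURE_WITHOUT_I, SIGNATURE_WITH_I):
        print(signing_identity(sig))
```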

Another question is whether you should answer non-authenticated mail with an authenticated response. We get lots of false spam hits from "Delivery Status Notifications" that are sent out with a DKIM signature in reply to a forged sender address (in our case a spam trap address). We doubt that it makes sense to send authenticated responses to non-authenticated senders, at least for auto responders. SpamCop agrees with this position.

False positives hurt in the DKIM Reputation Project; what can be done about them?

The fact that DKIM identities have a longer lifetime across several messages means that erroneously blacklisting a sender that is actually not spamming has a bigger negative impact. In our system the reputation curve of a spamming address is linear and continuously returns to "neutral" after 100 days. For this period of time we keep the referenced spam mail as proof in our database. If you contact us for a detailed examination of a spam hit, we can review and re-rate it. At present our traffic is low, so we don't need an automated process for this.

Important: one problem with blacklists is that they get copied from one to another. We emphasize that revocation of a reputation entry can only work properly if the data is synchronized frequently with our data source.

I am a big ISP and I fear you could block my ISP domain, is this a valid concern?

Yes: with more and more user hits inside a mail domain, the reputation of the domain starts to become worse. For large mail domains (e.g. the top 10 000 domains) we compensate for this effect by measuring the share of these domains in global mail traffic. With this information we forgive more spammers per large domain than we accept for smaller mail domains.

I am an ISP, can you inform us if there is a spam hit under my signing domain?
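
As an added illustration (not the project's own implementation) of the scoring model described on this page, the store below keeps per-address hits that decay linearly to neutral over 100 days, and only turns a domain negative once more of its addresses are spamming than an allowance that grows with the domain's share of global traffic. The 100-day period is the page's; the penalty and allowance constants, the sample domains and the traffic shares are assumptions.

```python
from collections import defaultdict

DECAY_DAYS = 100               # from the page: a hit decays linearly to neutral after 100 days
HIT_PENALTY = 1.0              # assumed: reputation lost per fresh spam hit
BASE_ALLOWANCE = 2             # assumed: spamming addresses any domain is forgiven
ALLOWANCE_PER_PERCENT = 1.0    # assumed: extra forgiven addresses per percent of global traffic

class ReputationStore:
    def __init__(self):
        self._hits = defaultdict(list)   # identity -> days on which spam hits were recorded

    def record_hit(self, identity: str, day: int) -> None:
        self._hits[identity.lower()].append(day)

    def address_score(self, identity: str, today: int) -> float:
        """0.0 is neutral; every hit younger than DECAY_DAYS contributes a negative
        amount that shrinks linearly with age, so repeated hits stack."""
        score = 0.0
        for day in self._hits.get(identity.lower(), []):
            age = today - day
            if 0 <= age < DECAY_DAYS:
                score -= HIT_PENALTY * (1 - age / DECAY_DAYS)
        return score

    def spamming_addresses(self, domain: str, today: int) -> int:
        """Number of addresses in the domain whose reputation is currently negative."""
        suffix = "@" + domain.lower()
        return sum(1 for ident in self._hits
                   if ident.endswith(suffix) and self.address_score(ident, today) < 0)

    def domain_score(self, domain: str, today: int, traffic_percent: float) -> float:
        """Neutral while only a few addresses in the domain are spamming; negative once
        the count exceeds an allowance that grows with the domain's share of global traffic."""
        allowance = BASE_ALLOWANCE + ALLOWANCE_PER_PERCENT * traffic_percent
        excess = self.spamming_addresses(domain, today) - allowance
        return 0.0 if excess <= 0 else -excess

if __name__ == "__main__":
    store = ReputationStore()
    for n in range(3):                     # three one-hit addresses in each constructed domain
        store.record_hit(f"bot{n}@small.example", day=0)
        store.record_hit(f"bot{n}@bigisp.example", day=0)
    print(store.address_score("bot0@small.example", today=50))                 # -0.5
    print(store.domain_score("small.example", today=0, traffic_percent=0.0))   # -1.0
    print(store.domain_score("bigisp.example", today=0, traffic_percent=5.0))  # 0.0
```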

Yes, we'd like to inform those who are responsible for DKIM signatures about spam coming from their network. We want to offer this as a special service to registered users of our system.

At the moment this service is still under development, but you can already register with our open service tool to find out whether your emails are signed correctly.