----- Original Message -----
From: "Douglas Otis" <dotis(_at_)mail-abuse(_dot_)org>
I suspect a significant constituency of users would desire
such freedom, while also appreciating improved protections.
How about the rights of the server? of the domain owner?
The US just got slammed with the new version of the SOBER e-virus spoofing
of the FBI.GOV domain.
If the FBI.GOV would used SPF or DKIM, it would of protected itself as a
deterministic method. The VIRUS would not got gotten its FOOT in the door
to be passed to USERS with your "take the first strike" ideas.
FWIW, for our WCSAP customers, they were protected via CBV (Call back
Verifier). We even were protected with a broadcast to our
Example rejection log!
0051122 00:16:05 version : 2.05 / 1.62
0051122 00:16:05 calltype : SMTP
0051122 00:16:05 ip address : 18.104.22.168
0051122 00:16:05 helo : mvnyqv.gov
0051122 00:16:05 mail from : department(_at_)fbi(_dot_)gov
0051122 00:16:05 rcpt to : sales(_at_)santronics(_dot_)com
0051122 00:16:06 sapcbv : total mx records: 1
0051122 00:16:06 try mx : smtp00.fbi.gov ip: 22.214.171.124
0051122 00:16:06 # connecting to 126.96.36.199
0051122 00:16:14 S: 220 ****00**********************
0051122 00:16:14 C: NOOP WCSAP v2.05 Wildcat! Sender Authentication
0051122 00:16:14 S: 502 Error: command not implemented
0051122 00:16:14 C: HELO mail.winserver.com
0051122 00:16:14 S: 250 smtp00.fbi.gov
0051122 00:16:14 C: MAIL FROM:<>
0051122 00:16:19 S: 250 Ok
0051122 00:16:19 C: RCPT TO:<department(_at_)fbi(_dot_)gov>
0051122 00:16:19 S: 550 <department(_at_)fbi(_dot_)gov>: Recipient address
This service is temporarily unavailable. Please
contact the recipient via other means.
0051122 00:16:19 C: QUIT
0051122 00:16:19 sapcbv : 550
0051122 00:16:19 smtp code : 550
0051122 00:16:19 reason : Rejected by WCSAP CBV
We got about 15 to 20 of these that I can see in my logs in the last two
Sorry, Doug, with your ridiculous idea and your rejection to use
deterministic methods, the harm would be MUCH GREATER across the board, by
passing the buck to the user.
Folks, lets get rolling with this stuff. I hope we are trying to cater TOO
much to the direct marketing association with a lean towards "user consent"
methods. I'm not against remove the rights of DMA. They have a right to
do business - AFTER the technical consistency of the transactions are
validated. It is to the DMA market best interest that they promote more
deterministic methods so the automated software can reduce the bad actors
promoting harm to systems, domains and end-users and we want to do this with
the UTMOST backward compatible matter. We need a simple DKIM+SSP idea that
even the FBI can use!!!
Hector Santos, Santronics Software, Inc.
ietf-dkim mailing list