While I agree with Sam's analysis, there are additional controls possible
that should be mentioned:
1) The ISP has categorical proof that the message was sent by the identified
This provides the ISP with a way of being able to determine whether
or not a complaint made against a user is genuine or the result of
2) Users who need to send mission critical messages that must get through
have a means available.
False positives are not equal in importance. An Internet consultant
specializing in say being an expert witness in Internet crime cases would be
rather upset if their response to an RFP did not get through because it was
blackholed on an RBL. Such a user or any enterprise who needs to get their
message through has a means available.
3) A replay message cannot be modified without breaking the signature, which
thus serves as an effective blacklist.
If we know that the message comes from ISP X, which allows no more
than 50 messages an hour, and we see 2,000 in a minute, we know that a spam
run is in progress.
4) An overt act of fraud has been committed in contravention of CAN-SPAM and
A replay attack is a criminal act of fraud. That provides subpoena
5) A phishing message from anybank(_at_)yahoo(_dot_)com is not exactly
[mailto:owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Sam
Sent: Thursday, February 10, 2005 4:43 PM
To: John Levine
Cc: ietf-mailsig(_at_)imc(_dot_)org; fenton(_at_)cisco(_dot_)com
Subject: Re: MASS Security Review document
"John" == John Levine <johnl(_at_)iecc(_dot_)com> writes:
John> Most of it's pretty good, but section 4.1 on replay
John> just wrong. It misunderstands what signatures do.
I've just reread it. I think everything in section 4.1 is
correct and accurate.
You may not know how to solve the problem; you may know that
you cannot solve the problem. However, it is a real problem
and it will have the effects described in Russ's draft.
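The rate-based replay check sketched in point 3 of the reply above (a signed message that arrives far more often than the signing ISP's per-user sending limit allows is a replay run, and since the replay cannot alter the signed content, the signature itself can be blacklisted), written out as an added example; it is not code from this thread or from any MASS draft, and the domain name, the 50-per-hour policy table, the field names and the sample stream are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed policy table (assumption): how many messages the signing ISP
# lets a single sender emit per window. The page's "ISP X, 50 an hour" case.
RATE_LIMITS = {"isp-x.example": (50, timedelta(hours=1))}


class ReplayDetector:
    """Count copies of each distinct signed message per signing domain.

    A replayed message keeps its original signature (it cannot be changed
    without breaking the signature), so (domain, signature) identifies one
    signed message across all its copies. Once the copies seen inside the
    ISP's window exceed the ISP's own sending limit, that signature is
    blacklisted and every further copy is rejected outright.
    """

    def __init__(self, rate_limits):
        self.rate_limits = rate_limits
        self.seen = defaultdict(deque)   # (domain, sig) -> arrival timestamps
        self.blacklist = set()

    def observe(self, ts, domain, sig):
        """Return True if this copy should be rejected as a replay."""
        key = (domain, sig)
        if key in self.blacklist:
            return True
        limit, window = self.rate_limits.get(domain, (None, None))
        if limit is None:                # no policy known: cannot judge
            return False
        arrivals = self.seen[key]
        arrivals.append(ts)
        while arrivals and ts - arrivals[0] > window:   # slide the window
            arrivals.popleft()
        if len(arrivals) > limit:        # more copies than the ISP permits
            self.blacklist.add(key)
            return True
        return False


def run_sample():
    """Constructed stream: 2,000 copies of one signed message in one minute."""
    det = ReplayDetector(RATE_LIMITS)
    base = datetime(2005, 2, 10, 16, 43)
    sig = "constructed-signature-value"
    accepted = rejected = 0
    for i in range(2000):
        ts = base + timedelta(milliseconds=30 * i)      # all within 60 s
        if det.observe(ts, "isp-x.example", sig):
            rejected += 1
        else:
            accepted += 1
    return accepted, rejected
```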