John R Levine wrote in response to me:
My point is, when coupled with a message replay, it doesn't need to
remail and sign a lot of spam. The mailing list can be a mechanism for
a spam message to gain a signature which is then replayed to a *lot* of
addresses (not just list subscribers). I'm concerned that there might
be enough potential damage to a domain's reputation to make people think
twice about hosting a mailing list. I'm not sure what the answer is
here; perhaps mailing lists need to (somehow) take weaker responsibility
for messages that pass through them.
There's a related attack that actually worries me more. Suppose someone
sends some spam to (for example) an ietf.org mailing list, where it gets
[re-]signed. If this message is replayed widely, it looks like ietf.org
is generating lots of spam, and it didn't even come from a user with an
Uh, that's how it's supposed to work. If ietf.org manages their mail
system so poorly that they remail and sign a lot of spam, they deserve
whatever poor reputation that earns them. If recipients, for their own
reasons, want to accept mail from that domain anyway, I don't know anyone
who thinks that whitelists are going away.
C doesn't make any sense; why wouldn't lists continue to allow only
subscribers to post (if that's their current policy)?
But one thing I think hasn't been addressed adequately in any of the
proposals is whether or how a re-signer of a message indicates whether
the message they got had a valid signature (and from whom).
Why would that be useful? Consider these three scenarios:
List A is manually moderated by a live person who checks all the messages
before they're sent out.
List B gives passwords to its users which they have to include in mail for
it to be resent. (The list software strips the passwords, of course.)
List C resends all mail from anyone that has a valid IIM signature,
subscriber or not.
I would expect lists A and B, using techniques unrelated to signatures
that have been around for many years, to earn much better reputations than
As I think about it more, I'm not sure whether having an assertion that
the input to a mailing list was signed is useful or not. A, B, and C
above have nothing to do with that; it's more of a question whether you
could do anything useful with that assertion by the mailing list.