My point is, when coupled with a message replay, it doesn't need to
remail and sign a lot of spam. The mailing list can be a mechanism for
a spam message to gain a signature which is then replayed to a *lot* of
addresses (not just list subscribers). I'm concerned that there might
be enough potential damage to a domain's reputation to make people think
twice about hosting a mailing list. I'm not sure what the answer is
here; perhaps mailing lists need to (somehow) take weaker responsibility
for messages that pass through them.
I am at a loss to understand why people keep proposing schemes that have
no utility other than to help give a free pass to various kinds of spam.
If someone is rebroadcasting my list mail as spam, I don't see any benefit
to anyone to inventing a scheme that says "too bad, not my problem." The
solution is to figure out who's doing it and make him stop, or at least to
be more selective about who we allow to subscribe to the list.
The point of signatures is to get people to take responsibility for their
mail, and it seems utterly counterproductive to add loopholes that allow
people to evade that responsibility. Yes, sometimes people will misbehave
without our consent, but that means it's something we need to deal with,
not something to build a zone of permission around.
By the way, this issue is not unique to list mail. If I write to you from
my throwaway Hotmail account and ask "This is Betty Sue. Are you the guy
who left me at the altar ten years ago?" and you write back and say "no,
I'm not, I never heard of you", and I then rebroadcast a million copies of
your message, it's the same problem.
[ re checking whether list mail was signed before it passed through
the list ]
List C resends all mail from anyone that has a valid IIM signature,
subscriber or not.
I would expect lists A and B, using techniques unrelated to signatures
that have been around for many years, to earn much better reputations than
C doesn't make any sense; why wouldn't lists continue to allow only
subscribers to post (if that's their current policy)?
Of course C makes no sense. That's why it makes no sense to ask if list
mail was already signed, because if you did anything based on such a
check, you'd be saying that List C is the kind of mail you want.
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.