Eric Rescorla wrote:
I really hate it when spammers use my name. As a sender, that's my
motivation for publishing records and finding a provider that will sign
--- Eric Rescorla <ekr(_at_)networkresonance(_dot_)com> wrote:
Scott Kitterman <scott(_at_)kitterman(_dot_)com> wrote:
That may be true from the receiver's perspective. From the signer/sender's
perspective the primary value of reducing identity forgery is defensive.
a sender, what I want is for the forger/spammer to use some domain other
than mine or the ones I'm responsible for. If signing with DKIM and
publishing a policy saying that all messages are signed with DKIM provides
sifficent deterrent for the forger/spammer to go elsewhere, then from the
sender's perspective it's a victory. It's the flip side of the same coin.
I see your point but I don't consider this to really be the important
factor. The primary cost to the (alleged) sender of forged spam is
the cost of processing bounces
Not at all. Processing bounces is a mere matter of computing resources that are
readily funded by high value domains. Does the cost of handling a billion
bounces per day have an impact on the bottom line of BankOfAmerica, I doubt it.
Scott's point, I think, is that he wants to protect the reputation of a high
value domain by making sure that only that high value domain can use that
identity. He is happy to let the scammers/phishers move to less protected
Can you explain what "protect the reputation of a high value domain" means
in this context?
Yes, there are other ways to deal with bounces from forged mail, but
they are not standardized and require the outbound SMTP server and the
MX for the domain to be run by the same organization. For domains not
large enough to run dedicated mail servers, that can be restricting.
Whether the 'reputation' of my domain is encapsulated in some automagic
reputation system or not, I stronly dislike misuse of my name and have
expended significant resources to make it stop (I currently publish -all
SPF records and that's working well for me).
What it means to me is that they go bother somebody else or in a perfect
world have to get their own domains. I also want to be able to help
people I'm sending to be able to whitelist my domain so my mail gets
through. I could sign all my mail with S/MIME today. I do sign a fair
fraction of it, but I still don't have a way to mechanize a policy
statement that says all mail from kitterman.com is S/MIME signed and
anything else can safely be ignored.
As a sender, that's as far as my interest goes. Enough strength in the
system and enough deployment to deter spammers is all I need. For
bigger targets like Ebay deterrence will be harder to achieve.