On Jun 1, 2006, at 9:50 PM, John Levine wrote:
>> I said earlier that the ISP could quarantine outgoing mail until the
>> confirmation succeeded. Even better would be to reject the mail in
>> the smtp transaction from the user to the ISP with a comment that a
>> confirmation email has been sent to the From address.
> What a complete waste of effort. If I were an ISP using DKIM, I would
> be sure there was a header in my outgoing mail with enough info to
> identify the customer (opaque token is fine), and include it in the
> signature. Then if a recipient objects, I know who the guilty party
> is regardless of what address he used.
I did state in my first post:
> It may help to preemptively address the forgery issue if the ISP
> were to ensure that the From address were valid before signing the
> message. But this is an issue between the ISP and the user.
I'm not suggesting that ISPs should be required to filter addresses.
Just that for some ISPs it may be beneficial.
Because DKIM signatures can provide indelible proof that abuse
originated at a specific ISP, they are going to put added pressure on
ISPs to control the abuse. Even after the ISP boots the abuser the
evidence of the abuse will still exist.
Handling abuse after the fact will be fine as long as the cost to
establish an account at your ISP is greater than the perceived
benefit of using the account for abuse until it gets shut down. On
the other side, what if your ISP gets hit with a flood of abuse
reports claiming that your users are using forged addresses?
-- Dan Oetting
Asrg mailing list
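John Levine's suggestion above (stamp an opaque customer token into a header and include that header in the signature) as an added example; this is not code from the thread or from any DKIM implementation. It substitutes HMAC-SHA256 over the canonicalized headers for the real DKIM public-key signature and body hash, and the header names, keys and account ids are all constructed.

```python
import hashlib
import hmac

# Constructed ISP-side secrets (placeholders, not real keys).
ISP_SIGNING_KEY = b"constructed-signing-key"  # stand-in for the DKIM private key
ISP_TOKEN_KEY = b"constructed-token-key"      # used only to derive opaque tokens

# Header names covered by the signature. The customer token is deliberately
# listed here so it cannot be stripped or altered without breaking verification.
SIGNED_HEADERS = ["from", "to", "subject", "x-customer-token"]


def customer_token(account_id):
    """Opaque, stable per-account token: meaningless to a recipient, but the ISP
    can recompute it for any account when an abuse report quotes it."""
    return hmac.new(ISP_TOKEN_KEY, account_id.encode(), hashlib.sha256).hexdigest()[:32]


def _canonical(headers):
    """Relaxed-style canonicalization: lowercase names, collapsed whitespace,
    headers taken in the fixed SIGNED_HEADERS order (missing ones sign as empty)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    lines = [f"{name}:{' '.join(lowered.get(name, '').split())}" for name in SIGNED_HEADERS]
    return "\r\n".join(lines).encode()


def sign(headers):
    """Stand-in for DKIM signing: HMAC-SHA256 over the canonicalized signed headers.
    Real DKIM uses a public-key signature and also covers a hash of the body."""
    return hmac.new(ISP_SIGNING_KEY, _canonical(headers), hashlib.sha256).hexdigest()


def verify(headers, signature):
    """Recipient-side check; any change to a covered header fails it."""
    return hmac.compare_digest(sign(headers), signature)


def isp_sign_outgoing(account_id, headers):
    """Submission server: stamp the opaque token, then sign with it covered."""
    msg = dict(headers)
    msg["X-Customer-Token"] = customer_token(account_id)
    msg["X-Signature"] = sign(msg)
    return msg


def find_account(token, account_ids):
    """Abuse desk: map a token from a complaint back to the sending account,
    whatever From address the message carried."""
    return next((a for a in account_ids if customer_token(a) == token), None)
```

Because the token is a keyed hash rather than the account name, a recipient who receives the complaint evidence learns nothing about the customer, while the ISP can still resolve it even after the From address turns out to be forged.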