Re: [Asrg] Third party DKIM signatures

2006-06-02 11:08:47

On Jun 1, 2006, at 9:50 PM, John Levine wrote:

>> I said earlier that the ISP could quarantine outgoing mail until the
>> confirmation succeeded. Even better would be to reject the mail in
>> the SMTP transaction from the user to the ISP with a comment that a
>> confirmation email has been sent to the From address.
>
> What a complete waste of effort.  If I were an ISP using DKIM, I would
> be sure there was a header in my outgoing mail with enough info to
> identify the customer (opaque token is fine), and include it in the
> signature.  Then if a recipient objects, I know who the guilty party
> is regardless of what address he used.

I did state in my first post:
It may help to preemptively address the forgery issue if the ISP were to ensure that the From address were valid before signing the message. But this is an issue between the ISP and the user.

I'm not suggesting that ISPs should be required to filter addresses. Just that for some ISPs it may be beneficial.

Because DKIM signatures can provide indelible proof that abuse originated at a specific ISP, they are going to put added pressure on ISPs to control the abuse. Even after the ISP boots the abuser the evidence of the abuse will still exist.

Handling abuse after the fact will be fine as long as the cost to establish an account at your ISP is greater than the perceived benefit of using the account for abuse until it gets shut down. On the other side, what if your ISP gets hit with a flood of abuse reports claiming that your users are using forged addresses?

-- Dan Oetting
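
The approach John Levine describes in the quoted text (an opaque customer token in a header that the DKIM signature covers), sketched as an added example that is not part of the original message. The header name `X-ISP-Customer`, the token layout, the key and the sample `DKIM-Signature` values are assumptions constructed for illustration; the signing itself is left to the ISP's DKIM signer.

```python
import hashlib
import hmac
import secrets

TOKEN_HEADER = "X-ISP-Customer"  # hypothetical header name, not from the thread

# Constructed DKIM-Signature header values (b=/bh= are placeholders, not real signatures).
SAMPLE_SIGNED = ("v=1; a=rsa-sha256; d=isp.example; s=sel1;\r\n"
                 "\th=From:To:Subject:Date:\r\n\t X-ISP-Customer; bh=PLACEHOLDER=; b=PLACEHOLDER==")
SAMPLE_UNSIGNED = "v=1; a=rsa-sha256; d=isp.example; s=sel1; h=From:To:Subject; bh=X=; b=Y=="


def _mac(nonce, account_id, key):
    # Keyed MAC binding the nonce to one account; only the key holder can recompute it.
    return hmac.new(key, f"{nonce}:{account_id}".encode(), hashlib.sha256).hexdigest()[:32]


def make_token(account_id, key):
    """Opaque per-message token: outsiders cannot link two messages to one customer."""
    nonce = secrets.token_hex(8)
    return f"{nonce}.{_mac(nonce, account_id, key)}"


def identify(token, accounts, key):
    """Resolve a token from an abuse report to the account that sent it, or None."""
    nonce, _, mac = token.partition(".")
    for account_id in accounts:
        if hmac.compare_digest(_mac(nonce, account_id, key).encode(), mac.encode()):
            return account_id
    return None


def signed_header_names(dkim_signature_value):
    """Lower-cased header names listed in the h= tag of a DKIM-Signature value."""
    tags = {}
    for part in dkim_signature_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return [h.lower() for h in tags.get("h", "").split(":") if h]


def token_is_signed(dkim_signature_value):
    """True only if the token header is covered by the signature, so a report
    that passes DKIM verification cannot carry an altered or swapped token."""
    return TOKEN_HEADER.lower() in signed_header_names(dkim_signature_value)
```

A report whose signature does not list the token header in `h=` proves nothing about the token, so an abuse desk would check `token_is_signed` before calling `identify`.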

