Dan Oetting wrote:
On Jun 1, 2006, at 9:50 PM, John Levine wrote:
I said earlier that the ISP could quarantine outgoing mail until the
confirmation succeeded. Even better would be to reject the mail in
the smtp transaction from the user to the ISP with a comment that a
confirmation email has been sent to the From address.
What a complete waste of effort. If I were an ISP using DKIM, I would
be sure there was a header in my outgoing mail with enough info to
identify the customer (opaque token is fine), and include it in the
signature. Then if a recipient objects, I know who the guilty party
is regardless of what address he used.
I did state in my first post:
It may help to preemptively address the forgery issue if the ISP
were to ensure that the From address were valid before signing the
message. But this is an issue between the ISP and the user.
I'm not suggesting that ISPs should be required to filter addresses.
Just that for some ISPs it may be beneficial.
Because DKIM signatures can provide indelible proof that abuse
originated at a specific ISP, they are going to put added pressure on
ISPs to control the abuse. Even after the ISP boots the abuser the
evidence of the abuse will still exist.
Yeah, but... large providers suffer from the Usenet Death Syndrome --
that you can threaten a provider, but the likelihood that you're ever
going to pull the trigger on them is really low. Maybe it works to
some degree on the social/shame level, but the technical level seems
pretty remote. What _does_ seem more likely is that we'll be able to
get a better handle on senders who are abusive but not drawn from
large user populations, spammers being one form of that population.
If we can set up a situation where they are faced with two choices:
stay in the ever increasingly toxic sewer of unauthenticated messages,
or authenticate their messages which allows reputation to accrue, then
we'll all be in a much better position. I guess the same goes for
third party signatures too.
Mike
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
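
The signed customer-token header suggested in the quoted text above, sketched from the ISP abuse desk's side. This is an added example, not code from the thread or from any DKIM implementation. The header name X-Customer-Token, the HMAC token format and the customer IDs are assumptions, and the DKIM signature is assumed to have already been verified cryptographically by a separate verifier.

```python
import hashlib
import hmac
import re

TOKEN_HEADER = "X-Customer-Token"  # hypothetical header name (assumption)

def make_token(secret: bytes, customer_id: str, day: str) -> str:
    """Opaque token stamped on outgoing mail; meaningless without the ISP's secret."""
    mac = hmac.new(secret, f"{customer_id}|{day}".encode(), hashlib.sha256)
    return f"{day}.{mac.hexdigest()[:32]}"

def signed_headers(dkim_signature: str) -> set:
    """Lower-cased header names listed in the h= tag of a DKIM-Signature value."""
    tags = {}
    # Folding whitespace carries no meaning inside the tags we read, so drop it.
    for part in re.sub(r"\s+", "", dkim_signature).split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name] = value
    return {h.lower() for h in tags.get("h", "").split(":") if h}

def identify_customer(secret, customers, dkim_signature, token):
    """Map a token from a complaint back to a customer, or None if it proves nothing."""
    if TOKEN_HEADER.lower() not in signed_headers(dkim_signature):
        # Header not covered by the signature: anyone could have added or altered it.
        return None
    day = token.partition(".")[0]
    for cid in customers:
        expected = make_token(secret, cid, day)
        if hmac.compare_digest(expected.encode(), token.encode()):
            return cid
    return None

if __name__ == "__main__":
    # Constructed sample values, not taken from any real message.
    secret = b"constructed-demo-secret"
    customers = ["cust-1001", "cust-1042"]
    token = make_token(secret, "cust-1042", "20060602")
    sig = ("v=1; a=rsa-sha256; d=isp.example; s=sel1;\r\n"
           "\th=From:To:Subject:Date:\r\n\t X-Customer-Token; bh=...; b=...")
    print(identify_customer(secret, customers, sig, token))
```

The check on the h= tag is the point of "include it in the signature": a token header that the signature does not cover identifies nobody.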