
Re: [Asrg] Third party DKIM signatures

2006-06-04 19:39:00

On Jun 3, 2006, at 6:50 PM, John Levine wrote:

> What a complete waste of effort. If I were an ISP using DKIM, I would
> be sure there was a header in my outgoing mail with enough info to
> identify the customer (opaque token is fine), and include it in the
> signature.  Then if a recipient objects, I know who the guilty party
> is regardless of what address he used.
>
>> I did state in my first post:
>> It may help to preemptively address the forgery issue if the ISP
>> were to insure that the From address were valid
>
> Who said anything about From addresses?  Like I said, the signing ISP
> puts a token in one of the signed headers so it knows which customer
> it was, regardless of what's on the From: line.  As I think we've gone
> over more than once, it is extremely unlikely that an ISP would know
> what addresses its customers were or were not allowed to use, and
> arbitrary limits like you have to use the address that came with the
> account don't work.

As I have been saying all along, if your ISP is operating in a way that it costs the spammers more to establish a new account than they perceive they will gain by abusing their privileges till they get booted, you should be fine handling abuse after the fact. But when the criminal spammers invade your ISP using stolen credit cards and figure their costs at zero, will you be able to stop them fast enough?

ISPs are each going to approach this problem differently. Some will put in costly measures to verify the real user identities before an account is opened. Others will choose to prevent the abuse by filtering what gets out of their servers. I'm not going to argue that one way is better than another; the goal is to stop the abuse or at least reduce it to a manageable level.

I personally believe that legitimate users that are not part of the spam problem should be unencumbered by the anti-spam measures. My favored approach is to detect the abuse as quickly as possible, notify the ISP or other controlling party as directly as possible, and have the abuse stopped before the rest of the net is significantly inconvenienced. Since filtering From addresses of legitimate users is against my personal belief, I'm going to drop such discussions now.

-- Dan Oetting
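The mechanism John describes above, an opaque customer token placed in a header that the signing ISP includes in the DKIM h= list, shown as an added example that is not part of this thread or of any DKIM implementation. It uses DKIM's relaxed header canonicalization (RFC 6376 section 3.4.2) and the h= header list, but stands in HMAC-SHA256 with a shared key for the RSA signature so it runs with the standard library alone; the header name X-Customer-Token, the key and the message are constructed for the example. The verifier only reports the token when the header is actually covered by the signature, which is the point of "include it in the signature": an unsigned token can be forged or stripped, a signed one cannot be changed without breaking the signature, whatever the From: line says.

```python
import hashlib
import hmac
import re
from typing import List, Optional, Tuple

# Constructed demo key. Real DKIM signs with an RSA or Ed25519 private key and
# publishes the public key in DNS; a shared-key HMAC stands in here.
SIGNING_KEY = b"constructed-demo-key"

# Headers the ISP chooses to cover. X-Customer-Token is the hypothetical opaque
# customer identifier from the discussion (name assumed for this example).
SIGNED_HEADERS = ["from", "to", "subject", "x-customer-token"]

# Constructed outgoing message headers, as the ISP's MTA would see them.
CUSTOMER_MSG = (
    "From: someone@example.com\r\n"
    "To: recipient@example.net\r\n"
    "Subject: hello\r\n"
    "X-Customer-Token: acct-7f3a9c\r\n"
)


def relaxed_canon_header(name: str, value: str) -> str:
    """DKIM 'relaxed' header canonicalization: lowercase the field name,
    unfold continuation lines, collapse runs of whitespace, strip the value."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower()}:{value}\r\n"


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw header block into (name, value) pairs, re-joining folded lines."""
    headers: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, val = headers[-1]
            headers[-1] = (name, val + "\r\n" + line)
        elif ":" in line:
            name, val = line.split(":", 1)
            headers.append((name.strip(), val))
    return headers


def header_hash_input(headers: List[Tuple[str, str]], signed_names: List[str]) -> str:
    """Concatenate the canonical form of each header named in h=, in h= order,
    taking the last instance of each as DKIM requires; absent headers add nothing."""
    out = []
    for want in signed_names:
        for name, val in reversed(headers):
            if name.lower() == want:
                out.append(relaxed_canon_header(name, val))
                break
    return "".join(out)


def sign(raw_headers: str, signed_names: List[str] = SIGNED_HEADERS) -> str:
    """Build a DKIM-Signature-style header covering signed_names.
    The body hash and the signature header's own inclusion are omitted."""
    data = header_hash_input(parse_headers(raw_headers), signed_names).encode()
    tag = hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()
    return f"DKIM-Signature: a=hmac-sha256; h={':'.join(signed_names)}; b={tag}"


def signed_message(raw_headers: str = CUSTOMER_MSG,
                   signed_names: List[str] = SIGNED_HEADERS) -> str:
    """Prepend the signature header, as the ISP's outbound MTA would."""
    return sign(raw_headers, signed_names) + "\r\n" + raw_headers


def verify(raw_message: str) -> Tuple[bool, Optional[str]]:
    """Recompute the tag over the headers listed in h=. Returns (signature valid,
    customer token); the token is returned only when h= covers it, since an
    uncovered X-Customer-Token could have been altered or added in transit."""
    headers = parse_headers(raw_message)
    sig = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig is None:
        return False, None
    tags = dict(kv.strip().split("=", 1) for kv in sig.split(";") if "=" in kv)
    signed_names = tags["h"].split(":")
    data = header_hash_input(headers, signed_names).encode()
    expected = hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tags["b"]):
        return False, None
    if "x-customer-token" not in signed_names:
        return True, None
    token = next((v.strip() for n, v in reversed(headers)
                  if n.lower() == "x-customer-token"), None)
    return True, token


if __name__ == "__main__":
    msg = signed_message()
    print(verify(msg))                                            # (True, 'acct-7f3a9c')
    print(verify(msg.replace("acct-7f3a9c", "acct-000000")))     # (False, None)
    print(verify(msg.replace("someone@", "forged@")))            # (False, None)
    print(verify(signed_message(signed_names=["from", "to"])))   # (True, None)
```

The last case is the one to notice: the signature verifies, the token header is present, but because h= does not name it the receiver learns nothing reliable about the customer. Token identification works only because the signer binds the token, not because the header exists.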



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg