On Mon, Nov 17, 2008 at 08:55:40AM -0800, David Wall wrote:
> Since DKIM is intended to identify the sender, to ensure sent email is
> legit and hasn't been forged, then it would reduce spam if all senders
> did this because reputation matters. For one thing, sending spam is
> illegal in many areas, so having proof a spam is yours would not be good
> from a legal defense perspective. Second, blacklisting with provably
> bad senders would be more useful than some of the "random proof"
> blacklisting that goes on today.

<shrug> I don't see how. We already have any number of well-known
senders out there who are equally well-known for sending spam over
long periods of time. Yet many of them aren't blacklisted, or in
some cases, they are, but enough people have either not used the
blacklist or have used local whitelisting that the blacklist entry
is ineffective.

> Yes, if you are infected by a spambot, you will send signed spam. But
> if I can prove your system is sending spam, it may be easier and quicker
> to get resolution to clean that system.

I'd like to buy into that, but I don't. I don't think *any* mechanism
is going to motivate the former owners of a few hundred million zombies
to reclaim them and keep them that way. (Not that I object -- I'm all
for it. But it hasn't happened yet, despite the presence of compelling
evidence, and I don't think piling the evidence higher will change that.)

> Of course, like all such solutions, the real key is to get receiving
> systems to start demanding such security be in place to accept email.

Agreed. That's definitely the key; but the history of receiving systems
to date is that their keepers have displayed considerable reluctance to
cut off all but the most egregious offenders. Until that attitude is
changed, it won't matter what technology we invent, because all it will
do is tell us again what we already know.

(This reluctance extends to more than mail by the way: look at what
it took to get Atrivo/Intercage disconnected -- and just as importantly,
look at how long it took: many years.)
---Rsk
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg