
Re: [ietf-dkim] Re: dkim.org (mipassoc.org/dkim) web page updated

2005-11-10 07:42:46
> On 11/09/2005 11:15, Douglas Otis wrote:

>> A verified signer for the message could improve the results of filtering
>> applications like Spamassassin.  As this is your primary mechanism,
>> improving these applications would benefit you significantly. A general
>> requirement that From matches the signer will not reduce the amount
>> of spam, as spammers adapt.

> You keep saying that.  I don't believe you.
>
> A verified identity is useful for whitelisting.  I manage that well enough
> already, so it's not a problem I need help solving.

> No matter what you do with heuristics, you are only modulating an approach
> that will only ever be so good.  What we need is more deterministic
> solutions and less dependence on heuristics.

What would you use when all spammers sign their email where their From
matches the signer?

> I may well have to set up a sub-domain for list traffic.  It would be a
> minor inconvenience.  As you can see by the From address I use on this
> list, I already set up dedicated From addresses for mailing lists.  I
> already deliver these into a separate mail box.  Adding a sub-domain for
> it would be a one time 10 minute job.  It's not something I'm particularly
> concerned about.

> Additionally, if there isn't a general solution to the DKIM/Mailing List
> incompatibility, then I expect that receivers that want to receive mail
> from mailing lists will white list lists that they subscribe to and not
> reject messages that are outside the domain's SSP from those lists.  Yes,
> it's more administrative burden, but it's a one time burden per list that
> can be reasonably well automated.

What is the desired goal that requires this sizable effort for managing
these white-lists and extra email-addresses?


>> Ensuring the signer is able to control abuse of the signature does not
>> detract from the benefits that you would enjoy, but it does allow the
>> use of a name-based reputation.  The self-revocation mechanism that has
>> been suggested would also benefit those that do not use a reputation
>> service.  These self revocations would be driven by reputation feedback.
>> This would be a way to share the benefits of reputation. : )

> It sounds like you are saying that I'll be able to self-revoke based on
> results from a reputation service that I don't use.  I don't think this is
> any more sensible than the rest of what you are proposing.

Abuse@ emails or even phone calls provide you feedback.  If this feedback
is about message replay abuse, then being able to curtail and even prevent
replay abuse ensures this does not become a common exploit.  Self
revocation shares this valuable feedback.


> Getting SSP right would be of much greater value to me than going off on
> the tangent that you propose.

You are advocating changing email practices.  Allowing current practices
is not a tangent.  Perhaps the MUA address book could also capture the
signing-domains to detect possible spoofs without forcing a general
association of the From/signer.  It seems From/signer restrictions only
make sense for a small number of domains.

-Doug
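The two receiver-side behaviours argued over above, a From/signer match requirement and a per-list whitelist that exempts subscribed mailing lists from it, can be written down as a small policy check. The following is an added example, not code from the thread or from any DKIM implementation; it assumes the cryptographic verification of the DKIM-Signature has already been done by some other component and only models the policy decision on top of that result. The sample messages, domains (example.org, lists.example.net) and the "relaxed" subdomain rule are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From domain equals the DKIM signer (d=) domain.
ALIGNED_MSG = """From: Alice <alice@example.org>
To: ietf-dkim@example.net
Subject: test
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; c=relaxed/relaxed;
 h=from:to:subject; bh=FAKE_BODY_HASH; b=FAKE_SIGNATURE

hello
"""

# Constructed sample: re-signed by a mailing list domain while From stays
# with the original author (the mailing-list case discussed in the thread).
LIST_MSG = """From: Alice <alice@example.org>
To: ietf-dkim@lists.example.net
Subject: [list] test
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=sel;
 h=from:to:subject; bh=FAKE_BODY_HASH; b=FAKE_SIGNATURE

hello
"""


def dkim_tags(header_value):
    """Parse a DKIM-Signature tag=value list into a dict.

    Folding whitespace is removed first; it is insignificant for the d= tag,
    which is all this policy check needs.
    """
    tags = {}
    for part in re.sub(r"\s+", "", header_value).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key] = value
    return tags


def signer_domain(msg):
    """Return the lowercased d= domain of the first DKIM-Signature, or None."""
    header = msg.get("DKIM-Signature")
    if header is None:
        return None
    return dkim_tags(header).get("d", "").lower() or None


def from_domain(msg):
    """Return the lowercased domain of the From address, or None."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() or None


def aligned(from_dom, signer_dom, mode="strict"):
    """True when the From domain matches the signer domain.

    'strict' requires an exact match.  'relaxed' (a simplification assumed
    here, not taken from any specification) also accepts one domain being a
    subdomain of the other.
    """
    if not from_dom or not signer_dom:
        return False
    if mode == "strict":
        return from_dom == signer_dom
    return (from_dom == signer_dom
            or from_dom.endswith("." + signer_dom)
            or signer_dom.endswith("." + from_dom))


def policy_decision(raw, signature_verified, mode="strict", trusted_list_signers=()):
    """Receiver policy on an already-verified DKIM result.

    signature_verified is the outcome of the cryptographic check, performed
    elsewhere (assumed).  trusted_list_signers is the receiver's per-list
    whitelist of signer domains that are exempt from the From/signer rule.
    """
    msg = message_from_string(raw)
    from_dom, signer_dom = from_domain(msg), signer_domain(msg)
    if not signature_verified or signer_dom is None:
        return "unsigned"
    if signer_dom in trusted_list_signers:
        return "accept-list"           # subscribed list: skip the From/signer rule
    if aligned(from_dom, signer_dom, mode):
        return "accept-aligned"
    return "reject-unaligned"


if __name__ == "__main__":
    print(policy_decision(ALIGNED_MSG, True))
    print(policy_decision(LIST_MSG, True))
    print(policy_decision(LIST_MSG, True, trusted_list_signers={"lists.example.net"}))
```

Running the block shows the three outcomes at issue in the thread: the aligned message is accepted, the list-resigned message is rejected under a strict From/signer rule, and the same message is accepted once the list's signing domain is on the receiver's whitelist. The whitelist is keyed on the signer's domain rather than the From address, which is what makes it a one-time entry per list.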
_______________________________________________
ietf-dkim mailing list
http://dkim.org