On 11/10/2005 09:41, Douglas Otis wrote:
On 11/09/2005 11:15, Douglas Otis wrote:
A verified signer for the message could improve the results of filtering
applications like Spamassassin. As this is your primary mechanism,
improving these applications would benefit you significantly. A general
requirement that From matches the signer will not be reduce the amount
of spam, as spammers adapt.
You keep saying that. I don't believe you.
A verified identity is useful for whitelisting. I manage that well
enough already, so it's not a problem I need help solving.
No matter what you do with hueristics, you are only modulating an
approach that will only ever be so good. What we need is more
deterministic solutions and less dependence on heuristics.
What would you use when all spammers sign their email where their From
matches the signer?
First, I'm not saying a don't think heuristics will always be necessary. They
will.
Second, then they aren't sending e-mail from my domain anymore. That's a
victory.
Third, now I have a good name basis for blacklisting. That's a victory.
Fourth, yes, they can go register new domains, but adding DKIM to the mix
increases the complexity/cost of solving the problem for them. The more
expensive spam gets, the less of it there will be.
My original point was that if you take a unitary hueristic analysis and break
it into two parts (content and name) it doesn't necessarily give you a better
result. It may be marginally better. I think it's unlikely to be
substantially worse, but it's not at all clear to me that it's enough better
to be worth going through the hoops you are proposing.
I may well have to set up a sub-domain for list traffic. It would be a
minor inconvenience. As you can see by the From address I use on this
list, I already set up dedicated From addresses for mailing lists. I
already deliver these into a separate mail box. Adding a sub-domain for
it would be a one time 10 minute job. It's not something I'm
particularly concerned about.
Additionally, if there isn't a general solution to the DKIM/Mailing List
incompatability, then I expect that receivers that want to receive mail
from mailing lists will white list lists that they subscribe to and no
reject messages that are outside the domain's SSP from those lists. Yes,
it's more administrative burden, but it's a one time burden per list that
can be reasonably well automated.
What is the desired goal that requires this sizable effort for managing
these white-lists and extra email-addresses?
It's a work around if the working group doesn't come up with a satisfactory
solution to mailing lists breaking DKIM signatures. The desired goal would
to avoid going to the effort of attempting to validate signatures that aren't
going to validate.
Ensuring the signer is able to control abuse of the signature does not
detract from the benefits that you would enjoy, but it does allow the
use of a name-based reputation. The self-revocation mechanism that has
been suggested would also benefit those that do not use a reputation
service. These self revocations would be driven by reputation feedback.
This would be a way to share the benefits of reputation. : )
It sounds like you are saying that I'll be able to self-revoke based on
results from a reputation service that I don't use. I don't think this
is any more sensible than the rest of what you are proposing.
Abuse@ emails or even phone calls provide you feedback. If this feedback
is about message replay abuse, then being able to curtail and even prevent
replay abuse ensures this does not become a common exploit. Self
revocation shares this valuable feedback.
OK. So what you are saying is that replay protection has value independent of
reputation service? I can see the potential in that.
Getting SSP right would be of much greater value to me that going off on
the tangent that you propose.
You are advocating changing email practices. Allowing current practices
is not a tangent. Perhaps the MUA address book could also capture the
signing-domains to detect possible spoofs without forcing a general
association of the From/signer. It seems From/signer restrictions only
make sense for a small number of domains.
Sure I am. I think e-mail is broken enough today that things have to change
(can't make an omlette without breaking some eggs). The question is how.
I'd like to change e-mail so that fraudsters and spammers have less success.
By the time you get to the MUA, IMO, the battle is over. SSP is an MTA level
tool to solve an MTA level problem. I'd rather keep the users out of this
entirely if possible (I know it won't be possible, but it should be
minimized).
I'm not sure how many domains From/signer restrictions make sense for. I am
confident that the number is non-zero. Restrictive SSP should be allowed,
but not mandated.
Scott K
_______________________________________________
ietf-dkim mailing list
http://dkim.org