On Jan 23, 2006, at 7:35 AM, Stephen Farrell wrote:
> Please correct where I've missed things, or gotten stuff wrong.
> Where a particular message seems to contain a bunch of potentially
The mailing-list summary missed what should be serious concerns
related to replay abuse, whether it is a list-server, free email-
address provider, newsletter, or large domain.
Even aggressive rate restrictions, outbound filtering, and banishing
offending email-addresses will not offer an effective solution for an
abusive replay problem. When a common key is used, key revocation is
not practical. Per-user keys or per-user policies will impact the
related overhead, as both approaches will tend to overwhelm
caching. A bad actor is capable of sending replays from tens of
thousands of sources simultaneously. The use of a user policy as a
means of control also unfairly impacts use of the email-address in
cases where the recipient is the bad actor. Even rapid responses
from abuse reporting to pushing out altered key or policy with
extremely short TTLs will still likely be too slow to be an effective
deterrent. Short TTLs with per-user records will likely increase
the related overhead further still.
Eliot suggested list-servers (free email-address providers,
newsletters, e-invites, photo-kiosks, etc.) be picky about who they
allow to use their services, but did not provide a description of
that process. The current practice exercised by list-servers is the
use of double opt-in and banning those abusing their privileges.
Neither of these approaches protects the reputation of the list-
server signature, or the reputation of the signing domains that pass
through the list-server without the signature being overlaid with
verification results. A bad actor can issue a series of links, much
as seen in the prior message, which look okay until being used in an
abusive replay.
When there is replay abuse, how should the sender react?
What obligations do list-servers have with respect to their
participants in regards to a replay abuse problem that may affect the
reputation the signing domains sent through the list?
-Doug
P.S. Could you enclose your links in <> rather than [], thanks.
_______________________________________________
ietf-dkim mailing list
http://dkim.org