ietf-dkim

Re: [ietf-dkim] I sign nothing / only only 3rd party / some mail

2006-07-27 12:57:30
In <3B782392-236F-48B6-B170-FDE324ABBC9B(_at_)blighty(_dot_)com> Steve Atkins 
<steve(_at_)blighty(_dot_)com> writes:

> On Jul 27, 2006, at 12:08 PM, wayne wrote:
>
>> In <p06230903c0eeb486a116(_at_)[10(_dot_)20(_dot_)30(_dot_)182]> Paul Hoffman
>> <phoffman(_at_)proper(_dot_)com> writes:
>>
>>> "I sign some mail" doesn't tell the recipient anything useful.
>>>
>>> What am I missing?
>>
>> It says that you should look at email without a signature as being
>> "acceptable", unlike a "I sign all mail" which without a signature is
>> quite questionable.
>
> How does that differ from a sender that doesn't have the
> "I sign some mail" flag set?

heh.  I knew as soon as I posted my too-short email that I would get a
reply like this.  I was in the process of composing a reply to myself
when yours came in.


Yes, signatures will be broken in transit and it will be a long time
before people can very safely reject email based on not having a valid
signature, even if you have an "I sign everything" policy.  This is
why I said that it is only "questionable", not "rejectable".


However, an "I sign everything" policy still gives a lot of important
clues.

First, a lot of spam and email worms will not have any signature, just
because it takes more work to do.  Email that gets broken in transit
will still have a valid selector and such, and that selector is going
to vary quite a bit between domains.  It isn't trivial to just throw a
signature into your spam/worm that appears to have been broken in
transit.


Secondly, there is going to be a fair amount of consistency about
which MTAs will send you email with broken signatures and which
won't.  You can develop a list of mailing lists and such that are
known to break signatures, and you can combine that with existing
lists of known spam sources.  Combining the two, you can
determine which email is likely legitimate and which is likely spam
and put that into your spam scoring system.

As time goes on and more people clean up their email and stop breaking
things in transit, this technique is going to become easier and more
reliable. 


Lastly, there are some domains that can implement an "I sign
everything" policy much easier than others.  A bank might well be able
to say that *no one* should send email through any other sources other
than their approved MTAs.  You can't use your ISP if you are working
at home, you can't use webmail.  It is a firable offense.   Other
domains simply can not force such policies on their users any time in
the foreseeable future; ISPs and webmail providers spring to mind.

I think there are also going to be some domains that only sign, and
thus risk their reputation on, some email, but not all of it.  You
can, say, sign all transactional email, but not sign stuff from the
marketing department.  Or, an ISP could only sign email that gets a
good grade on their outgoing spam filter system.


So, I do think that some value can be extracted from the distinction
between an "I sign everything" policy and an "I sign some email"
policy.


-wayne
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
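
The scoring idea in the message above (unsigned versus broken-in-transit mail under an "I sign everything" policy, combined with lists of known signature breakers and known spam sources), sketched as an added example that is not part of the original post. The policy labels, weights, hostnames, addresses and the selector table standing in for a DNS key lookup are all assumptions constructed for illustration.

```python
import re

# Constructed sample data (assumptions, not taken from the thread).
KNOWN_BREAKERS = {"lists.example.org"}             # relays known to break signatures
KNOWN_SPAM_SOURCES = {"203.0.113.7"}               # known spam source addresses
PUBLISHED_SELECTORS = {("bank.example", "2006a")}  # stand-in for a DNS key lookup
SAMPLE_SIG = "v=1; a=rsa-sha256; d=bank.example; s=2006a; b=AbCd\r\n EfGh=="

def parse_tags(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)  # drop folding whitespace
    return tags

def classify(sig_header, verified):
    """Return 'none', 'bogus' (selector not published), 'broken' or 'valid'."""
    if sig_header is None:
        return "none"
    tags = parse_tags(sig_header)
    if (tags.get("d"), tags.get("s")) not in PUBLISHED_SELECTORS:
        return "bogus"   # a signature cannot look "broken in transit" without a real selector
    return "valid" if verified else "broken"

def spam_score(policy, sig_header, verified, relay_host, relay_ip):
    """Higher is more suspicious. policy is 'all' or 'some' (hypothetical labels)."""
    state = classify(sig_header, verified)
    score = 3.0 if relay_ip in KNOWN_SPAM_SOURCES else 0.0
    if state == "valid":
        return score - 2.0
    if state == "bogus":
        return score + 2.0
    if policy == "some":
        return score     # unsigned or broken mail is "acceptable" under this policy
    # policy == "all": a missing or broken signature is questionable, not rejectable
    if state == "broken" and relay_host in KNOWN_BREAKERS:
        return score + 0.5
    return score + (1.5 if state == "broken" else 2.5)

if __name__ == "__main__":
    print(spam_score("all", None, False, "mx.example.net", "198.51.100.9"))
    print(spam_score("all", SAMPLE_SIG, False, "lists.example.org", "198.51.100.9"))
```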
