Douglas Otis wrote:
> On Dec 8, 2006, at 7:05 AM, <Bill(_dot_)Oxley(_at_)cox(_dot_)com> <Bill(_dot_)Oxley(_at_)cox(_dot_)com>
> wrote:
> Signing is not limited to the MTA, it can be done at the MUA. In
> addition, protections afforded by DKIM requires the MUA to verify
> signatures or obtain trustworthy signaling from the MDA.
I'm sorry. What section in the DKIM specification does it say it
"requires the MUA to verify signatures"?
> Blocking at the MTA can not offer adequate protection.
Why not?
> It would be wrong to expect blocking at the MTA via restrictive
> policy produces a significant effect on the level of abuse.
Bad Guy uses my domain.com at site XYZ. Site XYZ looks up my policy and
finds he wasn't supposed to use my DOMAIN.
What's wrong with expecting this is not a highly probable event?
> Blocking via policy definitely does _not_ offer
> much in the way of protection, but will require a significant level of
> support explaining why various messages are being rejected.
It will?
- A domain does not expect mail. Pretty good protection
- A domain requires mail to be signed. Pretty good protection
Those two alone will cut down a very significant amount of the most
common exploitations without requiring any feedback whatsoever.
--
HLS