ietf-dkim

Re: [ietf-dkim] Re: 1: 1 and assertions about third parties

2008-01-18 09:43:45
John L wrote:
My expectation is that a large majority of domains that would publish strict SSP policies would be small mail systems with no more forgery problems than anyone else, but an exaggerated idea of their own importance.

I'm sorry, but is it just your peevishness about their perceived
self-importance? What difference does it make if they aren't as
important as they think they are? How is that negatively affecting
you?

My understanding is that the point of publishing SSP is to help mail recipients filter their mail better, where the only useful meaning of better is that it makes the recipient users happier. (I see occasional claims that the purpose of SSP is to permit senders to make statements regardless of whether they're useful to anyone else. If that's the case, we need to document it better but you can ignore the rest of this message.)

Senders' opinions about third parties aren't useful in making filtering decisions. In the example above, what happens when a user of such a domain sends mail through a mailing list and the signatures break? If you believe the strict SSP, you throw away perfectly good mail, making users unhappy. Well, OK, perhaps you adjust your rules to whitelist mail from known mailing lists. But now what about a domain like Paypal that you know (not from SSP) is both heavily forged and doesn't send mail through lists? My filter rules dump anything not sent directly from Paypal, list or no list. But how can SSP help us distinguish the Paypals from the self-importants? It can't, and there are clearly far more inept mail system managers than Paypal-style mega-phish targets.

There's an infinite variation of things that inept system managers
can do. If they misuse SSP, why is that so very different from inept sysadmins
who run open relays? Both are dumb and will get you in trouble. If we're
limited to the lowest common denominator, then there's _nothing_ we can
do because that's really low, and it really doesn't have anything to do
with their motivation (cf. self-importance).


It's fine to publish statements about what you actually do. "I sign everything" is fine, a sender controls that. Perhaps "I don't send mail through lists" would be useful, again, a sender can control that. But "I'm a phish target" or "broken signatures are forgeries" or anything else that purports to describe what other people do isn't useful, because the guy making the statement doesn't know any more about it than anyone else does. For the vast majority of domains, I suspect that AOL and Hotmail and other large inbound mail systems have much better data on how much

Well, SSP doesn't have "I'm a phish target" but does have the other two
more or less, so I guess there's no argument here.

                Mike
_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
