On 24 Feb 2008 01:44:49 -0000, John Levine <johnl(_at_)iecc(_dot_)com> wrote:
The discarding of email is one of the key causes of some significant
> loss of trust in email as a reliable means of communication.
Since I invented the term "discardable" perhaps I should explain why I
mean discardable when I say discardable.
There is a common meme that discarding mail is always bad. But
generating and delivering bogus mail is just as bad, because nobody
can find the real mail in a mountain of spam. Every day I get
feedback loop "spam" reports for what is clearly real mail from a real
person sent to a real recipient. But the recipient's eyes glazed over
at all the spam in the inbox, and they discard the real mail along
with the spam. Keep that in mind.
I'm not sure how many people here other than Mike Hammer and me have
direct experience running a heavily phished domain, so here's a report
from the trenches. I run abuse.net, a tiny little domain that manages
a reporting address database. On a busy day there might be 100
outbound messages with abuse.net return addresses, but due to some
eastern European spammers with a strange sense of humor, every day I
get 400,000 bounces, out of office, and other blowback. That's the
reality of a phish target -- the fake mail vastly exceeds the real
mail, by orders of magnitude. I don't know the absolute numbers for
Paypal and the various banks, but I'm confident that they are in the
same situation at even larger scale, way more fake than real mail.
That's why when I say discardable, I really mean it. When I upgrade
my MTA to sign all of abuse.net's mail, I will really want you to
throw away unsigned mail. Not reject, not bounce, not send a DSN,
just THROW IT AWAY. Even if you carefully do your filtering and
reject at SMTP time, enough of the MTAs that see your reject will turn
it into a bounce that I'll still be inundated with junk bounces for
mail I didn't send. (Hmmn, large numbers of similar messages I didn't
ask for and don't want. Don't we have a name for that?)
The alternatives aren't really any better, either. Bounce it. Bounce
it where? To the (99% chance of forged) return path?
From what I am led to believe, the vast majority of DKIM evaluation is
taking place after receipt, meaning the opportunity to reject during
SMTP is not available.
Regards,
Al Iverson
--
Al Iverson on Spam and Deliverability, see http://www.spamresource.com
News, stats, info, and commentary on blacklists: http://www.dnsbl.com
My personal website: http://www.aliverson.com -- Chicago, IL, USA
Remove "lists" from my email address to reach me faster and directly.
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html