On Jun 19, 2009, at 4:29 AM, Charles Lindsey wrote:
On Wed, 17 Jun 2009 18:03:46 +0100, SM <sm(_at_)resistor(_dot_)net> wrote:
At 03:00 17-06-2009, Charles Lindsey wrote:
As a matter of interest, could you say why?
Because it's unlikely that Mailman was doing the DKIM
verification. I tested Mailman to see how it affected DKIM
signatures.
Ah! My use of the term "List Admin" was intended to include the
activities of all the servers etc. through which the message passed
at that site.
I agree that the A-R was probably added before mailman saw the
message, but it was probably mailman that removed the original (now
broken) signature.
But either way, there is no suspicion that the A-R was added by the
spammer, or any other agent prior to the ML site, so no reason to
doubt the truth of what it attested (except for Conspiracy Theorists
who doubt everything - and the best way to placate Conspiracy
Theorists is to give them the evidence that proves their vivid
imaginations are wrong - in this case by signing the A-R header).
It is dangerous to consider A-R headers of unknown origins as somehow
inherently safe. After all, it is also unknown what "authserv-id"
recipients will list usable for annotation. It would not be hard to
guess in many cases. An A-R header from an unknown environment should
never be assumed to mean there was ever a valid DKIM signature.
Allowing just any A-R header to be accepted will likely invite rather
simple strategies for duping victims.
-Doug
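An added example, not from the thread, of the check Doug's post calls for: only an Authentication-Results header carrying an authserv-id this site recognises feeds the DKIM result used for annotation, and A-R headers of unknown origin are stripped. The trusted authserv-id, the sample message and its headers are constructed values.

```python
import re
from email import message_from_string

# Authserv-ids this site accepts as its own verifiers (constructed values).
TRUSTED_AUTHSERV_IDS = {"mail.example.org"}
# authserv-id, optional version number, ";" and then the result statements.
_AR_HEAD = re.compile(r"^\s*([\w.\-]+)(?:\s+\d+)?\s*;\s*(.*)$", re.DOTALL)

def parse_authres(value):
    """Split one A-R header value into (authserv-id, {method: result})."""
    flat = re.sub(r"\([^()]*\)", "", value)      # drop comments such as "(body hash mismatch)"
    m = _AR_HEAD.match(" ".join(flat.split()))   # unfold and collapse whitespace
    if not m:
        return None, {}
    results = {}
    for stmt in m.group(2).split(";"):
        tokens = stmt.split()
        if not tokens or tokens[0].lower() == "none":
            continue
        method, _, result = tokens[0].partition("=")  # "dkim=pass"; rest are properties
        if result:
            results[method.lower()] = result.lower()
    return m.group(1).lower(), results

def strip_untrusted_authres(msg):
    """Drop A-R headers not bearing our authserv-id; return how many were removed."""
    values = msg.get_all("Authentication-Results", [])
    kept = [v for v in values if parse_authres(v)[0] in TRUSTED_AUTHSERV_IDS]
    del msg["Authentication-Results"]
    for v in kept:
        msg["Authentication-Results"] = v
    return len(values) - len(kept)

def trusted_dkim_result(msg):
    """DKIM result attested by a trusted authserv-id, or None if there is none."""
    for v in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authres(v)
        if authserv_id in TRUSTED_AUTHSERV_IDS and "dkim" in results:
            return results["dkim"]
    return None

def sample_message():
    """Constructed message: our verifier saw a broken signature, while a second
    A-R header of unknown origin claims the signature passed."""
    return message_from_string(
        "Authentication-Results: mail.example.org; dkim=fail (body hash mismatch)\n"
        " header.d=example.com\n"
        "Authentication-Results: unknown.example.net; dkim=pass header.d=example.com\n"
        "From: sender@example.com\nSubject: test\n\nbody\n")
```

The "dkim=pass" from the unknown authserv-id never reaches the annotation step; a border MTA would run the strip before the message is handed on.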
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html