ietf-dkim

Re: [ietf-dkim] Why mailing lists should strip DKIM signatures

2010-04-23 12:46:59

On Apr 23, 2010, at 9:41 AM, John Levine wrote:

There's no new semantics, deep or otherwise.  Yahoo is treating the
signature as an assertion of responsibility -- it has my signature,
the recipient complained about it, they have reason to think I'm not
evil, so they sent me the complaint.  All that is fine, but the
problem is that for list mail, I'm not the one who can do anything
about it.

In this particular case, for you, that's true. It's not true in general.

Mike asked how one could tell whether this was a complaint about all
mail from the list, or just mail from me.  I have my suspicions, but
I have no way to tell.  The only party who can is the human or
mechanical list manager who can look at the pattern of complaints and
figure out the person is complaining about all the mail from the list,
in which case they should unsub him, or he's just complaining about
mail from me, in which case they might want to kick me off the list
if they agree with the complaints.

If a list adds its own signature and leaves the contributor's, now
it's up to heuristics by the recipient to guess what to do.  

The recipient can use heuristics, if that works for them, but
it's not the only option.

For list
mail, the correct guess is to treat the list as responsible.

Often. Maybe even usually. But not in all cases.

As one theoretical example, if I compromise a webmail
provider and use accounts there to sign up for yahoo groups
mailing lists, then send spam to them, then the webmail
provider is going to want to know about it.

Or if I get a b-tard infestation trolling mailing lists I'll want
to know about it.

Wouldn't it be a better idea to avoid the guessing?

Yes, by notifying all the responsible parties who have set up a
DKIM based FBL and who have valid DKIM signatures on the
message.

Part of the overhead of handling an FBL is to decide which
reports to pay attention to and which not to. In your case you'd
(probably) want to ignore any reports about mail sent from
your legitimate users via mailing lists, via some heuristic that
works for you.

But you're the only one who can make that decision, so you
can't push that decision off on to Yahoo or mailing list providers
in general. I don't want them to make the decision to not
send reports to responsible parties who do want the reports
and can handle them.

It's not too hard for anyone handling inbound FBL streams
to categorize them mechanically, and automate their policies
to ignore reports they believe are irrelevant, so the overhead
for this sort of FBL report is low. If the mailing list manager strips
signatures, they lose a source of data and don't get to make
that decision.

(As for reputation - a big part of reputation is the content that
is sent. If a particular list subscriber consistently sends mail
that other list subscribers complain about then it's not
unreasonable that that may damage the reputation of that
particular list subscriber as well as that of the list.)

Cheers,
  Steve


_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
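The two mechanisms Steve describes above, the reporter notifying every signer that has a valid signature on the message and has set up a DKIM-based FBL, and the signer's own automated policy for sorting inbound reports into ones to act on and ones to ignore, as an added Python example. This is not code from the thread or from any FBL operator. The domains, addresses, FBL registry, sample messages and the List-Id heuristic are constructed assumptions, and DKIM verification is assumed to be done by a separate verifier whose list of verified d= domains is passed in.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed list post: the contributor (d=example.org) signed first, then the
# list (d=lists.example.net) added List-Id and its own signature covering it.
# Signature values are placeholders; a separate DKIM verifier is assumed.
LIST_POST = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=lists.example.net;
\ts=list2010; h=from:to:subject:list-id; bh=c2FtcGxl; b=bGlzdA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=mail;
\ti=steve@example.org; h=from:to:subject; bh=c2FtcGxl; b=c3RldmU=
From: steve@example.org
To: dkim-discuss@lists.example.net
List-Id: DKIM discussion <dkim-discuss.lists.example.net>
Subject: Re: Why mailing lists should strip DKIM signatures
Message-ID: <20100423.1@example.org>

Body of the list post.
"""
# Constructed direct mail carrying only the contributor's signature.
DIRECT_MAIL = """\
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.org; s=mail;
\ti=steve@example.org; h=from:to:subject; bh=c2FtcGxl; b=ZGlyZWN0
From: steve@example.org
Subject: Direct mail, no list involved
Message-ID: <20100423.2@example.org>

Body of the direct mail.
"""
# Constructed registry of signer domains that set up a DKIM-based FBL.
FBL_REGISTRY = {"example.org": "fbl@example.org",
                "lists.example.net": "abuse@lists.example.net"}

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into tag=value pairs (RFC 6376 section 3.2)."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is not significant
    return tags

def dkim_signatures(msg):
    return [parse_dkim_tags(str(h)) for h in msg.get_all("DKIM-Signature", [])]

def fbl_recipients(raw, verified_domains):
    """Reporter side: every signer whose signature verified and who registered
    an FBL gets the complaint; the reporter does not guess which one 'owns' it."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {s["d"]: FBL_REGISTRY[s["d"]] for s in dkim_signatures(msg)
            if s.get("d") in verified_domains and s["d"] in FBL_REGISTRY}

def build_arf_report(raw, signer_domain, reporter):
    """Reporter side: wrap the complained-about message in an ARF report
    (RFC 5965: multipart/report with report-type=feedback-report)."""
    original = email.message_from_string(raw, policy=policy.default)
    feedback = EmailMessage()
    feedback["Feedback-Type"] = "abuse"
    feedback["User-Agent"] = "ExampleFBL/1.0"
    feedback["Version"] = "1"
    feedback["Reported-Domain"] = signer_domain
    report = EmailMessage()
    report["From"] = reporter
    report["To"] = FBL_REGISTRY[signer_domain]
    report["Subject"] = "Abuse report for " + str(original["Message-ID"])
    report.set_content("A recipient reported this message as abusive.")
    report.add_attachment(feedback, subtype="feedback-report")
    report.add_attachment(original)  # attached as message/rfc822
    report.replace_header("Content-Type", "multipart/report; report-type=feedback-report")
    return report

def classify_report(arf_raw, my_domain):
    """Signer side: decide mechanically which reports deserve attention.  The
    list heuristic is the signer's own choice (an assumption here): a List-Id
    that our signature did not cover was added after we signed, so the mail
    reached the complainer through a list and the list operator should act."""
    report = email.message_from_string(arf_raw, policy=policy.default)
    if (report.get_content_type() != "multipart/report"
            or report.get_param("report-type") != "feedback-report"):
        return ("reject", "not an ARF feedback report")
    parts = {p.get_content_type(): p.get_payload(0) for p in report.iter_parts()
             if p.get_content_maintype() == "message"}
    feedback = parts.get("message/feedback-report")
    original = parts.get("message/rfc822")
    if feedback is None or original is None:
        return ("reject", "malformed ARF report")
    if str(feedback["Reported-Domain"]) != my_domain:
        return ("reject", "report is about another signer's domain")
    ours = [s for s in dkim_signatures(original) if s.get("d") == my_domain]
    if not ours:
        return ("reject", "reported message carries no signature by us")
    signed_headers = ours[0].get("h", "").lower().split(":")
    if original["List-Id"] is not None and "list-id" not in signed_headers:
        return ("ignore", "relayed via mailing list " + str(original["List-Id"]))
    return ("act", "complaint about " + ours[0].get("i", "@" + my_domain))
```

Run against the constructed list post, the reporter sends one ARF report per verified, registered signer; the contributor's domain classifies its copy as "ignore" because its signature's h= list does not cover List-Id, while the list's domain classifies its copy as "act" because its signature does, which is the split of responsibility the message above argues for. The direct mail, with no List-Id at all, classifies as "act" for the contributor, and the i= tag names the account to look at.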