ietf-dkim
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ietf-dkim] shared drop lists

2010-06-02 23:15:43
from [John Levine] [Permanent Link] 
My problem with this position is that it seems to argue for
proprietary one-off solutions vs. Internet standards for email
authentication policy assertions.


That's certainly a reasonable concern.  I expect that if it turns out
there are more discardable domains than Paypal, people would use
shared drop lists, just like they use shared blacklists and whitelists
of IP addresses and domains now.

Last year Paul Hoffman, Arvel Hathcock and I published RFC 5518 on
Vouch by Reference, which we intended as a way to publish whitelists
of responsible domains, originally DKIM signing domains but also
usable for domains that pass SPF -all.  It would only take a small
tweak to VbR to use it to publish shared drop lists.

VbR is deliberately really simple; it's a single DNS lookup, prepend the
name you're looking up to _vouch and the VbR service's name.  The result
is a txt record saying what kind of mail it's vouching for, with the
list currently being all, list, or transaction.

We could add "discardable" as a VbR field, and do lookups like this,
for a list called drop.services.net.

$ dig info.paypal.ca._vouch.drop.services.net txt

; <<>> DiG 9.6.1-P1 <<>> info.paypal.ca._vouch.drop.services.net txt

;; QUESTION SECTION:
;info.paypal.ca._vouch.drop.services.net. IN TXT

;; ANSWER SECTION:
info.paypal.ca._vouch.drop.services.net. 7200 IN TXT "transaction discardable"

(This really works, by the way.  Try it!)

There'd be some other minor tweaks to VbR to bypass an optimization in
VbR that puts hints in the mail about where to look, obviously not
useful if you're looking up mail that you suspect is a phish.

At this point my published drop list contains paypal domains, who
publish ADSP, and ebay and amazon who don't publish ADSP, but who send
transaction mail all of which is as far as I can tell signed.  Looking
at the rest of the signatures in my archive, I don't see anyone other
reasonable candidates yet.

R's,
John
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [ietf-dkim] the danger of ADSP, was list vs contributor, Michael Thomas
Next by Date:  Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion, John Levine
Previous by Thread:  Re: [ietf-dkim] list vs contributor signatures, was Wrong Discussion, Brett McDowell
Next by Thread:  Re: [ietf-dkim] shared drop lists, Dave CROCKER
Indexes:  [Date] [Thread] [Top] [All Lists]