On 8/4/10 2:01 PM, John Levine wrote:
> There's a scenario where a spammer/phisher sets up a mailing list,
> adds a bunch of addresses to the list and then sends a message with a
> paypal.com From: address through the list. The DKIM signature will
> obviously be invalid, but a MTA/spam filter won't be able to decide
> whether this is because the message didn't really come from Paypal,
> or because it did but the mailing list broke it.
>
> I don't see how this poses any new problems.
>
> If you believe in ADSP or manual drop lists, you drop the message
> because it's from paypal.com and it's unsigned. I think we can expect
> that we won't see any real paypal.com mail coming through lists.
Clearly, paypal.com did not initially internalize the significance of
ADSP dkim=discardable. Perhaps now they have. I seriously doubt they
were alone in that regard. It is not inconceivable that A-R headers
were seen as a remedy that might allow such use. There are many
similar companies where employees exchange messages using the
recognizable domain of their organization. ADSP dkim=discardable is not
a guarantee of messages never reaching an informal mailing list, and the
appendix in RFC 5617 only alluded to problems caused when the Author
Domain signature is not valid.
> Otherwise, it's just spam. Does anyone treat List-ID: or other list
> headers as a not-spam indicator unless it's from a list that you have
> reason to think has local subscribers? I certainly don't.
Most people are unable to deal with the typical email volumes generated
by informal mailing lists, without reliance upon message sorting. In
such a case, it seems unlikely a recipient would consider sorted mail as
representing some type of individual transaction. A message considered
to have been emitted from an informal mailing list is unlikely to be
effective as a phishing lure, and most lists will also unsubscribe
members who make unrelated solicitations.
While phishing remains a serious matter, disruptions created by ADSP
should be resolved by modifying its assertions in a manner still
effective against phishing. A community compiled list of informal
third-party services could greatly facilitate these efforts.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
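The receiver-side decision the exchange above turns on, as an added example that is not code from the thread or from any of its participants: given the From: domain, the DKIM verifier's results and the domain's ADSP record (RFC 5617), an MTA reports one of the dkim-adsp results and, for dkim=discardable with no valid Author Domain Signature, discards. The DNS lookups are replaced by a constructed table (`FAKE_ADSP_TXT`, with the made-up domains `paypal.example`, `bank.example`, `corp.example` and `lists.example`), and the verifier's output is passed in as a list, so it runs offline. It goes slightly beyond the single case in the thread by producing every result (pass, none, unknown, fail, discard, nxdomain) from the same logic; the treatment of a record with an unrecognized or missing dkim= value as "unknown" is this example's choice.

```python
"""ADSP (RFC 5617) evaluation on the receiving side, as an added example.

Runs offline: the DNS lookups an MTA would perform are replaced by a
constructed table, and DKIM verification results are passed in as the
verifier's output. Not code from the original thread.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed stand-in for DNS. Keys are author domains; values are the TXT
# record found at _adsp._domainkey.<domain>, or None when no record exists.
FAKE_ADSP_TXT = {
    "paypal.example": "dkim=discardable",
    "bank.example": "dkim=all",
    "corp.example": "dkim=unknown; note=constructed",
    "lists.example": None,
}
# Constructed set of domains that resolve at all. RFC 5617 treats a From:
# domain that does not exist like one that published dkim=discardable.
FAKE_EXISTING_DOMAINS = set(FAKE_ADSP_TXT)


def lookup_adsp(domain):
    """Return (domain_exists, adsp_txt_or_None) from the constructed table."""
    if domain not in FAKE_EXISTING_DOMAINS:
        return False, None
    return True, FAKE_ADSP_TXT.get(domain)


def parse_practice(txt):
    """Extract the dkim= practice from an ADSP TXT record.

    Returns 'unknown', 'all' or 'discardable', or None when there is no
    record. A missing or unrecognized dkim= value is treated as 'unknown'
    here (this example's choice, the conservative reading).
    """
    if txt is None:
        return None
    for tag in txt.split(";"):
        name, sep, value = tag.partition("=")
        if sep and name.strip().lower() == "dkim":
            value = value.strip().lower()
            return value if value in ("unknown", "all", "discardable") else "unknown"
    return "unknown"


def author_domain(raw_message):
    """Domain of the From: address, lower-cased; None if absent or malformed."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def adsp_result(raw_message, verified_sigs, lookup=lookup_adsp):
    """Return the dkim-adsp result an MTA would put in Authentication-Results.

    verified_sigs: list of (d_tag, passed) pairs from the DKIM verifier.
    An Author Domain Signature is a signature that verified AND whose d=
    equals the From: domain; a list's own valid signature does not count.
    """
    domain = author_domain(raw_message)
    if domain is None:
        return "permerror"
    if any(passed and d.lower() == domain for d, passed in verified_sigs):
        return "pass"          # valid Author Domain Signature: ADSP not consulted
    exists, txt = lookup(domain)
    if not exists:
        return "nxdomain"      # nonexistent author domain: treated as discardable
    practice = parse_practice(txt)
    if practice is None:
        return "none"          # the author domain publishes no ADSP record
    return {"unknown": "unknown", "all": "fail", "discardable": "discard"}[practice]


# Constructed message: a paypal.example From: relayed through a list that
# re-signed it. The list's signature verifies; the original one does not,
# because the list changed the message (subject tag, footer). Signature
# values are placeholders, not real signatures.
LIST_RELAYED = """From: "PayPal" <service@paypal.example>
To: members@lists.example
Subject: [members] Verify your account
List-Id: Members discussion <members.lists.example>
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example; s=list; bh=constructed; b=constructed
DKIM-Signature: v=1; a=rsa-sha256; d=paypal.example; s=mail; bh=constructed; b=constructed

(body altered in transit by the list)
"""
VERIFIER_OUTPUT = [("lists.example", True), ("paypal.example", False)]


def mailing_list_scenario():
    """The thread's case: the list headers do not help; ADSP says discard."""
    return adsp_result(LIST_RELAYED, VERIFIER_OUTPUT)


if __name__ == "__main__":
    print("dkim-adsp =", mailing_list_scenario())   # discard
```

Note that `adsp_result` never looks at List-Id or the list's own d=lists.example signature: the only thing that can rescue a dkim=discardable author domain is a surviving, valid signature from that domain, which is exactly what a body-modifying list removes.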