ietf-dkim

Re: [ietf-dkim] Clarifying DKIM (etc.) expectations for mailing lists in the face of digests

2010-08-04 17:28:58
On 8/4/10 2:01 PM, John Levine wrote:
>> There's a scenario where a spammer/phisher sets up a mailing list,
>> adds a bunch of addresses to the list and then sends a message with a
>> paypal.com From: address through the list. The DKIM signature will
>> obviously be invalid, but an MTA/spam filter won't be able to decide
>> whether this is because the message didn't really come from Paypal,
>> or because it did but the mailing list broke it.

> I don't see how this poses any new problems.
>
> If you believe in ADSP or manual drop lists, you drop the message
> because it's from paypal.com and it's unsigned.  I think we can expect
> that we won't see any real paypal.com mail coming through lists.

Clearly, paypal.com did not initially internalize the significance of 
ADSP dkim=discardable.  Perhaps now they have.  I seriously doubt they 
were alone in that regard.  It is not inconceivable that A-R headers 
were seen as a remedy that might allow such use.   There are many 
similar companies where employees exchange messages using the 
recognizable domain of their organization.  ADSP dkim=discardable is not 
a guarantee of messages never reaching an informal mailing list, and the 
appendix in RFC5617 only alluded to problems caused when the Author 
Domain signature is not valid.

> Otherwise, it's just spam.  Does anyone treat List-ID: or other list
> headers as a not-spam indicator unless it's from a list that you have
> reason to think has local subscribers?  I certainly don't.

Most people are unable to deal with the typical email volumes generated 
by informal mailing lists without reliance upon message sorting.  In 
such a case, it seems unlikely a recipient would consider sorted mail as 
representing some type of individual transaction.  A message considered 
to have been emitted from an informal mailing list is unlikely to be 
effective as a phishing lure, where most lists will also unsubscribe 
members who make unrelated solicitations.

While phishing remains a serious matter, disruptions created by ADSP 
should be resolved by modifying its assertions in a manner still 
effective against phishing.  A community compiled list of informal 
third-party services could greatly facilitate these efforts.

-Doug

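The thread above argues about what a receiver should do with a paypal.com From: address whose DKIM signature no longer verifies after passing through a list, and whether Authentication-Results or List-ID headers change that. The script below is an added example, not code from the ietf-dkim list or from any MTA or filter: it applies the RFC 5617 ADSP semantics (unknown/all/discardable) to constructed messages, taking the signature outcome from an Authentication-Results header (RFC 5451) written by the receiver's own verifier. Everything in it is assumed for illustration: the authserv-id "mx.example.net", the ADSP record values (paypal.com is used only because the thread names it), and the sample headers. No DNS lookup or signature verification is performed.

```python
"""RFC 5617 ADSP disposition given the Author Domain Signature result.

Added example for the thread above; not code from the ietf-dkim list, an MTA
or a filter.  Assumes our own verifier already checked the DKIM signatures
and recorded the outcome in an Authentication-Results header (RFC 5451) under
the authserv-id "mx.example.net".  ADSP records, messages and authserv-id are
constructed; no DNS lookup or signature verification happens here.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV_ID = "mx.example.net"  # assumed id of our own verifier

# Constructed stand-in for _adsp._domainkey.<domain> TXT records.  paypal.com
# appears only because the thread names it; the record value is assumed.
ADSP_RECORDS = {
    "paypal.com": "dkim=discardable",
    "example.org": "dkim=all",
    # example.net publishes no ADSP record
}


def parse_adsp(record):
    """Practice from an ADSP record (dkim=unknown|all|discardable), else None."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    practice = tags.get("dkim")
    return practice if practice in ("unknown", "all", "discardable") else None


def lookup_adsp(domain):
    """Missing or unparseable record -> 'unknown', per RFC 5617."""
    record = ADSP_RECORDS.get(domain.lower())
    return (parse_adsp(record) if record else None) or "unknown"


def author_domain(msg):
    """Domain of the RFC 5322 From address (the Author Domain)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def author_signature_valid(msg):
    """True iff OUR verifier reported dkim=pass with header.d equal to the
    Author Domain.  A-R headers under any other authserv-id (one a list or a
    spammer prepended) are ignored, as RFC 5451 requires."""
    want = author_domain(msg)
    for ar in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = ar.partition(";")
        if authserv_id.strip() != TRUSTED_AUTHSERV_ID:
            continue
        for m in re.finditer(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", results):
            if m.group(1).lower() == "pass" and m.group(2).lower() == want:
                return True
    return False


def adsp_disposition(msg):
    """A valid Author Domain Signature always satisfies ADSP.  Without one:
    unknown -> accept, all -> suspicious, discardable -> discard.  List-Id and
    other list headers play no part in the decision."""
    if author_signature_valid(msg):
        return "accept"
    practice = lookup_adsp(author_domain(msg))
    return {"unknown": "accept", "all": "suspicious", "discardable": "discard"}[practice]


def classify(raw_message):
    return adsp_disposition(message_from_string(raw_message))


# Constructed messages as they might arrive at mx.example.net.
SAMPLES = {
    # The thread's scenario: paypal.com From address relayed by a list, the
    # signature broken in transit (or never valid), List-Id present.
    "relayed_by_list": """\
From: PayPal <service@paypal.com>
List-Id: <members.list.example.com>
Authentication-Results: mx.example.net; dkim=fail (body hash did not verify) header.d=paypal.com

Click here.
""",
    # Same, but a list (or the phisher) prepended an A-R claiming a pass.
    "forged_upstream_ar": """\
From: PayPal <service@paypal.com>
Authentication-Results: list.example.com; dkim=pass header.d=paypal.com
Authentication-Results: mx.example.net; dkim=fail header.d=paypal.com

Click here.
""",
    # Direct delivery with a valid Author Domain Signature.
    "direct_signed": """\
From: PayPal <service@paypal.com>
Authentication-Results: mx.example.net; dkim=pass header.d=paypal.com

Thanks.
""",
    # dkim=all domain, unsigned: suspicious but not discardable.
    "all_unsigned": """\
From: alice@example.org
Authentication-Results: mx.example.net; dkim=none

hi
""",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} -> {classify(raw)}")
```

Two points the code makes concrete: the List-Id header never enters the decision, so a list-relayed dkim=discardable message is dropped exactly as Levine says; and an Authentication-Results header is only evidence when it carries the receiver's own authserv-id, so an A-R added upstream (by a list, or by whoever ran the list) cannot rescue the message.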

_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
