Douglas Otis wrote:
On 9/2/10 4:26 PM, J.D. Falk wrote:
Some of us have a pretty good idea. The people who design
reputation systems don't do so in a vacuum; they're constantly
reacting to spammers' latest tricks. If massive unauthorized
replaying of unmodified DKIM-signed messages ever becomes a real
issue, they'll adjust accordingly.
Were DKIM domains to become a primary basis for message acceptance, then
replayed messages would become a real issue. The question is "Then what
strategy is needed next without expecting the world to change how
applications handle email?" One answer might be TPA-Labels applied at
the transport level during message exchange. :^)
This might be related.
Let me use my BellSouth (now AT&T) cell phone service provider accounts
as an example.
Over the years, they tried to move customers over to electronic
billing or statements. (Note: My first company, OptiSoft, developed
and sold turnkey ODSAR (Optical Document Scanning and Retrieval)
systems, so I know a little about the logistics, cost savings, etc., for
the "paperless" marketplace.)
Anyway, I continue to refuse to sign up and be associated with any
online or email based billing/statement for security reasons. But
eventually, I guess because people were not signing up on their own
(OPT IN), they began to send the billing statement via email anyway
with marketing URL hooks to "turn it on".
I have continued to ignore it, but I occasionally check the headers to
see what they are using. I was expecting them to be more proactive
with DKIM (or DomainKeys), but at first I didn't see it. I asked Tony
Hansen about it. He indicated they will support POLICY once adopted
but did not say much beyond that. But I recall a few times when it
did have DKEY or DKIM; I don't recall which.
Now I just got my new statement and there is no DKIM/DKEY but it has
one of those X-YMailISG header lines.
I know AT&T began to outsource their U-VERSE and perhaps entire email
users to YAHOO.
But it always makes me wonder why they did not use at the very least a 1st party
signature. That alone would have given me more "trust" in these
electronic statements.
Now there is no trust whatsoever, as anyone can spoof YAHOO and that
X-YMailISG header.
It seems to me they are relying on users using the online interface,
where this would be more trustworthy, and view offline copies (via
POP3 pickups) to be less trustworthy in their eyes, I guess.
It seems to me what they did was promote replay spoofs. So why not use
a 1st party signature?
If AT&T is my cell provider, and they are sending billing statements
with URL hooks to join 'Something' and other stuff, they should be
more concerned about what 3rd party clearing house (YAHOO has a long-time
PR problem as a source for spam) they use and understand that not all
users are online.
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
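The distinction the post draws between a 1st party signature and a bare Yahoo header, as an added example (not code from anyone in this thread): a small Python classifier that reports whether a message's DKIM-Signature d= domain aligns with the From: domain, is a third-party signature, or is absent altogether. The sample messages, domains and token values are constructed, and the alignment rule is a simplification of DMARC's relaxed alignment.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed headers-only samples (not real AT&T or Yahoo mail); the b= values
# are placeholders, so this illustrates header inspection, not verification.
FIRST_PARTY = """From: billing@example-telco.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example-telco.com;
 s=bill2010; h=from; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI=
"""
THIRD_PARTY = """From: billing@example-telco.com
DKIM-Signature: v=1; a=rsa-sha256; d=mail.example-esp.com; s=k1; h=from; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI=
"""
UNSIGNED = """From: billing@example-telco.com
X-YMailISG: constructed-opaque-token
"""

def from_domain(msg):
    """Lower-cased domain of the From: address, or '' if absent."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def signing_domains(msg):
    """d= tag of every DKIM-Signature header, folding whitespace removed."""
    domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        for tag in "".join(sig.split()).split(";"):
            name, _, value = tag.partition("=")
            if name.lower() == "d" and value:
                domains.append(value.lower())
    return domains

def aligned(sig_domain, sender_domain):
    """Simplified relaxed alignment (DMARC proper compares organizational domains)."""
    return (sig_domain == sender_domain
            or sender_domain.endswith("." + sig_domain)
            or sig_domain.endswith("." + sender_domain))

def classify(raw):
    """Report who claims to have signed; this does not verify b= against the DNS key."""
    msg = message_from_string(raw)
    domains = signing_domains(msg)
    if not domains:
        # X-YMailISG-style provider headers are not signatures: nothing to verify offline.
        return "unsigned"
    sender = from_domain(msg)
    return "first-party" if any(aligned(d, sender) for d in domains) else "third-party"
```

A recipient reading a POP3 copy offline gets a usable trust signal only in the first case; the other two look identical to a replayed or spoofed statement.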