ietf-dkim

Re: [ietf-dkim] "third party signing" != "mailing list problem"

2010-09-19 21:50:06
On Sun, 19 Sep 2010, Douglas Otis wrote:
One should not authorize any service that redistributes messages without
first verifying recipient subscriptions. [...]
Spammers would "subscribe" their victims to a mailing-list, and then
submit their messages and have them redistributed by the mailing-list.

But if the recipient site happens to have the information it would need
anyway to publish TPA on its own, they can filter out such attempts
easily.  While they would be agnostic as to whether the putative sender
really subscribed to the list, they would know that the *recipient* isn't
subscribed and thus the message is bogus.

And they can do such filtering even if the putative sender publishes no
ADSP at all.  However, if ADSP is absent or "dkim=unknown", this
protection isn't worth much, since forgeries that make no pretension to be
list traffic must be presumed innocent.

And remember, many big sites will never compile the information needed to
display a complete TPA policy.  Without accommodation (i.e., except-mlist),
"dkim=unknown" is all they can safely publish.

---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
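
The recipient-side filtering described in the message above, as an added example that is not part of the original post or of any DKIM implementation. It assumes that a `List-Id` header marks a message as list traffic, that every `Authentication-Results` header left on the message was added by the local MTA, and that the site keeps a per-mailbox subscription table; the table, the verdict labels and all domain names are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: list signing domains each local mailbox subscribed to.
SUBSCRIPTIONS = {"alice@rcpt.example": {"lists.example.org"}}

def passing_dkim_domains(msg):
    """Signing domains (d=) reported as dkim=pass. Assumes every
    Authentication-Results header on the message came from the local MTA."""
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", value):
            found.add(m.group(1).lower())
    return found

def classify(raw, recipient, author_adsp, subscriptions=SUBSCRIPTIONS):
    """author_adsp is the From domain's ADSP value, or None when none is published."""
    msg = message_from_string(raw)
    author_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signers = passing_dkim_domains(msg)
    if author_domain and author_domain in signers:
        return "ok-author-signed"
    if msg.get("List-Id"):  # message presents itself as list traffic
        if signers & subscriptions.get(recipient, set()):
            return "ok-subscribed-list"
        return "bogus-recipient-not-subscribed"  # needs no ADSP from the sender
    if author_adsp in ("all", "discardable"):
        return "adsp-fail"
    return "presumed-innocent"  # ADSP absent or "unknown"

def sample(list_id=None, signer=None):
    """Build a constructed message claiming to be from bob@author.example."""
    lines = ["From: Bob <bob@author.example>", "To: alice@rcpt.example"]
    if list_id:
        lines.append(f"List-Id: <{list_id}>")
    if signer:
        lines.append(f"Authentication-Results: mx.rcpt.example; dkim=pass header.d={signer}")
    return "\n".join(lines) + "\n\nbody\n"

if __name__ == "__main__":
    rcpt = "alice@rcpt.example"
    print(classify(sample("dkim.lists.example.org", "lists.example.org"), rcpt, None))
    print(classify(sample("promo.spam.example", "spam.example"), rcpt, None))
    print(classify(sample(), rcpt, "unknown"))
    print(classify(sample(), rcpt, "all"))
```

The third case is the gap the message points out: a forgery that carries no list markers passes whenever the author domain publishes no ADSP or "dkim=unknown".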