On 9/19/10 7:46 PM, Michael Deutschmann wrote:
On Sun, 19 Sep 2010, Douglas Otis wrote:
One should not authorize any service that redistributes messages without
first verifying recipient subscriptions. [...]
Spammers would "subscribe" their victims to a mailing-list, and then
submit their messages and have it redistributed by the mailing-list.
But if the recipient site happens to have the information it would need
anyway to publish TPA on it's own, they can filter out such attempts
easily. While they would be agnostic as to whether the putative sender
really subscribed to the list, they would know that the *recipient* isn't
subscribed and thus the message is bogus.
It seems this is making two assumptions that are likely incorrect:
1) receiving domains know which mailing-lists their users have subscribed.
2) receiving domains reliably recognize mailing-list messages.
A sender benefits directly when accurate third-party information is
available to receivers that help in preventing their Author-Domain being
spoofed.
There is simply nothing that would suggest receivers are able to divine
which third-party sources might have been legitimately used, and which
can be trusted with respect to Author-Domain spoofing.
And they can do such filtering even if the putative sender publishes no
ADSP at all. However, if ADSP is absent or "dkim=unknown", this
protection isn't worth much, since forgeries that make no pretension to be
list traffic must be presumed innocent.
Agreed. This also needs to include non-participating list-traffic as
well. There will not be a flag day anytime soon where all mailing-lists
will always act in accordance with some new convention.
And remember, many big sites will never compile the information needed to
display a complete TPA policy. Without accomodation (ie: except-mlist),
"dkim=unknown" is all they can safely publish.
Disagree. While there are many domains offering third-party email
services, this still represents a finite dataset. In contrast, the
domains used by bad actors represent an infinite dataset. In addition,
the TPA-Label scheme allows signatures of "big sites" that lack ADSP
assertions to protect a different Author-Domain. This protection
requires control of the email-address be confirmed by the submitter.
The TPA-Label scheme can represent concerted community efforts,
organizations that specialize in providing third-party information, or
information captured from user notification given to their submission
administration.
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html