I'm certainly not suggesting a full 5322 body cavity search, but I think
reasonable checks would include checking for duplicates of headers that
MUAs are likely to show, such as Subject, To, From, Sender, and Cc.
I'm concerned that if we name that specific check, that's all people
will do and then think they're safe. And later some other "attack"
will come to light, and because we didn't just say the message has to
be compliant overall, we've now left a hole behind. We'll never be
finished.
I understand your concern, but it strikes me as being at the same
level as the various arcane attacks on relaxed canonicalization, e.g.,
adding a lot of white space to make ASCII art. There's a difference
between "do this and you're safe" and "if you don't do this, you're
not safe." Based on an extensive two-minute survey of MUAs, I see
that if there are two subject or From lines, T'bird shows the first,
Alpine and Evolution show the second, so header stuffing is not a
purely hypothetical problem.
DKIM simply highlights an issue that's been there for a very long time now.
No. No, no, no, no, no. Malformed messages only become an issue when
someone aserts that they're not malformed. In the absence of DKIM
signatures, the reasonable thing to do with a malformed message is to
render it. In the presence of a DKIM signature, the reasonable thing
is something else. That's why this is a DKIM issue.
R's,
John
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html