On 5 Apr 2011, John Levine wrote:
(> > = me)
We'd like to be able to deploy DKIM, coupled with some ADSP-like protocol
(The real ADSP is hopelessly inadequate) in order to block all forgeries at
the MX. *All* forgeries, not just phish.
Well, as we've established long past the point of boredom, you can't.
And it's not just mailing lists. Don't forget all the mail that bots
can send with real stolen credentials,
Small semantics issue here. You are using a vertical "all" (eg: "With this
ADSP-alike, it will be beyond impossible for a @paypal.com mail to get
through that is not sanctioned by PayPal's legitimate officers."). But I
meant a horizontal "all" (eg: "With this other ADSP-alike, @paypal.com
forgeries are reasonably expected not to get through, and neither are
@gmail.com forgeries or @iecc.com forgeries.").
By stating "all", I was distancing myself from those here who consider it
Not A Problem that Gmail is never going to deploy "dkim=discardable", since
Gmail is "not a phishing target".
and mail to a friend, blah
blah. (This is not an invitation to reargue those points.)
There is a difference in kind between mailing lists and all other "friendly
forgery" cases such as F2F. Providers of F2F will likely give up and use
original From: addresses before end-users give up and (force their BOFH to)
undeploy ADSP. But the mailing list problem for ADSP is even bigger than
SPF's forwarding bugaboo -- it utterly scares off meaningful senderside
deployment.
---- Michael Deutschmann <michael(_at_)talamasca(_dot_)ocis(_dot_)net>
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html