Oh wow! This is nuts! With all the issues with l=, I saw it mostly
with spammers, or some eMarketing source. But I would never have expected
a major US bank to use the Body Length Tag especially when they don't
really need to.
Summary Problem:
Domains sending DKIM signed DSN with the Body Length Tag (l=) set.
This happened with a major US bank when a bad guy sent a spoofed message
using an unknown user bank email address to our list server and the
MLM issued a non-membership notification. When the bank got the
notification to the unknown user which it first accepted at the SMTP
level, it then created a non-delivery DKIM signed DSN with the "l="
tag set.
So what can we learn from this?
1) It appears to me the signers or their software have misinterpreted the
specification and are blindly setting the "l=" tag for all their mail,
including needlessly with a DSN.
2) I looked in RFC4671bis and see no guidance regarding signing
bounce mail, but it MUST NOT be done with the "l=" tag set.
3) MLM should be using a NULL return path for its notifications. Not all
MLM do this when it comes to list notifications. A List non-membership
notification should be viewed as an SMTP 550 no local user account
rejection.
Comments?
--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
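The audit below is an added example, not code from the post or from any DKIM implementation. It shows, from a receiver's point of view, what the "l=" tag does to a signed DSN: it parses the DKIM-Signature tag list, applies the "simple" body canonicalization of RFC 6376, and reports how many octets of the canonical body fall outside the signed length. The two messages are constructed samples; the domain `bank.example`, the selector `dsn`, and the `bh=`/`b=` placeholder values are assumptions, and the code does not verify the signature cryptographically (it only reasons about coverage, which is the point the post makes about needless use of "l=").

```python
"""Audit a DKIM-signed message for the body length tag (l=).

Added example (not from the mailing-list post). Implements only the
'simple' body canonicalization of RFC 6376 section 3.4.3; the sample
signatures below use c=relaxed/simple, so that is the variant that matters.
No cryptographic verification is performed.
"""

# Constructed sample: a DSN whose signature covers only the first 61 body
# octets (l=61). The last line stands in for text appended after signing,
# e.g. a footer added by a list server. bh= and b= are placeholders.
SAMPLE_WITH_L = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bank.example;\r\n"
    " s=dsn; l=61; h=from:to:subject; bh=BODYHASH_PLACEHOLDER;\r\n"
    " b=SIGNATURE_PLACEHOLDER\r\n"
    "From: mailer-daemon@bank.example\r\n"
    "To: list-owner@list.example\r\n"
    "Subject: Undeliverable: Non-member submission\r\n"
    "\r\n"
    "Your message could not be delivered.\r\n"
    "Reason: no such user.\r\n"
    "Footer added in transit by the list server.\r\n"
)

# Same constructed DSN without l=: the whole canonical body is covered.
SAMPLE_WITHOUT_L = SAMPLE_WITH_L.replace(" l=61;", "")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 3.2).
    Folding whitespace inside a value is removed, as the RFC allows."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = "".join(value.split())
    return tags


def simple_body_canonicalize(body: str) -> bytes:
    """'simple' body canonicalization: CRLF line endings, all trailing empty
    lines removed, body terminated by exactly one CRLF (empty body -> CRLF)."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def split_message(raw: str):
    """Return (unfolded header lines, body) for a CRLF-terminated message."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and headers:      # folded continuation
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return headers, body


def audit_body_length(raw: str) -> dict:
    """Report how much of the canonical body the l= tag leaves unsigned."""
    headers, body = split_message(raw)
    sig_value = next(
        (h.partition(":")[2] for h in headers
         if h.lower().startswith("dkim-signature:")),
        None,
    )
    if sig_value is None:
        raise ValueError("no DKIM-Signature header")
    tags = parse_dkim_tags(sig_value)

    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if body_canon != "simple":
        raise NotImplementedError("only simple body canonicalization is handled")

    canonical_octets = len(simple_body_canonicalize(body))
    l_tag = int(tags["l"]) if "l" in tags else None
    unsigned = 0 if l_tag is None else max(0, canonical_octets - l_tag)

    if l_tag is None:
        verdict = "no l= tag: entire body is covered by the signature"
    elif unsigned == 0:
        verdict = "l= tag present but covers the whole body"
    else:
        verdict = f"l= tag leaves {unsigned} body octets outside the signature"
    return {
        "l_tag": l_tag,
        "canonical_body_octets": canonical_octets,
        "unsigned_octets": unsigned,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("with l=", SAMPLE_WITH_L), ("without l=", SAMPLE_WITHOUT_L)):
        print(label, "->", audit_body_length(sample)["verdict"])
```

A receiver can use the `unsigned_octets` figure as a policy input (for instance, treating a message whose signed length is shorter than its body as unverified rather than "pass"), and a signer can run the same check against its own outbound DSNs to confirm that "l=" is simply not being emitted.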