On Mon, 2004-11-01 at 17:18 -0800, Jim Fenton wrote:
> Because then I could take the message signed by the mailing list and
> replay it to a whole lot of people that aren't subscribed to the
> mailing list, as well.

True. I can see what I could do with the message. I just don't see why I
should be excited :)

In the worst case, the mailing list isn't checking for mailsig
signatures, and will accept mail 'From:' any address you offer. Assuming
you can get past any other spam filtering, you then get your message
signed by the list as a Sender: address.

Presumably the idea is that such a Sender-signed mail will be more
likely to get accepted by your spamees than a mail with some other
Sender: address.

But surely that's only true if the Sender: address of the list has a
_good_ reputation? And in this case -- a list which doesn't check
mailsig signatures on the way in and has other anti-spam measures which
are weak enough to let your spam through -- the list isn't going to
_have_ such a good reputation?

--
dwmw2