It's useful to separate a subscriber (who receives mail from
a mailing list) from a poster (who is allowed to post to a
mailing list). On some mailing lists, they're the same;
on others, they're different. For example, the mailing list
policy (which differs from reality in some cases) for IETF
lists is that anyone can post to the list -- even non-
subscribers. For example, the mailing list policy for
'closed' lists is that only certain email addresses can
post to the list -- those certain addresses might be the
subscribers to the list or might be a list of special
addresses; a good example here are large broadcast mailing
lists like vendor's security alerts (thousands of subscribers,
but only the vendor can post to the list).
If a mailing list signs its outgoing messages, it's merely
signing that the message was sent by the mailing list. That's
authentication. By sending the message, the message is
presumed to have passed all of the mailing list's authorization
checks.
If a mailing list authenticates its outgoing messages, there
is no direct relationship to the message being spam (or non-spam)
from a legitimate or illegitimate poster. The techniques for making
that determination today include, but are certainly not limited to,
a combination of:
- only authorized posters can post (which might be *,
*(_at_)example(_dot_)com, all list subscribers, all list subscribers
except a certain blacklist, or
- all messages are content filtered (automatically or
by a human)
- unauthorized posters messages are content filtered
(automtically or by a human)
- vetting of subscribers (to prevent jekf19874(_at_)yahoo(_dot_)com from
subscribing just for the purpose of circumventing a list
policy that allows only subscribed users to post).
Once MASS is deployed, the mailing lists may, in *addition* to
the above techniques, also utilize:
- strong authentication, using MASS, to authenticate the
mail came from an authorized poster.
I believe that is the only additional check a mailing list
can perform with MASS. Mailing lists will have to continue to
perform the other, "legacy" checks they perform today, especially
considering that some posters aren't likely to be sending MASS-
signed mail for awhile.
Once a 'reputation' system is deployed, the mailing list may
additionally utilize:
- checking the reputation value for a new subscriber,
authorized poster, or unauthorized poster, in order
to decide to content analyze, reject, or accept the
new subscription or the post itself.
-d
-----Original Message-----
From: owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-mailsig(_at_)mail(_dot_)imc(_dot_)org]On Behalf Of Dave
Crocker
Sent: Thursday, November 04, 2004 8:09 AM
To: Jim Fenton; David Woodhouse
Cc: John Levine; ietf-mailsig(_at_)imc(_dot_)org
Subject: Re: mailing list software, was What does the mailsig mechanism
mean?
On Wed, 03 Nov 2004 08:08:31 -0800, Jim Fenton wrote:
The lists will want to be careful about what they sign. Unless
the list limits posting privileges to list members (and perhaps
even if it does), putting a mailing list behind a mailsig-aware
MTA is likely to cause the list to sign unauthorized messages by
default.
yes!
more generally, we certainly need to have the Security Considerations
section put very strong emphasis on the limitations of the mechanism,
both in terms of what makes for a "meaningful" signature, and what a
signature does and does not mean.
d/
--
Dave Crocker
Brandenburg InternetWorking
+1.408.246.8253
dcrocker a t ...
www.brandenburg.com