Could you give a concrete example of a problem with some actual existing
mailing lists that aren't tractable now but that forwarded signatures
would solve?
The spoofed message claiming to come from Harry Katz sent to ietf-mxcomp
on April 27:
http://www.imc.org/ietf-mxcomp/mail-archive/msg01146.html
OK, that's one message out of more than 5000 posted to the list this year.
I've seen more spam than that from 419'ers signing up for lists. This
does not strike me as a problem so urgent that it's worth making a major
design criteron.
This scheme won't work on the yahoo groups example I posted yesterday.
nor would it work on mail passing through my stock majordomo2 server.
OK. It does work for plain text mail passing through yahoogroups.
I asked some friends at Yahoo what fraction of the mail passing through
yahoogroups is plain text vs. HTML. They need to dig up the numbers, but
their approximate answer is that it's just about all HTML. Much though
we may hate gooped up HTML mail, any scheme designed primarily for plain
text mail is obsolete.
How is this any different from a bunch of signed spam coming from any
other address? ...
The difference is that (and perhaps this is a different topic entirely)
the signature on a mailing list or something trying to pose as one is
likely to be invisible to the recipient. So unless you can reliably
whitelist real mailing lists (and I contend you can't, without an
external accreditation/reputation service, if you're verifying at the
domain level), you're giving attackers a way to spoof.
Unless there is some aspect of IIM that I've totally missed, all
signatures are invisible in the MUA unless you do something either in the
MUA or in a preprocessor to make them visible. I don't know about you, but
I whitelist mailing lists with perfect accuracy. I whitelist the ones to
which I subscribe, and I don't whitelist the ones to which I do not
subscribe. Mail from mailing lists, genuine or otherwise, to which I
don't subscribe isn't any less likely to be spam than mail from any other
address.
Can you explain in more detail how mail from a list to which you don't
subscribe would permit spoofing? The signature would say "this is
definitely from foolist", and as far as I can see, the response is "so
what, we have no interest in foolist."
Yes; as I note in the next line, I tend to send plaintext mail to lists
and that does work with yahoogroups.
This is the time warp problem. You and I do plain text mail, but the rest
of the net doesn't. If you're using a Microsoft MUA, it's nearly
impossible to send plain text.
But this whole discussion has been about the body length count, right?
No, not at all. If you review my prior messages, I don't think I
mentioned body length counts at all. This dicussion has been about the
futility of assuming that list mail is processed in simple ways that we
can canonicalize around. Bodies change, headers change, all sorts of
stuff changes. The fact that you see list software that doesn't change
messages means that you subscribe to a lot of techoid lists run by HTML
haters. So do I, but that doesn't make us typical.
How about the examples of header munging that occur at transit MTAs,
such as the addition of [SPAM] to the subject line? I even have a mail
forwarder address that does that for me. Should we be making allowances
for that, such as by copying headers?
Spam filters munge mail in as many ways as list managers do. For example,
spamassassin can do anything from add an X- header to tag the subject line
to encapsulate the entire message as a MIME attachment, and that's just
one flavor of spam filter. Signatures are as likely to survive spam
filters as to survive mailing lists, that is, not very.
Have you looked at the debates that the S/MIME group had when they were
designing their signature scheme? They looked at all the things that mail
forwarders do and gave up on message signing, which is why the only thing
that you're likely to see an S/MIME signature on is a base64 encoded body
part. I don't see any reason to think that the problem's gotten any
easier, or that we're smarter than they were, so I'm more inclined to
figure out how we can make signatures useful on the paths that don't smash
messages than to attempt to reverse engineer the paths that do smash.
Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet
for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.