ietf-mailsig

Re: more hand waving about mailing lists

2004-12-08 07:46:49

John R Levine writes:
>> The spoofed message claiming to come from Harry Katz sent to ietf-mxcomp
>> on April 27:
>> http://www.imc.org/ietf-mxcomp/mail-archive/msg01146.html
>
> OK, that's one message out of more than 5000 posted to the list this year.
> I've seen more spam than that from 419'ers signing up for lists.  This
> does not strike me as a problem so urgent that it's worth making a major
> design criterion.

Which conveniently ignores that spammers and phishers mutate
to what is in their advantage the second that their first
option is closed.

>> This scheme won't work on the yahoo groups example I posted yesterday.
>> Nor would it work on mail passing through my stock majordomo2 server.
>
> OK.  It does work for plain text mail passing through yahoogroups.
>
> I asked some friends at Yahoo what fraction of the mail passing through
> yahoogroups is plain text vs. HTML.  They need to dig up the numbers, but
> their approximate answer is that it's just about all HTML.  Much though
> we may hate gooped up HTML mail, any scheme designed primarily for plain
> text mail is obsolete.

This is the second post in a row that you ignored the way
that we can trivially get around this problem -- which Jim
explicitly spelled out each time. I already have the
workaround for MIME running. I can have the workaround for
HTML working today if I can convince yahoogroups to actually
subscribe me to a list. The only thing that is "crashing and
burning" are your arguments.

>>> How is this any different from a bunch of signed spam coming from any
>>> other address? ...
>>
>> The difference is that (and perhaps this is a different topic entirely)
>> the signature on a mailing list or something trying to pose as one is
>> likely to be invisible to the recipient.  So unless you can reliably
>> whitelist real mailing lists (and I contend you can't, without an
>> external accreditation/reputation service, if you're verifying at the
>> domain level), you're giving attackers a way to spoof.
>
> Unless there is some aspect of IIM that I've totally missed, all
> signatures are invisible in the MUA unless you do something either in the
> MUA or in a preprocessor to make them visible.

And we all know that MUA software never changes, especially
when there are so few new things that users really need in
MUA's these days...

With Mozilla and Evolution I've set up input filters to see
visually which mail is signed, unsigned or signed/broken. It
works really well for seeing who's signing and when there's
a broken signature. And it took me about 5 minutes to cook
the rules up. You should try it.


          Mike
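
The signed / unsigned / signed-but-broken split Mike describes his MUA filters making, as an added example that is not code from this thread, from IIM, or from Mozilla or Evolution. The thread does not say which header IIM verifiers recorded their verdict in, so this example assumes the later standards: a DKIM-Signature header as the signature (DKIM is IIM's successor) and an Authentication-Results header (RFC 8601) written by a verifier we run. The trusted authserv-id `mx.example.net`, the `X-Signature-Status` tag header, and the sample messages are all constructed for the example. The check a practitioner wants, and the reason "signed" cannot be read off the presence of a signature header alone, is that a sender can add an Authentication-Results header of their own: only the topmost header carrying our verifier's authserv-id is believed, because each hop prepends its headers and a forged copy would sit below ours.

```python
"""Classify mail as signed / unsigned / broken for an MUA filter rule.

Added example (not from the thread). Assumptions, none of which are in the
original post:
- the signature lives in a DKIM-Signature header (IIM's successor);
- a verifier we control records its verdict in an Authentication-Results
  header (RFC 8601) stamped with the authserv-id below.
"""
import email
import re
from email import policy

# Assumed: the authserv-id our own verifier writes. Any other value is
# untrusted, since the sender can insert Authentication-Results headers too.
TRUSTED_AUTHSERV_ID = "mx.example.net"

_DKIM_RESULT = re.compile(r"\bdkim=([a-z]+)")


def trusted_dkim_result(msg, trusted_id=TRUSTED_AUTHSERV_ID):
    """Return the dkim= result from the topmost Authentication-Results header
    stamped by our verifier, or None if there is no such header.

    Hops prepend their headers, so the first header carrying our authserv-id
    is the one added last, i.e. by our own verifier; a forged copy inserted
    upstream by the sender sits below it and is never reached.
    """
    for value in msg.get_all("Authentication-Results", []):
        value = str(value)
        # authserv-id may be followed by a version number: "id [version];"
        authserv = value.split(";", 1)[0].strip().split()[0]
        if authserv != trusted_id:
            continue
        m = _DKIM_RESULT.search(value)
        return m.group(1) if m else "none"
    return None


def classify(raw_message, trusted_id=TRUSTED_AUTHSERV_ID):
    """Map a raw RFC 5322 message to one of: signed, unsigned, broken, unverified."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    has_sig = msg.get("DKIM-Signature") is not None
    result = trusted_dkim_result(msg, trusted_id)
    if result == "pass":
        return "signed"
    if not has_sig and result in (None, "none"):
        return "unsigned"
    if result is None:
        return "unverified"  # carries a signature, but no verdict we trust
    return "broken"          # fail / permerror / temperror, or a stray signature


def tag(raw_message, trusted_id=TRUSTED_AUTHSERV_ID):
    """Prepend an X-Signature-Status header (assumed name) that a plain
    header-match rule in Mozilla or Evolution can colour on."""
    return f"X-Signature-Status: {classify(raw_message, trusted_id)}\n" + raw_message


# Constructed sample messages (not from the thread). Signature values are
# placeholders; nothing here verifies the cryptography, the verifier did that.
_SIG = "DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel; b=AAAA\n"
_TAIL = "From: list@example.org\nSubject: test\n\nbody\n"

SIGNED = "Authentication-Results: mx.example.net; dkim=pass header.d=example.org\n" + _SIG + _TAIL
UNSIGNED = "Authentication-Results: mx.example.net; dkim=none\n" + _TAIL
BROKEN = ("Authentication-Results: mx.example.net; dkim=fail (body hash did not verify)\n"
          + _SIG + _TAIL)
# Sender forged a "pass" under our verifier's name; our own "fail" sits above it.
FORGED = ("Authentication-Results: mx.example.net; dkim=fail (body hash did not verify)\n"
          "Authentication-Results: mx.example.net; dkim=pass header.d=example.org\n"
          + _SIG + _TAIL)
# Only a verdict from some other authserv-id: not ours, so not believed.
FOREIGN = "Authentication-Results: attacker.example; dkim=pass header.d=example.org\n" + _SIG + _TAIL

if __name__ == "__main__":
    for name, raw in [("SIGNED", SIGNED), ("UNSIGNED", UNSIGNED), ("BROKEN", BROKEN),
                      ("FORGED", FORGED), ("FOREIGN", FOREIGN)]:
        print(f"{name:9s} -> {classify(raw)}")
```

The fourth state, `unverified`, goes beyond Mike's three: a message that carries a signature but no verdict from our own verifier is neither known-good nor known-broken, and colouring it as either would let a forged Authentication-Results header (the FOREIGN and FORGED cases) buy the "signed" colour. The filter itself stays a one-line header match; the trust decision is made here, before the MUA sees the tag.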

