On Thu, 2005-02-10 at 16:53 -0500, Sam Hartman wrote:
> "John" == John R Levine <johnl(_at_)iecc(_dot_)com> writes:
> John> This is the Project Lumos fallacy. I have no interest whatsoever in
> John> distinguishing between a domain's nice users and its nasty users. I
> John> believe that each domain is responsible for keeping its users in line, and
> John> the reason that signatures are useful is to help me alert domains about
> John> undesirable mail they've sent. If they send a lot of undesirable mail,
> John> I'm going to reject the whole domain, not do their filtering for them.
> As discussed in section 4.1 of Russ's draft, a domain cannot know how
> widely a message will be distributed. Once I have a signed copy of
> that message I can choose to distribute it much more widely than the
> sending domain might like me to do.
That's true _regardless_ of whether there's a signature
there or not. That's why characterizing this as a replay
attack fundamentally misses the point about mail distribution:
with SMTP, that's a feature not a bug.
> Fundamentally what you are asking for is incompatible with ISPs that
> will provide service to users until those users violate the terms of
> service. The user can take one action--signing one message and widely
> distributing that signed message.
True again regardless of whether it's signed or not.
> For a large ISP this will happen enough that your strategy will end up
> deciding all the large ISPs have unacceptable reputations.
This is, of course, the new wrinkle: that a receiver can
actually determine with some reasonable accuracy that its
source was a particular domain. But for large ISPs, this
strikes me about as credible as threats of usenet death penalties
and their ilk: nice in theory, hard in practice. The high
likelihood, in my mind, is that large ISPs aren't going to
get accidentally blacklisted just because some spammer
xeroxes their message under the ISP's outgoing signing
machine; that makes the implicit assumption that:
1) ISPs do nothing to police their user base [*]
2) That the amount of spam that does slip through vs ham
will actually tilt a reputation
3) That the utility of interconnection is so low that
you won't slag your user help desk with calls about
why you can't get mail from, oh say, hotmail anymore.
I find all of these questionable. On the other hand, what
it should provide is the ability to very quickly single out
disposable spam domains and blacklist them. There the
correlation will probably be very high, and the utility
of interconnection very, very low.
Mike
[*] and if ISPs don't do things to police their user base...
so much the better that you can determine that it really
came from them.