ietf-mailsig

Re: MASS Security Review document

2005-02-11 17:25:27

> I think you're assuming something about the way the reputation system
> works; a large domain will hopefully still have an overwhelming majority
> of "desirable" messages and that might factor into the reputation too.

Actually, it varies a lot.  For example, I find that even though I get a
lot of spam from AOL, it's vastly outweighed by the good mail, but the
spam from Disney's go.com is bad enough that they're on my loser list. Big
domains earn varying reputations just like little domains do.

> There's a related attack that actually worries me more.  Suppose someone
> sends some spam to (for example) an ietf.org mailing list, where it gets
> [re-]signed.  If this message is replayed widely, it looks like ietf.org
> is generating lots of spam, and it didn't even come from a user with an
> ietf.org address.

Uh, that's how it's supposed to work.  If ietf.org manages their mail
system so poorly that they remail and sign a lot of spam, they deserve
whatever poor reputation that earns them.  If recipients, for their own
reasons, want to accept mail from that domain anyway, I don't know anyone
who thinks that whitelists are going away.

> But one thing I think hasn't been addressed adequately in any of the
> proposals is whether or how a re-signer of a message indicates whether
> the message they got had a valid signature (and from whom).

Why would that be useful?  Consider these three scenarios:

List A is manually moderated by a live person who checks all the messages
before they're sent out.

List B gives passwords to its users which they have to include in mail for
it to be resent.  (The list software strips the passwords, of course.)

List C resends all mail from anyone that has a valid IIM signature,
subscriber or not.

I would expect lists A and B, using techniques unrelated to signatures
that have been around for many years, to earn much better reputations than
list C.

Regards,
John Levine, johnl(_at_)iecc(_dot_)com, Primary Perpetrator of "The Internet 
for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Mayor
"I dropped the toothpaste", said Tom, crestfallenly.
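The re-signing and reputation question argued above (a list re-signs what it forwards, replayed copies are charged to the list, and no proposal yet says how a re-signer records what it received) is modelled in the following example. It is added here and is not code from the thread or from any IIM/DKIM implementation; the per-domain HMAC keys, the `prev=` note, the list policies A, B and C, and the reputation bookkeeping are all assumptions of the model, chosen so it runs offline.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed per-domain secrets.  IIM/DKIM use public keys published in DNS;
# a per-domain HMAC key is a stand-in so the example runs offline.
KEYS = {
    "alice.example": b"alice-key",
    "list.example": b"list-key",
    "spam.example": b"spam-key",
}
LIST = "list.example"


@dataclass
class Message:
    sender: str                           # From: address
    body: str
    # Signature chain, oldest first: (signing domain, tag, note).  The note is
    # the re-signer's record of what it received; the thread observes that no
    # proposal defines such a field, so its format here is an assumption.
    sigs: list = field(default_factory=list)


def _tag(domain, body):
    return hmac.new(KEYS[domain], body.encode(), hashlib.sha256).hexdigest()


def sign(msg, domain, note=""):
    msg.sigs.append((domain, _tag(domain, msg.body), note))
    return msg


def verify_last(msg):
    """(domain, note) of the outermost signature if it verifies, else None."""
    if not msg.sigs:
        return None
    domain, tag, note = msg.sigs[-1]
    if domain in KEYS and hmac.compare_digest(_tag(domain, msg.body), tag):
        return domain, note
    return None


def describe(inner):
    """What a re-signer says about the signature it received (assumed format)."""
    return f"prev=valid:{inner[0]}" if inner else "prev=none-or-invalid"


def make(sender, body, signer=None):
    msg = Message(sender, body)
    return sign(msg, signer) if signer else msg


# --- The three list policies from the post --------------------------------

def list_a(msg, moderator_approves):
    """List A: a live moderator reads every message before it goes out."""
    if not moderator_approves(msg):
        return None
    return sign(msg, LIST, describe(verify_last(msg)))


def list_b(msg, password="s3cret"):
    """List B: subscribers include a password, which the list strips."""
    if not msg.body.startswith(password + "\n"):
        return None
    inner = verify_last(msg)              # judged before the body is altered
    msg.body = msg.body[len(password) + 1:]
    return sign(msg, LIST, describe(inner))


def list_c(msg):
    """List C: resend anything carrying a valid signature, subscriber or not."""
    inner = verify_last(msg)
    if inner is None:
        return None
    return sign(msg, LIST, describe(inner))


# --- Recipient side --------------------------------------------------------

def attribute(msg, is_spam, reputation):
    """Charge the message to the domain whose signature validates on arrival;
    after re-signing that is the list, not the original sender."""
    outer = verify_last(msg)
    domain = outer[0] if outer else "unsigned"
    good, spam = reputation.get(domain, (0, 0))
    reputation[domain] = (good, spam + 1) if is_spam else (good + 1, spam)
    return domain


def replay_demo(copies=100):
    """Spam signed by spam.example goes through list C, is replayed `copies`
    times, and every copy lands on the list's reputation."""
    reputation = {}
    spam = list_c(make("anyone@spam.example", "buy now", "spam.example"))
    for _ in range(copies):
        attribute(spam, is_spam=True, reputation=reputation)
    return reputation
```

The `prev=valid:spam.example` note survives in the chain, so a recipient that wanted to could see where list C's re-signed spam originally came from; whether recipients should act on such a note is exactly the open question in the thread, and the example only records it.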

