If we think it's spam, it's a replay attack, if think it's
good mail it's a mailing list.
Not quite, a mailing list can resign the message if it is DKIM capable.
Sure, but now we're perilously close to saying that all mailing lists have
to upgrade or the DKIM replay detector will whack them, which strikes me
as a total non-starter. That tells me that a replay detector won't be
useful because of all the false positives.
I think that we need to look at the problem naked DKIM solves as being
an adjunct to a spam filtering mechanism that is adaptive. This is a
major culture shock for the security area since we usually try to design
systems that are complete and address every anticipated attack.
This is not what people who are in the spam control business are looking
for, they already have systems that solve 90% of spam problems and they
want to add authentication because it shuts down many of the tactics
used in the remaining 10%.
Sounds about right to me.
R's,
John