On Tue, Oct 27, 2009 at 10:21:03PM +0000, Vernon Schryver wrote:
> > From: Gary Mills <[email protected]>
> > To: Vernon Schryver <[email protected]>
> > Cc: [email protected], [email protected]
> >
> > > Reputations are not fungible or even transitive. Real reputations are
> > > individual, and that implies that each user must decide which senders
> > > (and so DKIM or other headers) are sending solicited or tolerated bulk
> > > email.
> >
> > If the sender works for a bank, for example, they are subject to the
> > bank's policies on e-mail. Employees of an organization are less
> > likely to send spam than are customers of an organization, for example.
> > Companies can fire employees, but they don't want to alienate their
> > paying customers.
>
> I fear the definition of "spam" there is not any and all unsolicited
> bulk email, but the self-serving nonsense of lawful opt-out email
> advertisers as fraud and other illegal junk but excluding lawful
> unsolicited bulk email advertising.

Yes, banks have marketing departments too. However, they also listen
when their customers complain. This can't be a big problem.

> My personal experience with
> very large banks and credit card companies is that they use exactly
> the same ESPs to send junk email I explicitly don't want as to send
> "security alerts" and similar that I probably should want.

Yes, I've seen that too. The ease of contracting out your e-mail
announcements makes it attractive. One used here even wanted our
signing key so they could make their mail look as if it came from us.

> There's
> nothing forged about junk advertising email that you've explicitly
> declined from your bank or stock broker. That makes using DKIM or
> anything else to prevent forgery ineffective.

That is actually a big step forward. Once an organization signs their
e-mail, they become accountable for it simply because it can't be
forged. If they don't respond to complaints, they can be delisted or
downgraded in a reputation database.

> Concerning the general value of DKIM:
> - Spam from Google that has DKIM signatures, like the wanted email as
>   well as the spam from my big bank and credit card company.

This is true. However, the origin of the e-mail is no longer in
question. `[email protected]' does respond to complaints. So far, we
haven't whitelisted Google by DKIM signature, although we could.

> - Should I spend the time and effort to make this mailing list DKIM
>   signed, or would my time be better spent putting DNSSEC signatures
>   on rhyolite.com and dcc-servers.net using the ISC DLV registry?
>   (I've spent the few minutes needed to sign the zones, but haven't
>   mustered the ambition to sign up at https://dlv.isc.org/ )

I assume these are unrelated actions. If you signed the mailing list,
it would make it easier for me to whitelist it.

> - Are any of the ~830 mailing lists at umanitoba.ca found with an
>   obvious search DKIM signed? What about other mail from
>   cc.umanitoba.ca? Or would your time be better spent getting
>   DNSSEC going on umanitoba.ca?

So far, we are not signing outgoing e-mail. It's easy for me to enable
it, though. Some uses of e-mail may break when I do that, but
eventually I'll have to. This points out a problem, of course.
Senders have to sign e-mail in order for recipients to check it.

[..]

> A DNS blacklist (DNSBL) is as much a reputation system as any other.
> The IP addresses in most DNSBLs are as practically unforgeable as DKIM
> signatures. The problems with DNSBLs are that they list bad guys instead
> of good guys and IP addresses are a little (but not a lot) more subject
> to change than domain names.

In a sense that is true. I'd prefer something independent of a DNSBL
so I can use both together.

-- 
-Gary Mills-    -Unix Group-    -Computer and Network Services-
_______________________________________________
DCC mailing list [email protected]
http://www.rhyolite.com/mailman/listinfo/dcc
