I asked one of our large ISP partners what they think about the idea of running multiple verification passes with slightly different data based on MLM-aware heuristics. They were particularly disinterested in the idea of verifying based on something other than exactly the content that arrived.
To cite some parts of the reply:

-- snip --

A hacker on a hosting company could add all sorts of stuff in [] and after the end of the l= field which we would happily ignore and tell the user it is a valid message from their bank. Unless we are going to put in the client some way to highlight that the text below a certain point is not necessarily true, in case their bank statement got forwarded and had information added to it, which is also somewhat of an insane idea :).

........

Any ISP/hosted domain that implements a sender signing policy that is really strict despite knowing that users use listservs, etc., is just asking for it anyway, similarly to SPF. This is another one of those things that works great for the people who aren't lying, but totally fails the "stops the bad guys" test :)

-- snip --

The "after the l=" thing also applies to the last "n" lines of text which you might omit in an attempt to verify successfully a message that was modified by a footer.

Anyway, some other data points for thought.

-MSK

_______________________________________________
dkim-milter-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/dkim-milter-discuss
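To make the "after the l=" point concrete, here is an added example (not code from the post or from dkim-milter) that computes a DKIM body hash under "simple" body canonicalization with an l= body-length limit, then shows that bytes appended past l= leave bh= unchanged and how a verifier can count them instead of silently ignoring them. The message bodies are constructed samples.

```python
import base64
import hashlib
from typing import Optional


def simple_canon_body(body: bytes) -> bytes:
    """'simple' body canonicalization (RFC 6376 3.4.3): normalize line
    endings to CRLF, strip trailing empty lines, end with exactly one CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, l: Optional[int] = None) -> str:
    """bh= value: base64(SHA-256) over the canonicalized body, truncated to
    the first l octets when the signature carries an l= tag."""
    canon = simple_canon_body(body)
    if l is not None:
        canon = canon[:l]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def verify_body(body: bytes, bh: str, l: Optional[int]) -> dict:
    """Report whether bh= matches and how many canonicalized octets lie
    beyond the signed length, i.e. content the signature says nothing about."""
    canon = simple_canon_body(body)
    signed_len = len(canon) if l is None else min(l, len(canon))
    return {"bh_ok": body_hash(body, l) == bh,
            "unsigned_bytes": len(canon) - signed_len}


# Constructed sample: the body as signed, and the same body with a
# footer appended in transit (the case the post describes).
ORIGINAL = b"Dear customer,\r\nYour statement is attached.\r\n"
APPENDED = ORIGINAL + b"\r\n--\r\nThis line was added after signing.\r\n"


def demo():
    l = len(simple_canon_body(ORIGINAL))   # signer sets l= to the full body
    bh = body_hash(ORIGINAL, l)            # bh= as placed in the signature
    return verify_body(ORIGINAL, bh, l), verify_body(APPENDED, bh, l)
```

Both results report `bh_ok` as True; only `unsigned_bytes` distinguishes the tampered copy, so a cautious verifier should surface a non-zero value (or reject when l= is shorter than the body) rather than present the whole message as signed.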
