On May 8, 2014, at 9:39 AM, John Levine <[email protected]> wrote:

>> 2.5. How can you distinguish traffic that came from a mailing list from
>> traffic that came from a spammer but disguised it to look like list traffic
>> by doing one of the things Terry just listed?
>>
>> That one point is a showstopper for me.
>
> Right. One of the axioms about mail authentication is that there is
> nothing you can say about yourself to raise your own reputation. You
> can only say two things:
>
> A. This is me.
>
> B. That isn't me.
>
> If you want you can subdivide A into the hard to forge varieties such
> as DKIM and SPF, and the easy to forge ones such as From: and List-ID:.
>
> The only way to raise the reputation of mail is from credible second
> or third parties, e.g. reputation data in local spam filters, or
> external whitelists.
>
> No matter how many times people try to go around on this, the axioms
> aren't going to change. If you have an overly broad type B
> denunciation as from DMARC, the only way to fix it is either to make
> the denunciation less broad, which seems unlikely in this case, or
> override it. We've seen Gmail doing that already, downgrading AOL and
> Yahoo's p=reject to p=quarantine in their own filters. For the rest
> of the world whose filters aren't as sophisticated as Gmail's, a
> whitelist is the only approach I can see.

Dear John,

As things are now, you are right. One of the problems caused by domains requesting restrictive acceptance practices occurs when this disrupts otherwise legitimate communications of their own users. In keeping with the Pottery Barn rule of "You broke it, you own it", those making the request should be prepared to offer necessary inputs to avoid disrupting their own users' communication and to not expect this to be handled by unfunded external reputation services as you suggest.

IANAL, nevertheless there are potential liability issues related to external reputation services recommending the bypass of restrictive acceptance practices. A marketing advantage would be afforded to domains willing to do the "right thing" by indicating to recipients via a lightweight transaction whether a specific domain should be excluded from receiving a reject or quarantine. This would also avoid potentially costly liability concerns.

Of course, those domains disrupting legitimate services offered as standard services used in conjunction with paid internet access may expose themselves to possible class-action liabilities as well. ;^)

SMTP cannot scale expecting receivers or third-party services to bear the burden of affording senders "special" protections incongruent with SMTP.

Regards,
Douglas Otis

_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
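
The receiver-side override discussed in this thread, as an added example that is not part of either message: a local whitelist exempts a forwarder only when it is identified by a hard-to-forge identifier (a verified DKIM d= or an SPF-passing envelope domain), never by List-ID:, and a local table downgrades p=reject to p=quarantine for chosen domains. All domain names, table contents and function names are constructed for illustration, and alignment is simplified to an exact domain match.

```python
from dataclasses import dataclass, field

@dataclass
class Msg:
    from_domain: str                 # From: header domain (easy to forge)
    list_id: str = ""                # List-ID: header (easy to forge)
    dkim_pass: set = field(default_factory=set)  # d= domains whose signature verified
    spf_pass: str = ""               # envelope domain that passed SPF, "" if none

# Constructed local policy data (assumptions, not from the thread).
FORWARDER_WHITELIST = {"lists.example.org"}  # matched against authenticated ids only
DOWNGRADE_REJECT = {"bigmail.example"}       # treat this domain's p=reject as quarantine

def authenticated_ids(msg):
    """Identifiers of kind 'A, hard to forge': verified DKIM d= and SPF domains."""
    ids = set(msg.dkim_pass)
    if msg.spf_pass:
        ids.add(msg.spf_pass)
    return ids

def aligned(msg):
    """DMARC pass, simplified: an authenticated id equals the From: domain."""
    return msg.from_domain in authenticated_ids(msg)

def disposition(msg, published_policy):
    """Return 'accept' (hand to normal filtering), 'quarantine' or 'reject'."""
    if aligned(msg):
        return "accept"
    # Override: the forwarder must prove "this is me"; msg.list_id is never read.
    if authenticated_ids(msg) & FORWARDER_WHITELIST:
        return "accept"
    # Local downgrade of an overly broad p=reject.
    if published_policy == "reject" and msg.from_domain in DOWNGRADE_REJECT:
        return "quarantine"
    return {"none": "accept", "quarantine": "quarantine",
            "reject": "reject"}[published_policy]

# Constructed sample messages. Both claim the same List-ID.
LIST_MAIL = Msg("bigmail.example", "discuss.lists.example.org",
                {"lists.example.org"}, "lists.example.org")
DISGUISED = Msg("bigmail.example", "discuss.lists.example.org",
                {"spammer.example"}, "spammer.example")
DISGUISED_BANK = Msg("bank.example", "discuss.lists.example.org",
                     {"spammer.example"}, "spammer.example")

if __name__ == "__main__":
    for m in (LIST_MAIL, DISGUISED, DISGUISED_BANK):
        print(m.from_domain, sorted(authenticated_ids(m)), disposition(m, "reject"))
```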
