On Wed, Apr 8, 2015 at 4:18 PM, John R Levine <[email protected]> wrote:

> Yeah, I can add a giant new MIME part of arbitrary spamminess and it'll
> DKIM verify.  Can someone explain in detail how a verifier is supposed to
> use this new hack?  Consider these two messages:
>
> a) has a one line trailer part saying
> "for more information about foo list see http://foolist.org";
>
> b) has a 50 line trailer explaining that my credit card has been cancelled
> and I need to click on this malware link immediately.
>
> Both have a valid list-whatever signature.


Aren't you going to run them through your spam filter regardless, so the
nasty stuff will get caught anyway?

Assuming the schemes in those drafts worked, both cases have a valid
list-whatever signature AND a valid author signature, AND you know the (a)
or (b) added bit is solely the responsibility of the list (and, conversely,
you also know where the original content starts and ends).  Nobody's saying
it's safe in any case, but you do know who did what, and that's more than
we know today.

-MSK
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
