In article <cabugu1ova-4w49+-6u_hycbpjv39xzh0ghhdug2d1sopwqe...@mail.gmail.com> you write:
>> > ARC lets the recipient look back and retroactively do the filtering
>> > the list didn't.
>>
>> The concern about the creator of an ARC chain spoofing the purported
>> origin of a message is valid.
>
>By "creator" do you mean "initiator" (aka, the source of the first ARC set,
>i=1)?

I think it's the other way around. Let's say you get a message with three ARC seals. For i=3 both the AMS and AS headers should validate, since the message came directly from the entity that put on that seal. For i=1 and i=2 the AS should validate but the AMS probably won't. The cv= tag in each AS header tells us whether the AMS was good when it arrived at that intermediary, so the i=1 and i=2 seals are only as good as the i=3 signer's reputation.

If I were a certain kind of bad guy, I would take the two seal ARC chain from a message from a virtuous sender, replace the message body and From and Subject line with my spam, add a fresh new i=3 seal and blast it out. That ARC chain is 100% valid, even though the message is spam.

That's why (as Kurt knows) you only pay attention to ARC seals from senders that are otherwise credible.

--
Regards,
John Levine, [email protected], Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
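
The receiver-side consequence of the message above, as an added example that is not part of the original post: a chain can pass the structural checks of RFC 8617 section 5.2 and still deserve no weight unless the newest sealer is one the receiver already trusts. The sketch assumes the AS and AMS signatures were already verified by a mail library and passed in as booleans; the ArcSet type, the function names and all domains are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class ArcSet:
    i: int          # instance number from the i= tag
    domain: str     # sealer domain from the AS d= tag
    cv: str         # cv= value recorded in the AS header
    as_ok: bool     # ARC-Seal signature verified (assumed done upstream)
    ams_ok: bool    # ARC-Message-Signature verified (assumed done upstream)

def chain_valid(sets):
    """Structural check on pre-verified results, following RFC 8617 section 5.2."""
    sets = sorted(sets, key=lambda s: s.i)
    if not sets or [s.i for s in sets] != list(range(1, len(sets) + 1)):
        return False                      # missing or duplicated instance
    for s in sets:
        expected_cv = "none" if s.i == 1 else "pass"
        if s.cv != expected_cv or not s.as_ok:
            return False
    # Only the newest AMS has to cover the message as it was received.
    return sets[-1].ams_ok

def arc_decision(sets, trusted_sealers):
    """Return 'fail', 'valid-untrusted' or 'valid-trusted'."""
    if not chain_valid(sets):
        return "fail"
    newest = max(sets, key=lambda s: s.i)
    # A valid chain only means the newest sealer vouches for the older sets.
    if newest.domain not in trusted_sealers:
        return "valid-untrusted"
    return "valid-trusted"

# Constructed sample data: example domains, not taken from the thread.
TRUSTED = {"lists.example.org"}
ORIGINAL = [
    ArcSet(1, "sender.example", "none", True, False),
    ArcSet(2, "forwarder.example", "pass", True, False),
    ArcSet(3, "lists.example.org", "pass", True, True),
]
# Same first two sets, re-sealed at i=3 by an unknown domain over a new body.
RESEALED = ORIGINAL[:2] + [ArcSet(3, "bulk.example.net", "pass", True, True)]

if __name__ == "__main__":
    print(arc_decision(ORIGINAL, TRUSTED))
    print(arc_decision(RESEALED, TRUSTED))
```

Both sample chains pass chain_valid; only the trust list on the newest sealer separates them.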
