In <[EMAIL PROTECTED]> Steve Atkins <[EMAIL PROTECTED]> writes:
> On Jul 27, 2006, at 12:08 PM, wayne wrote:
>
>> In <[EMAIL PROTECTED]> Paul Hoffman
>> <[EMAIL PROTECTED]> writes:
>>
>>> "I sign some mail" doesn't tell the recipient anything useful.
>>>
>>> What am I missing?
>>
>> It says that you should look at email without a signature as being
>> "acceptable", unlike an "I sign all mail" which without a signature is
>> quite questionable.
>
> How does that differ from a sender that doesn't have the
> "I sign some mail" flag set?

heh. I knew as soon as I posted my too-short email that I would get a reply like this. I was in the process of composing a reply to myself when yours came in.

Yes, signatures will be broken in transit and it will be a long time before people can very safely reject email based on not having a valid signature, even if you have an "I sign everything" policy. This is why I said that it is only "questionable", not "rejectable". However, an "I sign everything" policy still gives a lot of important clues.

First, a lot of spam and email worms will not have any signature, just because it takes more work to do. Email that gets broken in transit will still have a valid selector and such, and that selector is going to vary quite a bit between domains. It isn't trivial to just throw a signature into your spam/worm that appears to have been broken in transit.

Secondly, there is going to be a fair amount of consistency about which MTAs will send you email with broken signatures and which won't. You can develop a list of mailing lists and such that are known to break signatures, and you can combine that with existing lists of known spam sources. Combining the two, you can determine which email is likely legitimate and which is likely spam and put that into your spam scoring system. As time goes on and more people clean up their email and stop breaking things in transit, this technique is going to become easier and more reliable.
Lastly, there are some domains that can implement an "I sign everything" policy much more easily than others. A bank might well be able to say that *no one* should send email through any sources other than their approved MTAs. You can't use your ISP if you are working at home, you can't use webmail. It is a firable offense. Other domains simply cannot force such policies on their users any time in the foreseeable future; ISPs and webmail providers spring to mind.

I think there are also going to be some domains that only sign, and thus risk their reputation on, some email, but not all of it. You can, say, sign all transactional email, but not sign stuff from the marketing department. Or, an ISP could only sign email that gets a good grade on their outgoing spam filter system.

So, I do think that some value can be extracted from the distinction between an "I sign everything" policy and an "I sign some email" policy.

-wayne

_______________________________________________
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
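The scoring idea wayne sketches (a sign-all policy makes a missing signature questionable, a broken signature is plausible only if it names a selector the domain really uses and arrived via a relay known to break signatures) as an added worked example; this is not code from the thread or from any DKIM implementation, and the published policies, selector sets, relay list and the `sig_verifies` flag (result of an external signature check) are all constructed assumptions.

```python
from enum import Enum

class Policy(Enum):
    """Sender-published signing practice, as discussed in the thread."""
    SIGN_ALL = "all"    # "I sign everything"
    SIGN_SOME = "some"  # "I sign some mail"
    NONE = "none"       # no published policy

# Assumed: policy and the set of DKIM selectors each domain actually uses.
PUBLISHED = {
    "bank.example": (Policy.SIGN_ALL, {"txn2006"}),
    "isp.example": (Policy.SIGN_SOME, {"filtered"}),
}
# Assumed: locally maintained list of relays (mailing lists etc.) known to
# break signatures in transit.
BREAKING_RELAYS = {"lists.example.net"}

def parse_dkim_tags(header):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags

def score(from_domain, dkim_header, sig_verifies, last_relay):
    """Return (verdict, spam_points) for one message.

    Missing signature: questionable only under a sign-all policy, otherwise
    acceptable (the sign-some case from the thread). Broken signature: treated
    as transit damage only when the selector is one the domain really uses
    AND the last relay is a known signature-breaker; otherwise suspect.
    """
    policy, selectors = PUBLISHED.get(from_domain, (Policy.NONE, set()))
    if dkim_header is None:
        if policy is Policy.SIGN_ALL:
            return "questionable", 3.0
        return "acceptable", 0.0
    tags = parse_dkim_tags(dkim_header)
    if sig_verifies and tags.get("d") == from_domain:
        return "signed", -1.0
    if tags.get("s") in selectors and last_relay in BREAKING_RELAYS:
        return "likely-broken-in-transit", 0.5
    return "suspect", 2.0
```

The points are placeholders for whatever weight a local spam scoring system assigns; the verdicts are what the thread's argument actually distinguishes.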
