On Sep 12, 2006, at 11:26 AM, Hector Santos wrote:
> Hector wrote:
> That's fine by me Wietse, but keep in mind that you are mistaken by
> continuing to use a magic wand to change an apple into an orange,
> by using reputation as part of the total solution when in fact
> it is supposed to be out of scope in this WG.
Hector,
You have completely missed what was being said. Where do you even
see the word reputation?
> Semantics. Any predefined Trusted List concept, black or white, as
> Wietse mentioned above, is a "reputation" concept.
No they are not. I may verify the identity of foobar.com when I see
them return a pass-phrase entered onto their web page, but that does
not mean this provides any clue regarding their reputation. If I
decide to enter their name into my address-book for example, that
will allow me to know when someone in my address-book has sent me a
message. Whether they are a spammer and should be blocked is a
completely separate decision made elsewhere for a completely
different purpose.
> It means you KNOW something about them, as opposed to when you would
> not, nearly 80% of the time, which is where most of the internet email
> problems lie: with abusive, malicious, anonymous (unknown) senders.
Stop thinking DKIM + Policy allows spam to be blocked. You really
need to drop that concept.
The goal is to prevent spoofing (and not just exact name spoofing),
which is clearly a component of the charter. Spoofing is also nearly
100% of the time dependent upon existing relationships. Surely you
have noticed this aspect of phishing? Often a phish will warn of a
need to update your account, or that your account has been blocked, etc.
Wietse's concept would permit detecting all these possible spoofs
without reliance upon reputation. Only those that might receive an
annotation would require any additional processing.
A retained email-address found in the address-book is not reputation.
Think of this as being a known identity. And yes, this identity will
not apply to 80% of the messages being sent. That is exactly why this
approach works! Only those identities that are known (reputations be
damned) receive an annotation.
You on the other hand want to block only exact name spoofing if:
- The From email-address domain wishes to endure the loss of common
services.
- The verifying domain decides to grope for policy.
This hunting or groping process is required for nearly every email as
well, and not just those that are not signed, and may even be required
for those that are signed, such as those from mailing-lists. Whether
the email-address is known or not known, every From email-address
domain must be searched and the signature verified. : (
The alternative provides complete protection using highly selective
processing. : )
-Doug
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html