--On 23 October 2009 10:29:17 -0400 "John R. Levine" <[email protected]> wrote:

>>> If, as I suspect, bad guys spoofing their way onto lists past admins
>>> unwilling to do inbound filtering is not an actual problem, perhaps we
>>> could agree not to waste time inventing mechanisms to solve it?
>>
>> I don't think that's what people have been worried about. I think
>> they've been worried about spammers adding list headers to messages, in
>> order to remove the ADSP protection. There's also the possibility of
>> spammers subscribing to lists. Still, a well managed list should have a
>> good reputation, and I don't see much list abuse.
>
> This strikes me as an even more arcane and implausible threat. Since
> spammers don't add fake list headers to evade filtering now, why would
> they start now?

Well, they won't do it yet. They may start to do it if it becomes hard to 
deliver email otherwise. With future widespread MSA, DKIM, ADSP and SPF, I 
think it's theoretically possible that all mail could be checked for 
authorisation some day. Therefore, spammers will need to look for ways to 
sponge off domains with good reputations (newly registered domains won't 
have good reputations). Forging list-id headers might be a way to do it.

> Wouldn't the correct response be for lists to sign their mail to help
> recipients recognize real list mail?  That has the advantage of requiring
> no changes to any IETF document.
Absolutely.

>> I agree that we don't need additional mechanisms, but think we do need
>> better clarity on the distinction between dkim=all and dkim=discardable.
>
> Since ADSP is useless to the 99.99% of domains that are not phish targets
> like Paypal (and probably useless even there), that would be an extremely
> poor use of limited resources.  It would be much more useful to help
> people who write and use list software get the lists to sign their mail
> so you can whitelist real list mail from lists you know.

All sites with good email sender reputation are phish targets these days. 
We're seeing spear phishing attempts several times per week nowadays. 
Success generally results in web mail accounts being used to send 419 
scams, or further phishing. Phishers value our accounts enough that they'll 
enter an exchange of emails with a user in order to convince the user to 
give up a password.

I'm not sure that I can see a business case for anyone else to use our 
addresses in From: headers. Certainly not without prior arrangement, and 
DKIM delegation can allow that. So, I can see value in ADSP for our site.

Anyway, the point of clarifying the distinction is to prevent people making 
the mistake that you seem to be expecting them to make.

> R's,
> John
-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
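Worked example, added here and not taken from the thread or from any list software it mentions: a receiver-side check in Python that grants the "list mail" treatment only when the List-Id identifier is covered by a verified DKIM signature from the list's own domain, the defence John proposes against the forged-List-Id concern above. It assumes the set of cryptographically verified d= domains is supplied by an external DKIM verifier, and the two sample messages are constructed.

```python
import re
from email import message_from_string

def dkim_signing_domains(msg):
    """Collect the d= tag of every DKIM-Signature header on the message."""
    domains = set()
    for sig in msg.get_all("DKIM-Signature", []):
        for tag in sig.split(";"):
            name, _, value = tag.partition("=")
            if name.strip().lower() == "d":
                domains.add(value.strip().lower())
    return domains

def list_id_identifier(msg):
    """Return the identifier inside <...> of the List-Id header, or None."""
    value = msg.get("List-Id")
    if value is None:
        return None
    match = re.search(r"<([^>]+)>", value)
    return (match.group(1) if match else value).strip().lower()

def aligned(list_id, signer):
    """True when the List-Id identifier is the signer's domain or lies under it."""
    return list_id == signer or list_id.endswith("." + signer)

def classify(raw_message, verified_signers):
    """Decide whether a message may be treated as genuine list mail.
    verified_signers: d= domains already verified by an external DKIM library
    (assumption: the signature/DNS check itself happens elsewhere)."""
    msg = message_from_string(raw_message)
    list_id = list_id_identifier(msg)
    if list_id is None:
        return "direct"            # no list header: apply ADSP to From: as usual
    signers = dkim_signing_domains(msg) & {s.lower() for s in verified_signers}
    if any(aligned(list_id, s) for s in signers):
        return "list-mail"         # the list itself signed it: whitelisting is safe
    return "unverified-list"       # List-Id not backed by the list's signature: no exemption

# Constructed samples (not real messages). Both carry the same List-Id, but only
# the first is signed by the list's own domain.
GENUINE = ("From: user@example.net\nList-Id: Talk <dkim-talk.lists.example.org>\n"
           "DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.org; s=sel; bh=x; b=y\n\nbody\n")
SPOOFED = ("From: user@example.net\nList-Id: Talk <dkim-talk.lists.example.org>\n"
           "DKIM-Signature: v=1; a=rsa-sha256; d=throwaway.example; s=sel; bh=x; b=y\n\nbody\n")

if __name__ == "__main__":
    print(classify(GENUINE, {"lists.example.org"}))   # list-mail
    print(classify(SPOOFED, {"throwaway.example"}))   # unverified-list
```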
