On Apr 23, 2010, at 9:41 AM, John Levine wrote:

> There's no new semantics, deep or otherwise. Yahoo is treating the
> signature as an assertion of responsibility -- it has my signature,
> the recipient complained about it, they have reason to think I'm not
> evil, so they sent me the complaint. All that is fine, but the
> problem is that for list mail, I'm not the one who can do anything
> about it.

In this particular case, for you, that's true. It's not true in general.

> Mike asked how one could tell whether this was a complaint about all
> mail from the list, or just mail from me. I have my suspicions, but
> I have no way to tell. The only party who can is the human or
> mechanical list manager who can look at the pattern of complaints and
> figure out the person is complaining about all the mail from the list,
> in which case they should unsub him, or he's just complaining about
> mail from me, in which case they might want to kick me off the list
> if they agree with the complaints.
>
> If a list adds its own signature and leaves the contributor's, now
> it's up to heuristics by the recipient to guess what to do.

The recipient can use heuristics, if that works for them, but it's not the only option.

> For list
> mail, the correct guess is to treat the list as responsible.

Often. Maybe even usually. But not in all cases. As one theoretical example, if I compromise a webmail provider and use accounts there to sign up for yahoo groups mailing lists, then send spam to them, then the webmail provider is going to want to know about it. Or if I get a b-tard infestation trolling mailing lists I'll want to know about it.

> Wouldn't
> it be a better idea to avoid the guessing?

Yes, by notifying all the responsible parties who have set up a DKIM-based FBL and who have valid DKIM signatures on the message.

Part of the overhead of handling an FBL is to decide which reports to pay attention to and which aren't. In your case you'd (probably) want to ignore any reports about mail sent from your legitimate users via mailing lists, via some heuristic that works for you. But you're the only one who can make that decision, so you can't push that decision off on to Yahoo or mailing list providers in general. I don't want them to make the decision to not send reports to responsible parties who do want the reports and can handle them.

It's not too hard for anyone handling inbound FBL streams to categorize them mechanically, and automate their policies to ignore reports they believe are irrelevant, so the overhead for this sort of FBL report is low. If the mailing list manager strips signatures, they lose a source of data and don't get to make that decision.

(As for reputation - a big part of reputation is the content that is sent. If a particular list subscriber consistently sends mail that other list subscribers complain about then it's not unreasonable that that may damage the reputation of that particular list subscriber as well as that of the list.)

Cheers,
Steve

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
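
The mechanical categorization of inbound FBL reports mentioned in the message above can be sketched as follows. This is an added example, not part of the original thread: it reads the `d=` tags of the DKIM-Signature headers in the reported message and separates direct mail from mail relayed through a list. `OUR_DOMAIN`, the category names and the sample report are assumptions constructed for illustration, and the signatures are assumed to have been verified already by whoever sent the report.

```python
import email
from email import policy

OUR_DOMAIN = "example.org"  # assumption: the d= domain this receiver signs with
# Constructed, minimal ARF-style report; every address and domain is made up.
SAMPLE_REPORT = """\
From: fbl@isp.example
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
--b1
Content-Type: message/rfc822

From: user@example.org
List-Id: <discuss.lists.example.net>
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.net; s=l1; h=from; bh=x; b=y
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=s1; h=from; bh=x; b=y
Subject: hello

body
--b1--
"""

def signing_domains(msg):
    """Return the set of d= domains from every DKIM-Signature header."""
    domains = set()
    for header in msg.get_all("DKIM-Signature", []):
        for tag in str(header).split(";"):
            name, _, value = tag.strip().partition("=")
            if name.strip() == "d":
                domains.add(value.strip().lower())
    return domains

def categorize(raw_report, our_domain=OUR_DOMAIN):
    """Classify a report as direct, via-list, not-ours or unparseable."""
    report = email.message_from_string(raw_report, policy=policy.default)
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            orig = part.get_payload(0)  # the reported message itself
            break
    else:
        return "unparseable"
    if our_domain not in signing_domains(orig):
        return "not-ours"  # signatures are not re-verified here
    return "via-list" if orig["List-Id"] else "direct"
```

A receiver's policy can then act per category, for example counting `via-list` reports per subscriber rather than treating each one as a complaint about the signer's own mail stream.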
