This isn't really a reply. It's a comment that Steve's note was sent a week ago and I'm frankly impressed that it has received no replies, since it contains the most salient observations about the current "problem" being discussed I've seen.
I've included all of its body in this posting, in the hope that folks will read it again more carefully.

d/

On 4/23/2010 10:06 AM, Steve Atkins wrote:
>
> On Apr 23, 2010, at 9:41 AM, John Levine wrote:
>
>> There's no new semantics, deep or otherwise. Yahoo is treating the
>> signature as an assertion of responsibility -- it has my signature,
>> the recipient complained about it, they have reason to think I'm not
>> evil, so they sent me the complaint. All that is fine, but the
>> problem is that for list mail, I'm not the one who can do anything
>> about it.
>
> In this particular case, for you, that's true. It's not true in general.
>
>> Mike asked how one could tell whether this was a complaint about all
>> mail from the list, or just mail from me. I have my suspicions, but
>> I have no way to tell. The only party who can is the human or
>> mechanical list manager who can look at the pattern of complaints and
>> figure out the person is complaining about all the mail from the list,
>> in which case they should unsub him, or he's just complaining about
>> mail from me, in which case they might want to kick me off the list
>> if they agree with the complaints.
>>
>> If a list adds its own signature and leaves the contributor's, now
>> it's up to heuristics by the recipient to guess what to do.
>
> The recipient can use heuristics, if that works for them, but
> it's not the only option.
>
>> For list
>> mail, the correct guess is to treat the list as responsible.
>
> Often. Maybe even usually. But not in all cases.
>
> As one theoretical example, if I compromise a webmail
> provider and use accounts there to sign up for yahoo groups
> mailing lists, then send spam to them, then the webmail
> provider is going to want to know about it.
>
> Or if I get a b-tard infestation trolling mailing lists I'll want
> to know about it.
>
>> Wouldn't
>> it be a better idea to avoid the guessing?
>
> Yes, by notifying all the responsible parties who have set up a
> DKIM based FBL and who have valid DKIM signatures on the
> message.
>
> Part of the overhead of handling an FBL is to decide which
> reports to pay attention and which aren't. In your case you'd
> (probably) want to ignore any reports about mail sent from
> your legitimate users via mailing lists, via some heuristic that
> works for you.
>
> But you're the only one who can make that decision, so you
> can't push that decision off on to Yahoo or mailing list providers
> in general. I don't want them to make the decision to not
> send reports to responsible parties who do want the reports
> and can handle them.
>
> It's not too hard for anyone handling inbound FBL streams
> to categorize them mechanically, and automate their policies
> to ignore reports they believe are irrelevant, so the overhead
> for this sort of FBL report is low. If the mailing list manager strips
> signatures, they lose a source of data and don't get to make
> that decision.
>
> (As for reputation - a big part of reputation is the content that
> is sent. If a particular list subscriber consistently sends mail
> that other list subscribers complain about then it's not
> unreasonable that that may damage the reputation of that
> particular list subscriber as well as that of the list.)
>
> Cheers,
> Steve
>
>
> _______________________________________________
> NOTE WELL: This list operates according to
> http://mipassoc.org/dkim/ietf-list-rules.html
>

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
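
The mechanical categorization of inbound FBL reports that the quoted message describes could look like the sketch below. It is an added example, not code from anyone in this thread. It assumes the FBL provider has already validated the signatures (nothing is verified here), and the domains, bucket names and sample messages are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed samples: two complained-about messages as they might appear in
# the message/rfc822 part of an FBL report. Every value is made up.
VIA_LIST = """\
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.org; s=list;
 h=from:subject:list-id; bh=AAAA; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; d=author.example; s=mail;
 h=from:subject; bh=CCCC; b=DDDD
List-Id: <discuss.lists.example.org>
From: user@author.example
Subject: Re: thread

body
"""
DIRECT = """\
DKIM-Signature: v=1; a=rsa-sha256; d=author.example; s=mail;
 h=from:subject; bh=CCCC; b=DDDD
From: user@author.example
Subject: hello

body
"""

# Matches the d= tag only (not bh=, h= and so on) in a DKIM-Signature value.
D_TAG = re.compile(r"(?:^|;)\s*d\s*=\s*([^;\s]+)")

def signing_domains(msg):
    """Return the d= domain of every DKIM-Signature header, lowercased."""
    found = (D_TAG.search(v) for v in msg.get_all("DKIM-Signature", []))
    return [m.group(1).lower() for m in found if m]

def classify(raw_message, our_domain):
    """Bucket one reported message from the point of view of our_domain."""
    msg = message_from_string(raw_message)
    signers = signing_domains(msg)
    if our_domain.lower() not in signers:
        return "not-ours"    # report reached us without our signature
    others = [d for d in signers if d != our_domain.lower()]
    if msg.get("List-Id") and others:
        return "via-list"    # a list re-signed it; our local policy decides
    return "direct"          # we are the only signer

def summarize(reports, our_domain):
    """Count buckets across a report stream so policy applies per bucket."""
    return Counter(classify(r, our_domain) for r in reports)
```

What to do with each bucket stays with the party receiving the reports: a contributor's domain might discard "via-list" reports, while a webmail provider watching for compromised accounts might alert when that count spikes.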
