On 5/10/10 4:50 PM, John R. Levine wrote: >>> No, all it says is "we signed this mail." A signer with a good >>> reputation will presumably rarely sign mail where the From: address >>> actively misidentifies the sender, but that's a second order effect. >>> >> Right, and because the domain owner has signed the email, they can be held >> responsible for abuse. At least, to a greater extent than when the mail >> hasn't touched any system that they have any control over. >> > It is certainly reasonable to say that the signer has a good reputation, > so we will accept his mail. But that's different from saying that the > signer has a good reputation, so the From: address must be "real". > Agreed.
For those looking for some hybrid scheme, it should be noted SPF does not authenticate originating domains. Domain reputation based upon SPF authorization is prone to exploitation, since many domains share common servers. Ambiguities caused by shared IP address authorization makes it impractical to respond effectively by name. In addition, Authentication-Results headers fail to capture the IP addresses of servers publicly issuing messages (over port 25) which also impairs IP address reputation checks of transactions handled by third-parties, such as mailing-lists. >>> Once again, this sounds like a solution searching for a problem. I've >>> done the occasional bozofiltering in mailing lists, but because the >>> people were bozos, not spammers. >>> >> The problem is reputation assignment. Different recipients (of mail from the >> same list) will have different views of the sender's reputation. >> >> But, the problem is real, and recognised. Mailing lists break signatures. >> > It is certainly a fact that mailing lists break signatures. But there are > differences of opinion whether it's a problem. Although I've seen plenty > of assertions that it's a problem, we're a bit thin with real life as > opposed to hypothetical scenarios where the broken signature leads to bad > results. > > The only one I've seen so far is the ADSP+list -> lost or rejected mail. > I would say that is misuse of ADSP, not a list problem, since we were > quite aware of it and in Appendix B of RFC 5617 we say not to do that. > The intended use of restrictive ADSP is to allow domains a means to limit acceptance of potentially misleading messages. When is it okay for a trusted entity to permit acceptance of potentially misleading messages, and wouldn't use of additional domains lead to recipient confusion and invite more abuse? Email reputation checks seldom reflect whether some From email addresses might be misused. Use of DKIM in conjunction with a domain specific third-party authorization mechanism provides domains an effective means to better protect their recipients. Lacking a domain specific third-party authorization scheme makes ADSP unsuitable for most domains. Abuse is not limited to just transactional messages. Being limited to transactional messages affords too little coverage to foster broad adoption. -Doug _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
