Douglas Otis wrote:

> On 9/2/10 4:26 PM, J.D. Falk wrote:
>> Some of us have a pretty good idea. The people who design
>> reputation systems don't do so in a vacuum; they're constantly
>> reacting to spammers' latest tricks. If massive unauthorized
>> replaying of unmodified DKIM-signed messages ever becomes a real
>> issue, they'll adjust accordingly.
>
> Were DKIM domains to become a primary basis for message acceptance, then
> replayed messages will become a real issue. The question is "Then what
> strategy is needed next without expecting the world to change how
> applications handle email." One answer might be TPA-Labels applied at
> the transport level during message exchange. :^)

This might be related. Let me use my BellSouth, now AT&T service provider, cell phone accounts as an example.

Over the years, they tried to move customers over to electronic billing or statements. (Note: My first company, OptiSoft, developed and sold turnkey ODSAR (Optical Document Scanning and Retrieval) systems, so I know a little about the logistics, cost savings, etc. for the "paperless" market place.) Anyway, I continue to refuse to sign up and be associated with any online or email based billing/statement for security reasons. But eventually, I guess because people were not signing up on their own (OPT IN), they began to send the billing statement via email anyway with marketing URL hooks to "turn it on". I have continued to ignore it, but I occasionally check the headers to see what they are using.

I was expecting them to be more proactive with DKIM (or DomainKeys), but at first I didn't see it. I asked Tony Hansen about it. He indicated they will support POLICY once adopted but did not say much beyond that. But I recall a few times when it did have DKEY or DKIM, don't recall which.

Now I just got my new statement and there is no DKIM/DKEY, but it has one of those X-YMailISG header lines. I know AT&T began to outsource their U-VERSE and perhaps entire email users to YAHOO. But it always makes me wonder why they did not use at the very least a 1st party signature. That alone would have given me more "trust" in these electronic statements. Now there is no trust whatsoever, as anyone can spoof YAHOO and that X-YMailISG header.

It seems to me they are relying on users using the online interface, where this would be more trustworthy, and view offline copies (via POP3 pickups) to be less trustworthy in their eyes, I guess. It seems what they did was promote replay spoofs. So why not use a 1st party signature? If AT&T is my cell provider, and they are sending billing statements with URL hooks to join 'Something' and other stuff, they should be more concerned about what 3rd party clearing house (YAHOO has a long-time PR problem as a source for spam) they use and understand not all users are online.

--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
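The 1st party signature point above, as an added example that is not part of the original thread: it classifies a message by whether any DKIM-Signature d= domain aligns with the From: domain, and records that an X-YMailISG header by itself says nothing about origin. The domain names and header values are constructed, and the cryptographic verification step (DNS key lookup and signature check) is assumed to be done by a separate DKIM verifier.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real AT&T or Yahoo mail). The first carries
# only an X-YMailISG header, which any sender can add; the others carry a
# DKIM-Signature whose d= tag either matches the From: domain or does not.
YMAILISG_ONLY = """From: billing@carrier.test
To: customer@example.test
X-YMailISG: AbCdEf0123456789
Subject: Your statement is ready

Statement body.
"""

FIRST_PARTY = """DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=carrier.test;
 s=sel1; h=from:to:subject; bh=Zm9v; b=YmFy
From: billing@carrier.test
To: customer@example.test
Subject: Your statement is ready

Statement body.
"""

# Same message, but signed by a mail host rather than the From: domain.
THIRD_PARTY = FIRST_PARTY.replace("d=carrier.test", "d=mailhost.test")


def dkim_tags(value):
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in " ".join(value.split()).split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = val.strip()
    return tags


def classify(raw):
    """Report whether a message is first-party signed, third-party signed or unsigned.
    Only From:/d= alignment is checked here; signature verification is assumed
    to happen in a separate DKIM verifier."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    signers = [dkim_tags(str(v)).get("d", "").lower()
               for v in msg.get_all("DKIM-Signature", [])]
    if not signers:
        verdict = "unsigned"
    elif any(d == from_domain or from_domain.endswith("." + d) for d in signers):
        verdict = "first-party"
    else:
        verdict = "third-party"
    # X-YMailISG is an unsigned trace header: its presence proves nothing.
    return {"from_domain": from_domain, "signers": signers,
            "verdict": verdict, "has_ymailisg": "X-YMailISG" in msg}
```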
