On 9/19/10 7:46 PM, Michael Deutschmann wrote: > On Sun, 19 Sep 2010, Douglas Otis wrote: >> One should not authorize any service that redistributes messages without >> first verifying recipient subscriptions. [...] >> Spammers would "subscribe" their victims to a mailing-list, and then >> submit their messages and have it redistributed by the mailing-list. > But if the recipient site happens to have the information it would need > anyway to publish TPA on it's own, they can filter out such attempts > easily. While they would be agnostic as to whether the putative sender > really subscribed to the list, they would know that the *recipient* isn't > subscribed and thus the message is bogus. It seems this is making two assumptions that are likely incorrect:
1) receiving domains know which mailing-lists their users have subscribed. 2) receiving domains reliably recognize mailing-list messages. A sender benefits directly when accurate third-party information is available to receivers that help in preventing their Author-Domain being spoofed. There is simply nothing that would suggest receivers are able to divine which third-party sources might have been legitimately used, and which can be trusted with respect to Author-Domain spoofing. > And they can do such filtering even if the putative sender publishes no > ADSP at all. However, if ADSP is absent or "dkim=unknown", this > protection isn't worth much, since forgeries that make no pretension to be > list traffic must be presumed innocent. Agreed. This also needs to include non-participating list-traffic as well. There will not be a flag day anytime soon where all mailing-lists will always act in accordance with some new convention. > And remember, many big sites will never compile the information needed to > display a complete TPA policy. Without accomodation (ie: except-mlist), > "dkim=unknown" is all they can safely publish. Disagree. While there are many domains offering third-party email services, this still represents a finite dataset. In contrast, the domains used by bad actors represent an infinite dataset. In addition, the TPA-Label scheme allows signatures of "big sites" that lack ADSP assertions to protect a different Author-Domain. This protection requires control of the email-address be confirmed by the submitter. The TPA-Label scheme can represent concerted community efforts, organizations that specialize in providing third-party information, or information captured from user notification given to their submission administration. -Doug _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
