On 5 Apr 2011, John Levine wrote:
(> > = me)
> >We'd like to be able to deploy DKIM, coupled with some ADSP-like protocol
> >(The real ADSP is hopelessly inadequate) in order to block all forgeries at
> >the MX. *All* forgeries, not just phish.
>
> Well, as we've established long past the point of boredom, you can't.
> And it's not just mailing lists. Don't forget all the mail that bots
> can send with real stolen credentials,

Small semantics issue here.

You are using a vertical "all" (eg: "With this ADSP-alike, it will be beyond impossible for a @paypal.com mail to get through that is not sanctioned by PayPal's legitimate officers.").

But I meant a horizontal "all" (eg: "With this other ADSP-alike, @paypal.com forgeries are reasonably expected not to get through, and neither are @gmail.com forgeries or @iecc.com forgeries.").

By stating "all", I was distancing myself from those here who consider it Not A Problem that Gmail is never going to deploy "dkim=discardable", since Gmail is "not a phishing target".

> and mail to a friend, blah
> blah. (This is not an invitation to reargue those points.)

There is a difference in kind between mailing lists and all other "friendly forgery" cases such as F2F.

Providers of F2F will likely give up and use original From: addresses before end-users give up and (force their BOFH to) undeploy ADSP.

But the mailing list problem for ADSP is even bigger than SPF's forwarding bugaboo -- it utterly scares off meaningful senderside deployment.

---- Michael Deutschmann <[email protected]>
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
