--On 8 October 2009 00:21:08 +1100 Daniel Black <dan...@cacert.org> wrote:
we know the message came from a mailing list,
this actually is the hard bit. Options for the recipient verifier are:
1. has a List-ID (or other signature) - must be a mailist. This allows
email spoofers just to add List-ID tags or a simple email characteristic
to bypass checking.
2. manage a whitelist of maillists that have subscribers in the domain,
that can't be easily spoofed. Pretty easy for small domains but many
thousand user bases requires more admin time or run the risk of a user
whitelisting a spoofer IP address.
3. originator specified third party signatures - discussion (re)-starting
on IETF WG list on this. Bit labour intensive on the sender part.
(http://mipassoc.org/pipermail/ietf-dkim/2009q4/thread.html)
Well, my reputation assessment scheme says you should check the DKIM
signature added by the list's domain, if there is one. You only trust the
list if you have reason to.
--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
_______________________________________________
Mailman-Developers mailing list
Mailman-Developers@python.org
http://mail.python.org/mailman/listinfo/mailman-developers
Mailman FAQ: http://wiki.list.org/x/AgA3
Searchable Archives:
http://www.mail-archive.com/mailman-developers%40python.org/
Unsubscribe:
http://mail.python.org/mailman/options/mailman-developers/archive%40jab.org
Security Policy: http://wiki.list.org/x/QIA9
