Michael Thomas writes:
> I'm afraid that there's not much consensus on how to deal with the
> mailing list issue; the people who say "resign" are guessing as there
> is little/no evidence that resigning is actually a viable strategy.
From the point of view of the mailing lists, resigning is *
On Feb 7, 2007, at 1:39 AM, Stephen J. Turnbull wrote:
> Certainly. What we really want is policy agents that are smart enough
> to say to the user
>
> This message has a signature which verified successfully and one
> which failed. According to
On Feb 7, 2007, at 4:31 AM, Stephen J. Turnbull wrote:
>> Let me float this though: how about a "signature friendly" knob that
>> configures the list to not do things that are known to be harmful to
>> signatures (including s/mime and pgp for that mat
Bob Puff wrote:
> I confess not having read up on Domain Keys.. I did get into SPF a little, but
> understand its flaws as well.
>
> If a bad DK isn't bad, then how is this supposed to help spam? I mean, if the
> mere presence of some signature in the headers will increase the likelihood of
> an e
> What should MM2.1 do now? Here's a proposal for 2.1.10: Add an
> mm_cfg.py variable that controls whether DKIM headers are stripped
> or not.
+1, with it defaulting to strip the DKIM.
Bob
Joe Peterson wrote:
> With DKIM, according to my understanding, you are supposed to treat a
> "bad" sig the same way you'd treat "no" sig. So it would neither help
> nor hurt to have a bad signature; it would be like having none (or a
> missing sig).
>
> Personally, I think DKIM would be a whole l
Barry Warsaw writes:
> Part of me agrees that this is what you'd like to see, but my gut
> tells me that this will never work in practice. First, no one but an
> email geek will even understand the question, let alone know how to
> answer it,
Agreed. It's a stalking horse for the BCP;
On Feb 7, 2007, at 11:40 AM, Stephen J. Turnbull wrote:
> Barry Warsaw writes:
>
>> Part of me agrees that this is what you'd like to see, but my gut
>> tells me that this will never work in practice. First, no one but an
>> email geek will even unde
Barry Warsaw writes:
> What should MM2.1 do now? Here's a proposal for 2.1.10: Add an
> mm_cfg.py variable that controls whether DKIM headers are stripped or
> not. I think Mark suggested that this should be a site-wide
> variable, and I tend to agree.
I've expressed my reservations r
Stephen J. Turnbull wrote:
> Michael Thomas writes:
>
> > I'm afraid that there's not much consensus on how to deal with the
> > mailing list issue; the people who say "resign" are guessing as there
> > is little/no evidence that resigning is actually a viable strategy.
>
> From the point of vie
On Feb 7, 2007, at 11:49 AM, Stephen J. Turnbull wrote:
> Barry Warsaw writes:
>
>> What should MM2.1 do now? Here's a proposal for 2.1.10: Add an
>> mm_cfg.py variable that controls whether DKIM headers are stripped or
>> not. I think Mark suggeste
Barry Warsaw wrote:
> What should MM2.1 do now? Here's a proposal for 2.1.10: Add an
> mm_cfg.py variable that controls whether DKIM headers are stripped or
> not. I think Mark suggested that this should be a site-wide
> variable, and I tend to agree. The reasoning being that all the
> o
On Feb 7, 2007, at 11:45 AM, Michael Thomas wrote:
> I'm not saying I think that resigning is a Bad Thing, I'm saying
> that it's
> speculative whether it's a Good Thing. You seem to keep ignoring the
> inherent attack involved with resigning:
>
> F
BTW, synchronicity is a weird thing. A friend of mine -- totally
unaware of the current discussions -- just sent this to me:
http://it.slashdot.org/comments.pl?sid=218726&cid=17752748
LOL.
-Barry
Joe Peterson wrote:
> Michael Thomas wrote:
>
> 2) The outgoing MTA (sendmail) milter seemed to only want to sign emails
> that did *not* already have a signature. Therefore, Mailman enabled
> them to re-sign by removing the old (presumably invalid anyway)
> signature. At least this way *some*
Barry Warsaw wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> On Feb 7, 2007, at 11:45 AM, Michael Thomas wrote:
>
>> I'm not saying I think that resigning is a Bad Thing, I'm saying that
>> it's
>> speculative whether it's a Good Thing. You seem to keep ignoring the
>> inherent attack
On Feb 7, 2007, at 5:06 PM, Michael Thomas wrote:
>>> I'm not saying I think that resigning is a Bad Thing, I'm saying
>>> that it's
>>> speculative whether it's a Good Thing. You seem to keep ignoring the
>>> inherent attack involved with resigning
Michael Thomas wrote:
>Barry Warsaw wrote:
>>
>> The reason From-forging may not be an effective strategy for the
>> spambot though is because part of the point is to spoof the From
>> header so that it looks like the spam is coming from someone you
>> know. OTOH, how many people would smell s
On 2/6/07 5:51 PM, "Bob Puff" <[EMAIL PROTECTED]> wrote:
> If a bad DK isn't bad, then how is this supposed to help spam? I mean, if the
> mere presence of some signature in the headers will increase the likelihood of
> an email being delivered (or at least help it NOT be tagged as spam), surely
On 2/7/07 7:32 AM, "Barry Warsaw" <[EMAIL PROTECTED]> wrote:
> Either they have a milter that refuses to
> resign or they have a working milter. If their milter doesn't
> resign, then less harm is done by stripping the header. If their
> milter does resign, then less harm is done by allowing it
Michael Thomas wrote:
>
>Frankly I think you'll be screwed even if you remove them too; removing
>them will not allow you to fly below the radar. Consider if Y! and Gmail
>had a bilateral agreement that they expect each other's mail to be signed
>and to put it in the bit bucket if it wasn't. It mak
On 2/7/07 8:46 AM, "Barry Warsaw" <[EMAIL PROTECTED]> wrote:
> Should we strip DKIM by default or not?
Not strip by default.
Even though that changes the default vs the most recent Mailman, it leaves
the default alone for everyone who jumps to 2.1.10 from earlier versions.
--John
On 2/7/07 9:19 AM, "Barry Warsaw" <[EMAIL PROTECTED]> wrote:
> OTOH, how many people would smell something fishy if this
> message had this header:
>
> From: Barry Warsaw <[EMAIL PROTECTED]>
With many MUAs (including the vast majority of different MUA programs and
versions) that would pass total
John W. Baxter wrote:
>On 2/7/07 8:46 AM, "Barry Warsaw" <[EMAIL PROTECTED]> wrote:
>
>> Should we strip DKIM by default or not?
>
>Not strip by default.
>
>Even though that changes the default vs the most recent Mailman, it leaves
>the default alone for everyone who jumps to 2.1.10 from earlier v
Michael Thomas wrote:
>
>On Wed, 7 Feb 2007, Mark Sapiro wrote:
>
>> Mike talks about the l= parameter allowing adding trailing content, but
>> I don't see Y! and Gmail using it, and even if they did, how would we
>> (could we) add a footer without breaking either the signature or the
>> MIME struc
Barry Warsaw writes:
> > Make sure no spam gets through your double opt-in list, and you're
> > golden, no?
>
> Ideally yeah. But python.org does get reported occasionally since
> while I think we do a pretty good job of blocking most spam, some
> nasties gated from Usenet still get th
Michael Thomas writes:
> I'm not saying I think that resigning is a Bad Thing, I'm saying that it's
> speculative whether it's a Good Thing. You seem to keep ignoring the
> inherent attack involved with resigning:
Have you actually read my posts, or just enough to feel defensive?
I have speci