[ietf-dkim] Replay isn't the problem, spam is the problem
Amir Herzberg
herzbea at macs.biu.ac.il
Tue Aug 9 07:44:02 PDT 2005
John R Levine wrote:
>>Replay protection allows automated reputation management, since it
>>provides a signed proof of misconduct.
>
> Oh, look, now we're back full circle. Please explain how your replay
> protector can tell the difference between an evil replay and a normal
> standard garden variety mailing list, short of some giant whitelist of
> every mailing list forcing every piece of dusty mailing list software to
> upgrade, or using the same heuristics we use now (which, of course, don't
> need a DKIM replay detector to work).
When we receive a message from a forwarder/mailing list, it will normally
be without replay protection, just like with current DKIM. The recipient can
now determine how to handle it. Some may accept it - as in current DKIM
- I think that's an acceptable policy. Others may restrict such messages to
known mailing lists etc., possibly using white/black lists, etc. A few
may flatly discard such mail; that is also an acceptable recipient
policy, even if a bit harsh.
I definitely don't expect every mailing list software to upgrade,
although I do envision an optional mechanism allowing a mailing list to
ask senders to pre-authorize distribution of their message to a specific
number of recipients in the list. However, I am not even sure we need to
define such mechanisms at this point.
>
> You're also making the assumption that spammers will blast out many
> identical messages with the same signature. They stopped doing that in
> about 1999, and nobody's suggested what would make them resume doing so.
No, I don't. DKIM may _motivate_ spammers to send the same messages,
signed by some victim sending domain, to many recipients. Replay
protection just protects the sending domains from losing their
reputation due to such risks, and the destinations from receiving such
spam on the basis of the reputation of the senders.
--
Best regards,
Amir Herzberg
Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
Try TrustBar - improved browser security UI:
http://AmirHerzberg.com/TrustBar
Visit my Hall Of Shame of Unprotected Login pages:
http://AmirHerzberg.com/shame
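The receiver-side decision the post sketches (unprotected forwarded mail falls under local policy; a protected direct message is counted per signature against the sender's declared recipient limit), as an added illustration that is not part of the thread or of any DKIM specification. The `rl=` recipient-limit tag, the `via_list` argument and the in-memory `SEEN` store are assumptions made for this sketch; real DKIM has no such tag.

```python
from collections import defaultdict
import hashlib

# Receiver-side state: signature id -> set of envelope recipients already seen.
# Constructed in-memory store for the example; a real receiver would persist it.
SEEN = defaultdict(set)

def signature_id(dkim_tags):
    """Identify a signature by its signing domain plus a digest of the b= value."""
    digest = hashlib.sha256(dkim_tags["b"].encode()).hexdigest()[:16]
    return dkim_tags["d"] + ":" + digest

def classify(dkim_tags, envelope_rcpt, via_list=None, policy="accept", known_lists=()):
    """Decide how to handle a DKIM-signed message at the receiver.

    dkim_tags:   parsed DKIM-Signature tags (d=, b=, plus a hypothetical rl=
                 recipient-limit tag standing in for replay protection).
    via_list:    identity of the mailing list that forwarded the message, or None.
    policy:      local handling of unprotected mail: "accept", "known-lists"
                 (the three recipient policies the post describes) or "reject".
    """
    limit = dkim_tags.get("rl")
    if limit is None:
        # No replay protection (the normal case for list/forwarded mail):
        # the outcome is purely the recipient's own policy.
        if policy == "accept":
            return "accept"
        if policy == "known-lists":
            return "accept" if via_list in known_lists else "restrict"
        return "reject"
    # Protected direct message: count distinct envelope recipients per signature.
    # Exceeding the sender's declared limit is signed evidence of a replay.
    seen = SEEN[signature_id(dkim_tags)]
    seen.add(envelope_rcpt.lower())
    if len(seen) > int(limit):
        return "reject-replay"
    return "accept"

if __name__ == "__main__":
    sig = {"d": "sender.example", "b": "c2lnbmF0dXJl", "rl": "2"}  # constructed
    for rcpt in ("u1@rcv.example", "u2@rcv.example", "u3@rcv.example"):
        print(rcpt, classify(sig, rcpt))
```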