Attempted summary (was: Re: [ietf-dkim] DKIM and mailing lists)

Douglas Otis dotis at mail-abuse.org
Mon Jan 23 09:55:14 PST 2006 

On Jan 23, 2006, at 7:35 AM, Stephen Farrell wrote:
>
> Please correct where I've missed things, or gotten stuff wrong.
>
> Where a particular message seems to contain a bunch of potentially

The mailing-list summary missed what should be serious concerns  
related to replay abuse, whether it is a list-server, free email- 
address provider, newsletter, or large domain.


Even aggressive rate restrictions, outbound filtering, and banishing  
offending email-addresses will not offer an effective solution for an  
abusive replay problem.  When a common key is used, key revocation is  
not practical.  Per-user keys or per-user policies will impact the  
related overhead, as both approaches will tend to overwhelm  
caching.   A bad actor is capable of sending replays from tens of  
thousands of sources simultaneously.  The use of a user policy as a  
means of control also unfairly impacts use of the email-address in  
cases where the recipient is the bad actor.  Even rapid responses  
from abuse reporting to pushing out altered key or policy with  
extremely short TTLs will still likely be too slow to be an effective  
deterrent.  Short TTLs with per-user records will likely increasing  
the related overhead further still.

Eliot suggested list-servers (free email-address providers,  
newsletters, e-invites, photo-kiosks, etc.)  be picky about who they  
allow to use their services, but did not provide a description of  
that process.  The current practice exercised by list-servers is the  
use of double opt-in and banning those abusing their privileges.   
Neither of these approaches protects the reputation of the list- 
server signature, or the reputation of the signing domains that pass  
through the list-server without the signature being overlaid with  
verification results.  A bad actor can issue a series of links, much  
as seen in the prior message, which look okay until being used in an  
abusive replay.

When there is replay abuse, how should the sender react?

What obligations do list-servers have with respect to their  
participants in regards to a replay abuse problem that may affect the  
reputation the signing domains sent through the list?


-Doug

P.S. Could you enclose your links in <> rather than [], thanks.

More information about the ietf-dkim mailing list