Attempted summary (was: Re: [ietf-dkim] DKIM and mailing lists)
dotis at mail-abuse.org
Mon Jan 23 11:05:50 PST 2006
On Jan 23, 2006, at 10:26 AM, Eliot Lear wrote:
>> Eliot suggested list-servers (free email-address providers,
>> newsletters, e-invites, photo-kiosks, etc.) be picky about who
>> they allow to use their services, but did not provide a
>> description of that process.
> One obvious approach is to check the reputation of the applicant.
> But this may not be needed for all lists, particularly moderated ones.
Even a moderated list would likely not be able to ferret out messages
containing links that may, after being sent, transform into a website
for spam or perhaps offer browser exploits.
When you say the reputation of the applicant, are you suggesting
applications accompany a certificate to identify the individual?
Once messages have been signed, without an overlay strategy providing
a means to hold the receiving domain accountable for not protecting
signatures, controlling replay abuse demands perhaps impossibly rapid
revocation of keys or policies. The bad actor's strategy could
easily stage replays when the administrator is asleep.
A bad actor is able to obtain tens of thousands of free email-
addresses. Only negative reputations for email-address may perhaps
be safe to distribute, as any such list will also expose these email-
addresses to spam abuse themselves. Nevertheless, a negative
reputation is reactive after the fact. The reputation and associated
reactions will be too late to be effective to abate a blitz replay.
Messages will have been signed and can be disseminated en masse, well
beyond the control of the list-server.
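The replay and revocation timing problem described in this message, as an added example that is not part of the original post or of any DKIM implementation. It is a deliberately simplified model: an HMAC over a fixed list of header fields stands in for the RSA signature of real DKIM, and a dictionary stands in for the DNS key records a verifier would fetch. All names, the selector and the key material are constructed for illustration.

```python
"""Simplified model of DKIM signing, replay and key revocation.

Constructed illustration only: HMAC-SHA256 over a fixed header list stands
in for DKIM's RSA signature, and KEY_STORE stands in for the DNS TXT
records a receiver would query for the (domain, selector) pair.
"""
import hashlib
import hmac

# Hypothetical key store: (domain, selector) -> secret. Removing an entry
# models the signer revoking that selector in DNS.
KEY_STORE = {("example.com", "jan2006"): b"constructed-secret-key"}

# Header fields covered by the signature (the h= tag in real DKIM).
SIGNED_HEADERS = ("from", "to", "subject", "date")


def canonicalize(headers, names):
    """Relaxed-style canonicalization: lowercase names, collapsed whitespace."""
    lookup = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in names:
        value = " ".join(lookup.get(name, "").split())
        lines.append(f"{name}:{value}")
    return "\r\n".join(lines).encode()


def sign(headers, domain, selector, key_store=KEY_STORE):
    """Produce a signature record over the listed header fields only."""
    key = key_store[(domain, selector)]
    mac = hmac.new(key, canonicalize(headers, SIGNED_HEADERS), hashlib.sha256)
    return {"d": domain, "s": selector, "h": ":".join(SIGNED_HEADERS),
            "b": mac.hexdigest()}


def verify(headers, sig, key_store=KEY_STORE):
    """Verify the signature; fails closed if the selector is absent (revoked)."""
    key = key_store.get((sig["d"], sig["s"]))
    if key is None:
        return False
    names = tuple(sig["h"].split(":"))
    expected = hmac.new(key, canonicalize(headers, names), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["b"])


def deliver(envelope_rcpts, headers, sig, key_store=KEY_STORE):
    """Receiving MTA policy: accept if the signature verifies.

    The envelope recipient list is deliberately not part of what is
    signed, exactly as in DKIM, so it plays no role in the decision.
    """
    return verify(headers, sig, key_store)


def replay_scenario():
    """Return (original_ok, replay_ok, after_revocation_ok)."""
    headers = {"From": "user@example.com", "To": "list@example.org",
               "Subject": "hello", "Date": "Mon, 23 Jan 2006 11:05:50 -0800"}
    sig = sign(headers, "example.com", "jan2006")

    # 1. Legitimate delivery to the list.
    original_ok = deliver(["list@example.org"], headers, sig)

    # 2. The same signed message forwarded to a different envelope recipient
    #    list: headers and signature are untouched, so it still verifies.
    replay_ok = deliver(["a@example.net", "b@example.net"], headers, sig)

    # 3. The signer revokes the selector. Only deliveries attempted after
    #    this point fail; anything already delivered in step 2 is unaffected.
    store = dict(KEY_STORE)
    del store[("example.com", "jan2006")]
    after_revocation_ok = deliver(["c@example.net"], headers, sig, key_store=store)

    return original_ok, replay_ok, after_revocation_ok


def tamper_scenario():
    """Changing a signed header (Subject) breaks verification."""
    headers = {"From": "user@example.com", "To": "list@example.org",
               "Subject": "hello", "Date": "Mon, 23 Jan 2006 11:05:50 -0800"}
    sig = sign(headers, "example.com", "jan2006")
    altered = dict(headers, Subject="changed")
    return verify(altered, sig)


if __name__ == "__main__":
    print("original, replay, after revocation:", replay_scenario())
    print("tampered subject verifies:", tamper_scenario())
```

The point the model makes concrete: the signature binds header content, not where the message is next sent, so the only lever the signer has against replay is pulling the selector, and that lever acts only on verifications performed after the revocation reaches the receiver's DNS cache.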