[ietf-dkim] Blocking/Restrictive-Policy vs Annotation/Associative-Policy

Douglas Otis dotis at mail-abuse.org
Fri Dec 8 15:33:37 PST 2006


On Dec 8, 2006, at 3:05 PM, Hector Santos wrote:

>>>> Blocking via policy definitely does _not_ offer much in the way  
>>>> of protection, but will require a significant level of support  
>>>> explaining why various messages are being rejected.
>>>
>>> It will?
>>>
>>> - A domain does not expect mail.  Pretty good protection
>>> - A domain requires mail to be signed.  Pretty good protection
>>
>> Only when message originators are recognized and verified by the MUA,
>
> Nope, once again, MUA are not required. I can do the above easily  
> at the MDA.

Is viewing the display name protected by this effort?

Is receiving non-ASCII email-addresses protected by this effort?

Are look-alike and cousin-domains prevented?

What happens when a domain wishes to allow users use of a mailing-list?
Should they set up different domain names, or use a sub-domain?  How
will increased domain names of the same entity better allow a recipient
to detect a spoof?

You cannot offer "pretty good protection" at the MTA based upon
policy blocking.  Simple schemes remain where your customers continue
to be spoofed.  Annotation at the MUA can prevent these schemes,
works with non-ASCII email-addresses, prevents look-alike and
cousin-domain exploits, and permits the use of mailing-lists without
additional domain names.

Policy based blocking is not a desirable feature when it will likely  
make the situation worse at substantial costs to resources.

-Doug
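The contrast argued in this message, as an added example that is not part of the thread: a receiver-side sketch in which an MDA applies a restrictive "all mail must be signed" policy keyed on the exact author domain, beside an MUA that annotates the verified signing domain against senders the recipient already recognizes. The policy record, the recipient's known-signer list, the domains (example.com, examp1e.com, lists.example.net) and the three sample messages are all constructed for illustration.

```python
# Added example (not code from the thread): restrictive policy at the MDA
# versus annotation of the verified signer at the MUA.
from dataclasses import dataclass
from typing import Optional

# Constructed policy records keyed on the exact author domain.
# "all" means every message from this domain must carry a valid
# signature made by that same domain.
POLICY = {"example.com": "all"}

# Constructed list of signing domains this recipient has verified before.
KNOWN_SIGNERS = {"example.com"}


@dataclass
class Message:
    from_domain: str                 # domain of the From: address shown to the user
    signing_domain: Optional[str]    # d= of a DKIM signature that verified, or None


def mda_policy_decision(msg: Message) -> str:
    """Restrictive policy: reject unsigned mail from an 'all' domain.
    The lookup is keyed on the exact From: domain, so any other domain,
    including a look-alike, has no policy record and is accepted."""
    if POLICY.get(msg.from_domain) == "all" and msg.signing_domain != msg.from_domain:
        return "reject"
    return "accept"


def mua_annotation(msg: Message) -> str:
    """Annotation: report whether the verified signer is one the recipient
    already recognizes, independent of how the From: domain looks."""
    if msg.signing_domain is None:
        return "unsigned"
    if msg.signing_domain in KNOWN_SIGNERS:
        return f"verified: {msg.signing_domain}"
    return f"unrecognized signer: {msg.signing_domain}"


# Constructed sample traffic: a direct signed message, an unsigned message
# from a look-alike domain, and a message relayed through a mailing list
# that strips the author signature and re-signs under its own domain.
SAMPLES = {
    "direct": Message("example.com", "example.com"),
    "lookalike": Message("examp1e.com", None),
    "via_list": Message("example.com", "lists.example.net"),
}


def evaluate_all() -> dict:
    """Return (MDA decision, MUA annotation) for each constructed sample."""
    return {name: (mda_policy_decision(m), mua_annotation(m)) for name, m in SAMPLES.items()}
```

The look-alike message passes the policy check because no record exists for its domain, while the legitimate mailing-list relay is the one the policy rejects; the annotation path flags the relayed signer as unrecognized and leaves the look-alike visibly unsigned rather than silently delivering it as accepted.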