[ietf-dkim] Re: 1: 1 and assertions about third parties

John L johnl at iecc.com
Thu Jan 17 20:58:34 PST 2008


>> My expectation is that a large majority of domains that would publish 
>> strict SSP policies would be small mail systems with no more forgery 
>> problems than anyone else, but an exaggerated idea of their own importance. 
>
> I'm sorry, but is it just your peevishness about their perceived
> self-importance? What difference does it make if they aren't as
> important as they think they are? How is that negatively affecting
> you?

My understanding is that the point of publishing SSP is to help mail 
recipients filter their mail better, where the only useful meaning of 
better is that it makes the recipient users happier.  (I see occasional 
claims that the purpose of SSP is to permit senders to make statements 
regardless of whether they're useful to anyone else.  If that's the case, 
we need to document it better but you can ignore the rest of this 
message.)

Senders' opinions about third parties aren't useful in making filtering 
decisions.  In the example above, what happens when a user of such a 
domain sends mail through a mailing list and the signatures break?  If you 
believe the strict SSP, you throw away perfectly good mail, making users 
unhappy.  Well, OK, perhaps you adjust your rules to whitelist mail from 
known mailing lists.  But now what about a domain like Paypal that you 
know (not from SSP) is both heavily forged and doesn't send mail through 
lists?  My filter rules dump anything not sent directly from Paypal, list 
or no list.  But how can SSP help us distinguish the Paypals from the 
self-importants?  It can't, and there are clearly far more inept mail 
system managers than Paypal-style mega-phish targets.

It's fine to publish statements about what you actually do.  "I sign 
everything" is fine, a sender controls that.  Perhaps "I don't send mail 
through lists" would be useful, again, a sender can control that.  But 
"I'm a phish target" or "broken signatures are forgeries" or anything else 
that purports to describe what other people do isn't useful, because the 
guy making the statement doesn't know any more about it than anyone else 
does.  For the vast majority of domains, I suspect that AOL and Hotmail 
and other large inbound mail systems have much better data on how much

R's,
John

PS: I say this even though I happen to be a moderately significant forgery 
target.  Every day abuse.net gets over 300,000 bounces of spam it didn't 
send, but I don't see why anyone who doesn't already know me would take my 
word for it.
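
The filtering trade-off discussed above, written out as a small model so the three recipient-side rules (believe strict SSP literally, allowlist known lists, or use the recipient's own knowledge of which domains are phish targets that never use lists) can be scored against the same sample traffic. This is an added example and not code from the thread or from any DKIM/SSP implementation; the domain names, the SSP table, the PHISH_TARGETS set and the message sample are all constructed for illustration. SSP itself was later published as ADSP (RFC 5617).

```python
"""Toy model of the filtering decision debated in this thread.

Constructed example: three recipient-side policies are run over a handful of
made-up messages to show which one discards legitimate mail and which one
delivers forgeries. Domain names, the SSP table and PHISH_TARGETS are invented.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple


class Policy(Enum):
    UNKNOWN = "unknown"  # domain publishes no SSP record
    ALL = "all"          # "I sign everything" (a statement about the sender itself)
    STRICT = "strict"    # "treat unsigned or broken-signature mail as forged"


@dataclass
class Message:
    sender_domain: str
    signature_valid: bool  # DKIM signature verified; False covers missing or broken
    via_list: bool         # relayed through a mailing list that rewrote the message
    legitimate: bool       # ground truth, used only for scoring


# Constructed SSP records as the senders published them.
SSP = {
    "smallshop.example": Policy.STRICT,   # small site, strict policy, users post to lists
    "megatarget.example": Policy.STRICT,  # heavily forged, never sends via lists
}

# Constructed recipient-side knowledge: domains this recipient has observed to be
# heavily forged AND to never send through lists. SSP carries none of this.
PHISH_TARGETS = {"megatarget.example"}


def ssp_literal(msg: Message) -> str:
    """Believe the sender's strict SSP statement as written."""
    policy = SSP.get(msg.sender_domain, Policy.UNKNOWN)
    if policy is Policy.STRICT and not msg.signature_valid:
        return "discard"
    return "deliver"


def ssp_with_list_allowlist(msg: Message) -> str:
    """Strict SSP, but broken-signature mail arriving via a known list is delivered."""
    if ssp_literal(msg) == "discard" and not msg.via_list:
        return "discard"
    return "deliver"


def ssp_with_local_knowledge(msg: Message) -> str:
    """Strict SSP plus list allowlist, except for domains the recipient itself knows
    are phish targets that never use lists: for those, anything unsigned is dropped."""
    if ssp_literal(msg) == "deliver":
        return "deliver"
    if msg.sender_domain in PHISH_TARGETS:
        return "discard"
    return "deliver" if msg.via_list else "discard"


def score(policy: Callable[[Message], str], msgs: List[Message]) -> Tuple[int, int]:
    """Return (legitimate messages discarded, forgeries delivered) for a policy."""
    false_positives = sum(1 for m in msgs if m.legitimate and policy(m) == "discard")
    missed = sum(1 for m in msgs if not m.legitimate and policy(m) == "deliver")
    return false_positives, missed


# Constructed traffic sample.
SAMPLE = [
    Message("smallshop.example", False, True, True),     # real user posting to a list
    Message("smallshop.example", True, False, True),     # real, direct, signed
    Message("smallshop.example", False, False, False),   # forgery, unsigned, direct
    Message("megatarget.example", True, False, True),    # real, direct, signed
    Message("megatarget.example", False, False, False),  # forgery, unsigned, direct
    Message("megatarget.example", False, True, False),   # forgery dressed up as list mail
]

if __name__ == "__main__":
    for fn in (ssp_literal, ssp_with_list_allowlist, ssp_with_local_knowledge):
        fp, missed = score(fn, SAMPLE)
        print(f"{fn.__name__:26s} legit discarded={fp} forgeries delivered={missed}")
```

On this sample the literal rule discards the real list post, the list allowlist lets the forgery that claims a list path through, and only the third rule gets both right; the extra signal it relies on (which domains are forged heavily and never use lists) is the recipient's own data, which is the point the message makes about where that knowledge has to come from.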
