[ietf-dkim] draft-ietf-dkim-ssp-02.txt Discardable/Exclusive

Steve Atkins steve at blighty.com
Fri Feb 8 12:56:08 PST 2008


On Feb 8, 2008, at 12:18 PM, MH Michael Hammer (5304) wrote:
>>
>>
>> It's an assertion that the sender would prefer that the
>> recipient not deliver some small fraction of legitimate email
>> as well as some small fraction of illegitimate email, rather
>> than delivering those small fractions of legitimate and
>> illegitimate email.
>>
>
> I'm not sure that I would agree with framing it as "some small fraction
> of illegitimate email". Tracking phishing attacks against our brands
> since we have started signing, a receiver checking DKIM and/or SPF would
> have easily identified 100% of those fraudulent emails.

You're tracking the wrong thing then, clearly.

Checking my personal mailbox for mails using your brand:

From: AmericanGreetings.com <duhv at mailcity.com>
From: americangreetings.com <yks at mcelectric.com>
From: "americangreetings.com" <art at jeri.com>
From: "AmericanGreetings.Com" <nceg at planet.nl>
From: "americangreetings.com" <zzp at kent.edu>
From: "AmericanGreetings.Com" <bxe at 37.com>
From: "AmericanGreetings.Com" <uubx at bergercpa.com>
From: "AmericanGreetings.Com" <hvxi at shwgroup.com>
From: "americangreetings.com" <alht at motoconcess.com>

There were also dozens of other mails that used the americangreetings.com
brand in the body or subject of the message, but not in the From: field.

So, in the data I'm looking at, the "small fraction of illegitimate mail"
that would have been caught by SSP or anything similar would be 0%.

(None of the americangreetings related stuff is actually "phishing", of
course, but many of the issues are quite similar to those of brands that
actually are phished).

>> In the sender's opinion, it is more important that mail
>> claiming to be from them not be delivered than for it to be delivered.
>>
>
> I think a more appropriate phrasing would be:
>
> "In the sender's opinion, it is more important that mail claiming to be
> from them and not conforming to certain parameters not be delivered than
> for it to be delivered - even at the risk of some legitimate mail being
> discarded."

That's a less clear way of saying much the same thing. You want
recipients to not deliver some small subset of the mail that uses your
brand without your permission, even at the cost of not delivering some
small subset of mail using your brand with your permission.

>> The English meaning of "discardable" matches the semantics
>> pretty well. If we want implementors to easily understand and
>> deploy the specification, and more importantly the limits of
>> them doing so, that's fairly important.

Cheers,
   Steve
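As an added illustration (not part of this thread, and a deliberate simplification of the draft's rules), the Python below evaluates a "discardable" assertion the way a receiver would: only the domain of the From: address proper is consulted, so a display name that merely reads "AmericanGreetings.com" in front of an address at some other domain never triggers the policy, while an unsigned message genuinely from the brand's own domain would be discarded. The policy table and the set of validly signing domains are assumptions standing in for the DNS lookup and DKIM verification a real receiver performs.

```python
from email.utils import parseaddr

# Constructed from the From: lines quoted in the message above, with the
# archive's " at " obfuscation written back as "@".
BRAND_SPOOF_FROM_LINES = [
    'AmericanGreetings.com <duhv@mailcity.com>',
    'americangreetings.com <yks@mcelectric.com>',
    '"americangreetings.com" <art@jeri.com>',
    '"AmericanGreetings.Com" <nceg@planet.nl>',
    '"americangreetings.com" <zzp@kent.edu>',
    '"AmericanGreetings.Com" <bxe@37.com>',
    '"AmericanGreetings.Com" <uubx@bergercpa.com>',
    '"AmericanGreetings.Com" <hvxi@shwgroup.com>',
    '"americangreetings.com" <alht@motoconcess.com>',
]

# Hypothetical published sender policies keyed by author domain (assumption:
# the brand owner publishes "discardable" for exactly its own domain).
POLICIES = {"americangreetings.com": "discardable"}


def author_domain(from_header):
    """Domain of the From: address proper; the display name is ignored."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def evaluate(from_header, signing_domains, policies=POLICIES):
    """Simplified receiver-side evaluation of a sender signing policy.

    signing_domains: domains with a valid DKIM signature on the message.
    Returns 'no-policy' (author domain publishes nothing, so no assertion can
    apply), 'pass' (author domain signed), 'discard' (unsigned under a
    'discardable' policy) or 'unsigned' (unsigned under any other policy).
    """
    domain = author_domain(from_header)
    if domain is None or domain not in policies:
        return "no-policy"
    if domain in signing_domains:
        return "pass"
    return "discard" if policies[domain] == "discardable" else "unsigned"


def count_discardable(from_lines, signing_domains=frozenset()):
    """How many of the given (unsigned) messages the policy would discard."""
    return sum(evaluate(f, signing_domains) == "discard" for f in from_lines)


if __name__ == "__main__":
    for line in BRAND_SPOOF_FROM_LINES:
        print(evaluate(line, set()), "<-", line)
    print("caught by policy:", count_discardable(BRAND_SPOOF_FROM_LINES))
```

Every one of the nine quoted From: lines evaluates to "no-policy", which is the 0% in the message; the cost side of the trade-off shows up when a message from the brand's own domain arrives without a valid signature.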
