[ietf-dkim] list vs contributor signatures, was Wrong Discussion
iane at sussex.ac.uk
Fri May 7 08:30:52 PDT 2010
--On 4 May 2010 16:09:28 +0000 John Levine <johnl at iecc.com> wrote:
>>> I agree it's hypothetically possible, but have you ever seen an actual
>>> need for this in practice, a list where the recipients filter out
>>> messages that a more competently managed list would have rejected?
>> I've seen spam posted to mailing lists. Recently, I've seen lists
>> targetted in more intelligent ways by spammers. For example, by using
>> sender addresses in the domain of the list (quite a useful way of
>> attacking academic lists, which tend to have lots of local users, but
>> some non-local).
> I believe it. Are you saying the list managers make no effort to keep
> the spam out of their lists?
No, but I don't think it's their job. As the site manager, that's my job in
general. What the list managers can add is access controls, and
authentication helps to improve the utility of such controls.
> Remember that every change to list
> software that might be useful to let recipients identify spam that
> leaks through a list could be used to keep the spam from leaking in
> the first place. Why go to extra effort to push the work out to the
I'm not advocating extra effort to push the work out. I am advocating
leaving in place information that recipients may (or may not) wish to use.
> Also, re your other discussion about list authentication, you're
> right, we don't know what authentication lists do on their
> contributors, but DKIM doesn't help there since DKIM most definitely
> never says that the From: address is "real".
"real"? A signature from the sender domain at least says that if it's not
real, that's the responsibility of the sender domain owner, doesn't it?
Then reputation services come into play. Which is where the answer to your
first question comes in - the end recipient may have a very different view
of the reputation of the sender than does the list. Or, it may wish to use
the message content to modify its reputation score for the sender.
> If you want strong
> sender authentication, we already have S/MIME, and I wouldn't be
> surprised if there were list software that could use it.
IT Services, University of Sussex
For new support requests, see http://www.sussex.ac.uk/its/help/
More information about the ietf-dkim