[ietf-dkim] Clarifying DKIM (etc.) expectations for mailing lists in the face of digests
dotis at mail-abuse.org
Wed Aug 4 15:24:50 PDT 2010
On 8/4/10 2:01 PM, John Levine wrote:
>> There's a scenario where a spammer/phisher sets up a mailing list,
>> adds a bunch of addresses to the list and then sends a message with a
>> paypal.com From: address through the list. The DKIM signature will
>> obviously be invalid, but a MTA/spam filter won't be able to decide
>> whether this is because the message didn't really come from Paypal,
>> or because it did but the mailing list broke it.
> I don't see how this poses any new problems.
> If you believe in ADSP or manual drop lists, you drop the message
> because it's from paypal.com and it's unsigned. I think we can expect
> that we won't see any real paypal.com mail coming through lists.
Clearly, paypal.com did not initially internalize the significance of
ADSP dkim=discardable. Perhaps now they have. I seriously doubt they
were alone in that regard. It is not inconceivable that A-R headers
were seen as a remedy that might allow such use. There are many
similar companies where employees exchange messages using the
recognizable domain of their organization. ADSP dkim=discardable is not
a guarantee of messages never reaching an informal mailing list, and the
appendix in RFC5617 only alluded to problems caused when the Author
Domain signature is not valid.
> Otherwise, it's just spam. Does anyone treat List-ID: or other list
> headers as a not-spam indicator unless it's from a list that you have
> reason to think has local subscribers? I certainly don't.
Most people are unable to deal with the typical email volumes generated
by informal mailing lists, without reliance upon message sorting. In
such a case, it seems unlikely a recipient would consider sorted mail as
representing some type of individual transaction. A message considered
to have been emitted from an informal mailing-list is unlikely effective
as a phishing lure, where most lists will also unsubscribe members who
make unrelated solicitations.
While phishing remains a serious matter, disruptions created by ADSP
should be resolved by modifying its assertions in a manner still
effective against phishing. A community compiled list of informal
third-party services could greatly facilitate these efforts.
More information about the ietf-dkim