On Fri 01/Jun/2018 07:40:07 +0200 Roland Turner via dmarc-discuss wrote:
> On 31/05/18 23:13, Alessandro Vesely via dmarc-discuss wrote:
>
>> My filtering ability is visible to the people I forward to. Although targets
>> don't see what I spare them, they can imagine. If you receive spam from me,
>> you lower my reputation. Easy.
>>
>> OTOH, my good faith ARC signing has to be assumed. To prove the opposite, you
>> start with a message I forward to you; say it ARC-claims I received it from X.
>> Afterwards, you need to contact X and have them deny they ever sent it. A
>> rather impractical method, especially since you need an X such that you can
>> trust their word against mine. How come?
>>
>> Orthogonality is broken by mandating filter-before-forward. That way,
>> receivers of ARC-signed, obvious spam can infer that the corresponding ARC
>> signature is faked. The better the filtering, the stronger the trust, and the
>> more evident will a possible ARC key compromise be. So, if you pardon my
>> geometry-fictional wording, the "trust not to lie in ARC signing/sealing" gets
>> measured by assessing its projection onto the filtering axis.
>
> OK, I see what you're getting at (and therefore why you mentioned spam traps).
> As a [large] receiver, I would not be tackling it in this way at all, mostly
> because I don't get to ask any of the Xs what the truth is, but also because
> spam filtering and ARC signing really are largely orthogonal capabilities[1]
> (and to the extent that they're not, there's too much noise to make good use of
> the results). I would instead - to further extend the use of over-specified
> geometric analogies - be performing something akin to gravitational lensing:
>
> * For each of [tens of] thousands of domain names[2], I have from their email
>   received directly an assessment of their expertise at ensuring that their
>   email can be authenticated, broken down by stream (IP address, subnet,
>   service provider, etc.).
> * For each forwarder, I can see how they're reporting authentication results
>   for many of the same senders at the same IP addresses, assuming that SPF
>   authentication results are included in ARC.
> * From this I can determine whether the forwarder is ARC-signing correctly.
>   Note that this is different to comparing the forwarder's probabilistic spam
>   filtering with my own; in the ARC-signing case there are correct actions
>   and incorrect actions, and a large receiver has enough information to tell
>   which a forwarder is doing.
>
> Note that none of these steps has any relationship with spam which - given that
> spammers can (and do) cause their email to authenticate, and legitimate senders
> can (and do) fail to do so - is as it should be.
>
> - Roland
>
> 1: Yes, it is likely that forwarders who are exceptionally good at spam
> filtering will tend to be really good at ARC signing, but most of the important
> information is about forwarders who aren't exceptionally good at filtering, so
> this correlation appears largely unimportant.
> 2: or registrants, to the extent that this information becomes available again
> once ICANN stops arguing absurdities in front of European courts and focuses on
> the actual problem
I see. As a small receiver, I didn't even think about comparing different
forwarders of the same senders. In my case, such coincidences only cover a
handful of trusted mailing lists. Your argument further confirms how ARC better
suits large receivers.

Thank you for a nice discussion

Best
Ale

--
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
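The cross-check Roland sketches in the quoted message (SPF results the receiver computed itself for a sender at a given source IP, compared with what each forwarder reports in its ARC-Authentication-Results header for the same sender/IP pairs) can be written down as a small scoring routine. The following is an added example, not code from this thread or from any ARC implementation: the domains, IP addresses and header values are constructed, the minimum-overlap and disagreement thresholds are assumptions, and recovering the original hop's source IP from the forwarder's Received or Received-SPF headers is assumed to have happened already. It also covers Ale's small-receiver point: a forwarder with too few overlapping observations gets no verdict. Spam verdicts are not an input at all, in line with Roland's remark that the two axes are orthogonal.

```python
"""
Score each forwarder's ARC-reported SPF results against what this receiver
observed directly for the same (sender domain, source IP) pairs.

Added example for the approach sketched in the thread; not code from the
thread or from any ARC implementation. All data below is constructed.
"""
import re
from collections import defaultdict

# Constructed: SPF results this receiver computed itself on mail that the
# sender delivered to us directly, as (MAIL FROM domain, source IP, result).
DIRECT_OBSERVATIONS = [
    ("sender.example", "192.0.2.10", "pass"),
    ("sender.example", "192.0.2.10", "pass"),
    ("sender.example", "192.0.2.10", "pass"),
    ("sender.example", "198.51.100.7", "fail"),   # IP not in sender's SPF record
    ("sender.example", "198.51.100.7", "fail"),
    ("other.example", "203.0.113.5", "pass"),
    ("other.example", "203.0.113.5", "pass"),
]

# Constructed: forwarded messages as (forwarder authserv-id,
# ARC-Authentication-Results header value, source IP of the original hop).
# Recovering that source IP from the forwarder's Received / Received-SPF
# headers is assumed to have happened already and is not shown here.
FORWARDED = [
    ("list.example", "i=1; list.example; spf=pass smtp.mailfrom=sender.example; dkim=pass header.d=sender.example", "192.0.2.10"),
    ("list.example", "i=1; list.example; spf=pass smtp.mailfrom=bounce@sender.example", "192.0.2.10"),
    ("list.example", "i=1; list.example; spf=pass smtp.mailfrom=other.example", "203.0.113.5"),
    ("list.example", "i=1; list.example; spf=fail smtp.mailfrom=sender.example", "198.51.100.7"),
    ("list.example", "i=1; list.example; spf=pass smtp.mailfrom=unknown.example", "192.0.2.99"),
    # A forwarder whose AAR disagrees with what we see ourselves, e.g. it
    # evaluates SPF against the wrong hop or records results it never computed.
    ("sloppy.example", "i=1; sloppy.example; spf=pass smtp.mailfrom=sender.example", "192.0.2.10"),
    ("sloppy.example", "i=1; sloppy.example; spf=pass smtp.mailfrom=sender.example", "198.51.100.7"),
    ("sloppy.example", "i=1; sloppy.example; spf=fail smtp.mailfrom=other.example", "203.0.113.5"),
    ("sloppy.example", "i=1; sloppy.example; spf=pass smtp.mailfrom=sender.example", "198.51.100.7"),
    # A forwarder we rarely overlap with (the small-receiver case).
    ("tiny.example", "i=1; tiny.example; spf=pass smtp.mailfrom=sender.example", "192.0.2.10"),
]

AAR_METHOD = re.compile(r"\b(spf|dkim|dmarc|arc)=([a-z]+)")
AAR_MAILFROM = re.compile(r"smtp\.mailfrom=(?:[^@;\s]+@)?([^;\s]+)")


def parse_aar(header):
    """Return ({method: result}, mailfrom_domain) from an AAR header value."""
    results = dict(AAR_METHOD.findall(header))
    match = AAR_MAILFROM.search(header)
    return results, (match.group(1).lower() if match else None)


def baseline(direct):
    """Majority SPF result we saw directly for each (domain, ip)."""
    counts = defaultdict(lambda: defaultdict(int))
    for domain, ip, result in direct:
        counts[(domain, ip)][result] += 1
    return {key: max(c, key=c.get) for key, c in counts.items()}


def score_forwarders(direct, forwarded, min_overlap=3, max_disagree=0.2):
    """Tally agreement between each forwarder's AAR and our own baseline.

    min_overlap and max_disagree are assumed thresholds, not values from
    the thread. Spam verdicts are deliberately not an input.
    """
    base = baseline(direct)
    tally = defaultdict(lambda: {"agree": 0, "disagree": 0, "uncovered": 0})
    for forwarder, aar, source_ip in forwarded:
        results, domain = parse_aar(aar)
        claimed = results.get("spf")
        expected = base.get((domain, source_ip))
        entry = tally[forwarder]
        if claimed is None or expected is None:
            entry["uncovered"] += 1        # nothing of ours to compare against
        elif claimed == expected:
            entry["agree"] += 1
        else:
            entry["disagree"] += 1
    for entry in tally.values():
        overlap = entry["agree"] + entry["disagree"]
        if overlap < min_overlap:
            entry["verdict"] = "insufficient data"
        elif entry["disagree"] / overlap > max_disagree:
            entry["verdict"] = "inconsistent"
        else:
            entry["verdict"] = "consistent"
    return dict(tally)


if __name__ == "__main__":
    for name, entry in sorted(score_forwarders(DIRECT_OBSERVATIONS, FORWARDED).items()):
        print(name, entry)
```

With the constructed data, list.example agrees on all four pairs we can check and is marked consistent, sloppy.example contradicts our own observations on three of four and is marked inconsistent, and tiny.example overlaps with us on a single message and gets no verdict at all, which is the position a small receiver is in for most forwarders.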