On Fri 01/Jun/2018 07:40:07 +0200 Roland Turner via dmarc-discuss wrote:
> On 31/05/18 23:13, Alessandro Vesely via dmarc-discuss wrote:
>
>> My filtering ability is visible to the people I forward to. Although targets
>> don't see what I spare them, they can imagine. If you receive spam from me,
>> you lower my reputation. Easy.
>>
>> OTOH, my good faith ARC signing has to be assumed. To prove the opposite,
>> you
>> start with a message I forward to you; say it ARC-claims I received it from
>> X.
>> Afterwards, you need to contact X and have them deny they ever sent it. A
>> rather impractical method, especially since you need an X such that you can
>> trust their word against mine. How come?
>>
>> Orthogonality is broken by mandating filter-before-forward. That way,
>> receivers of ARC-signed, obvious spam can infer that the corresponding ARC
>> signature is faked. The better the filtering, the stronger the trust, and
>> the
>> more evident will a possible ARC key compromise be. So, if you pardon my
>> geometry-fictional wording, the "trust not to lie in ARC signing/sealing"
>> gets
>> measured by assessing its projection onto the filtering axis.
>
> OK, I see what you're getting at (and therefore why you mentioned spam traps).
> As a [large] receiver, I would not be tackling it in this way at all, mostly
> because I don't get to ask any of the Xs what the truth is, but also because
> spam filtering and ARC signing really are largely orthogonal capabilities[1]
> (and to the extent that they're not, there's too much noise to make good use
> of
> the results). I would instead - to further extend the use of over-specified
> geometric analogies - be performing something akin to gravitational lensing:
>
> * For each of [tens of] thousands of domain names[2], I have from their
> email
> received directly an assessment of their expertise at ensuring that their
> email can be authenticated, broken down by stream (IP address, subnet,
> service provider, etc.).
> * For each forwarder, I can see how they're reporting authentication results
> for many of the same senders at the same IP addresses, assuming that SPF
> authentication results are included in ARC.
> * From this I can determine whether the forwarder is ARC-signing correctly.
> Note that this is different to comparing the forwarder's probabilistic
> spam
> filtering with my own; in the ARC-signing case there are correct actions
> and incorrect actions, and a large receiver has enough information to tell
> which a forwarder is doing.
>
>
> Note that none of these steps has any relationship with spam which - given
> that
> spammers can (and do) cause their email to authenticate, and legitimate
> senders
> can (and do) fail to do so - is as it should be.
>
> - Roland
>
> 1: Yes, it is likely that forwarders who are exceptionally good at spam
> filtering will tend to be really good at ARC signing, but most of the
> important
> information is about forwarders who aren't exceptionally good at filtering, so
> this correlation appears largely unimportant.
> 2: or registrants, to the extent that this information becomes available again
> once ICANN stops arguing absurdities in front of European courts and focuses
> on
> the actual problem
I see. As a small receiver, I didn't even think about comparing different
forwarders of the same senders. In my case, such coincidences only cover a
handful of trusted mailing lists. Your argument further confirms how ARC
better suits large receivers.
Thank you for a nice discussion
Best
Ale
--
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)