> From: Gary Mills
>
> The other
> extreme would be an organization that specializes in spam and uses
> DKIM signatures for their e-mail. In that case, I'd like to reject
> all of their e-mail, validated or not. That seems way too easy. Why
> would such a company admit to sending spam and also use DKIM
> signatures?

You might also ask why so much spam has valid SPF records and why some spam appears to have good PKP signatures. I think that is because many people drank deeply of the sender-authentication-as-FUSSP koolaid. Recall that SPF was originally sold to satisfy the widespread demand for authentication as the Final Ultimate Solution for the Spam Problem. SPF, DKIM, etc. are now sold as anti-forgery tools to ease the maintenance of manual whitelists like your "reputation database," but there are still many people who "think" that those or some yet to be invented sender authentication mechanism will solve the spam problem.

Spammers that choose to send from their own IP addresses instead of botnets, broken PHP servers, open SMTP relays, etc. have always included a practically unforgeable token of their identity with their spam. The sending IP address for email cannot in practice be forged, because even before RFC 1948 support became a check-list item, a Mitnick attack was far too expensive per successful TCP connection to be used for advertising.

Spammers that prefer to comply with laws, whether the CAN-SPAM Act or computer crime laws, lose nothing by including additional sender authenticators with their IP addresses and might gain access to mailboxes operated by the authentication as FUSSP brigades. At worst some people who would otherwise spend the effort to blacklist the spammers' IP addresses and complain to ISPs will in effect quietly add themselves to one of those expensive "suppression lists."

Besides, what you call "an organization that specializes in spam" might be what others call a "permission based email advertising agency" that has won a Google or Microsoft auction for the right to send some advertising to mailboxes run by a mail provider that uses SPF, DKIM, or whatever to ease the maintenance of a whitelist. Whitelisting by IP address is technically perfectly sufficient, but like blacklisting by IP address, can need a lot of manual maintenance.

...............

} > >>Does that header change depending on the sender?
} >
} > At the moment, yes, eventually no. We're hashing out the spec in a group
} > down the virtual hall from the DKIM group.
}
} If they're all the same, which I assume means that the e-mail domain
} of the sender will no longer appear in the header text, DCC clients
} won't be able to treat different e-mail domains differently.

You might refuse to update your dkim-milter code to future versions that are compliant with whatever the DKIM Group decides. You could modify future versions to have current behavior. Or perhaps you could convince the code's maintainers to include support for the current behavior as an option. Or maybe future versions of the dkim-milter code will add some other header, perhaps mandated by the future standard, that varies with the sender but is constant among all messages from a given sender.

Vernon Schryver [EMAIL PROTECTED]
_______________________________________________
DCC mailing list [email protected]
http://www.rhyolite.com/mailman/listinfo/dcc
