On 11/28/2022 2:40 AM, Laura Atkins wrote:
On 27 Nov 2022, at 18:48, Dave Crocker <d...@dcrocker.net> wrote:
On 11/26/2022 5:38 PM, Jim Fenton wrote:
Not Safe: It’s not safe because it breaks Barry’s use case above,
and others have pointed out MUA usage of the signature.
DKIM signature survival after delivery is not a goal for DKIM. If you
feel otherwise, you are seeking an expansion of DKIM's purpose.
This is actually the first I’ve heard this asserted. Do you have some
history to back this up?
Please see the later postings that discussed this.
By way of example, open SMTP relays were deemed unacceptable. And
they still are. Broadly speaking, having receivers remove the DKIM
signature is a version of the same design thinking.
Or perhaps you think open relays are ok, since, after all, attackers
can easily circumvent this?
This seems unreasonably snarky and a personal attack.
The suggestion is for a small, simple, easily-adopted mechanism that
closes off some venues from facilitating this form of abuse.
Rather than consider it in those terms, it has engendered surprisingly
vehement and problematic criticisms. This gets frustrating.
The comparison to open relays is, IMO, appropriate. Consider the kinds
of arguments against this proposal being applied to the suggestion to
close open relays. One would wish for less heat and more thoughtful
deliberation.
We should move onto better ideas.
Or, we might have thoughtful discussion, that engages carefully with
the substance, before discarding suggestions.
I’m not sure why you have settled on stripping the DKIM header as the
solution, but it’s not going to be. It’s not even going to slow the
folks using DKIM replay down (hint: most of the evidence I’ve seen
shows that the attackers are ALREADY using their own MTAs to receive
the emails). Multiple people have explained why this isn’t a solution.
There’s no point in wasting time on a discussion. Let’s move on to
something that will actually address the problem.
I have not settled on the proposal as 'the' solution. I was clear about
this. That you read otherwise demonstrates the problem with how the
proposal is being dismissed out of hand.
The other is the certitude of its uselessness. cf, open relays.
[1] I’m not sure where or why this myth that “spammers won’t pay for
anything”
Since no one said any such thing, I don't know where the myth it has
been said came from.
and “a small incremental cost is sufficient to stop spammers from a
particular technique” came from.
I thought spammers varied in skills and dedication and that simple
mechanisms that blocked lazy spammers was generally viewed as being
useful. Apparently that has changed, and now all spammers are highly
skilled, dedicated and well-funded?
I’ve been on the phone with spam gangs who are spending tens of
thousands a month on infrastructure and running custom code and doing
BGP tricks to avoid port25 blocking and a whole host of other things
that cost money, time and other resources.
Probably a good thing, then, that there was no suggestion this proposal
would stop all replay spammers.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
