On 12/12/22 12:11 PM, Evan Burke wrote:
> On Mon, Dec 12, 2022 at 11:21 AM Michael Thomas <[email protected]> wrote:
>> On 12/12/22 6:57 AM, Murray S. Kucherawy wrote:
>>> On Sun, Dec 11, 2022 at 2:43 PM Michael Thomas <[email protected]> wrote:
>>>> But I want to return to my previous point of whether
>>>> reputation is even quantifiable, and whether somebody has
>>>> actually gone out and researched it. We can say that this is
>>>> a problem in theory, but do we have any data to back it up? I
>>>> kinda think that should be table stakes before talking about
>>>> rechartering.
>>>
>>> The industry appears to think it's a factor. This work comes to
>>> us from M3AAWG where there's a critical mass that believes
>>> reputation abuse of this nature is real. Though I agree it would
>>> be helpful to have metrics to describe it more precisely, it's my
>>> perception that there's enough momentum here to back chartering.
>>
>> So I take it they haven't quantified it either? This strikes me as
>> highly susceptible to using anecdotal evidence as proof. I'm not
>> saying they are wrong, I just would like to see actual evidence.
>> That's especially true if the end result is telling receivers they
>> should do something that they have no stake in.
>
> I suspect that most of the organizations affected aren't positioned to
> share the internal metrics that showed impact, but I can tell you from
> experience the effects can be quite dramatic, and I've spoken to more
> than a few people - also with direct experience - who would say the same.
> These attacks were very narrowly targeted; the vast majority of DKIM
> replay spam this year has been sent to just a few of the largest
> consumer mailbox providers. In that context, lack of awareness of the
> problem is a poor argument against trying to solve it.

If the solution to the problem results in taking away functionality
available for 15 years as some are recommending, I'd say that the onus
is on the people making the claims to actually back it up. From my
perspective this is all just hearsay. I think the larger community is
entitled to something more than that before doing anything.
I have good reason to be suspicious. That Google was one of the major
proponents of ARC, which was supposedly to deal with the mailing list
problem but all boiled down to reputation that could already be done
with plain old DKIM, suggests that reputation remains an unsolved
problem. Maybe it is just one side of the company not knowing what the
other side knows, but I find that rather unlikely. So there is a
contradiction somewhere here from where I sit.
Mike
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim