On Fri, Feb 10, 2023 at 1:48 PM Michael Thomas <m...@mtcc.com> wrote:
> On 2/10/23 10:23 AM, Wei Chuang wrote:
> > Hi all,
> > I've posted an updated version of the draft-chuang-dkim-replay-problem-01
> > <https://datatracker.ietf.org/doc/draft-chuang-dkim-replay-problem/01/>
> > draft. It cleans up a lot from the -00 rough draft state, so hopefully it's
> > more clear. It builds a case that spammers are exploiting DKIM through
> > replay, identifies conflicting scenarios, and outlines a solution space.
> >
> > -Wei
> >
> > PS Many, many thanks go to Dave Crocker for his editorial advice.
> >
> > _______________________________________________
> > Ietf-dkim mailing list
> > Ietf-dkim@ietf.org
> > https://www.ietf.org/mailman/listinfo/ietf-dkim
>
> | When large amounts of spam are received by the mailbox provider, the
> | operator's filtering engine will eventually react by dropping the
> | reputation of the original DKIM signer.
>
> I think this needs some amount of justification. It's really easy to hand
> wave this, and it's certainly a common assumption, but it's not a given.
> What exactly does "dropping the reputation" actually mean in practice? Does
> it mean for certain senders, certain classes of senders, the whole sending
> domain? How are such drops weighted? What are plausible metrics the
> receiver might use? One mailbox sending a lot of spam while the sending
> domain otherwise seems to be behaving well seems pretty relevant to the
> topic.
>
> This is especially true if a BCP gets written here. The problem statement
> should be as specific as it can be about why it's hard for receivers to
> overcome this problem. If there's a lot of proprietary stuff that can't be
> talked about, then it's pretty impossible to put together a BCP, since we
> collectively have no idea what those practices are.
>
> I think this really goes to the heart of what's going on here.
>
> Mike

Agreed, there is a certain amount of hand-waviness, and things have to be described abstractly as various black boxes in the system due to their proprietary nature.

But I think it is necessary to mention them to motivate the deliverability aspect of the problem, i.e. why it is impacted, to provide some intuition for the problem space. The same applies to how DKIM replay impacts the utility of email to end users. I think we would agree that there is a preference for a deterministic DKIM replay solution and to avoid reputation systems where possible.

-Wei