On 2/12/23 1:34 PM, Murray S. Kucherawy wrote:
On Fri, Feb 10, 2023 at 2:13 PM Michael Thomas <[email protected]> wrote:
Another thing that should probably be discussed is outbound spam
filtering. At a high level, this is really about the sender
sending spam. But email afaik is silent on whether senders or
receivers should filter for spam (and if there is, it would be
good to reference it). Sender filtering is especially pertinent
and may well have clues of how a sender can mitigate it. A
breakdown of how spammers defeat that outbound filtering would be
really useful. For example, is the spam intended for mailboxes on
the sending domain (eg, gmail)? Or do they go through a two stage
process where they first get the spam through the sender, and then
test it on the intended receiving domains? All of that would be
really helpful.
I think it's sufficient for us to acknowledge that, in either
direction, no spam filter is 100% accurate. It can be tempting to say
"You shouldn't sign spam, and if you do, you're the problem", but I'm
sympathetic to those in that business who are faced with the reality
that they'll never get it 100% right. Instead, I think we have to
accept that reputable signers will occasionally be tricked into
signing spam, and the goal then is to try to develop some new signal
that can be provided to verifiers to handle those cases.
The problem statement document proposed for the WG does spell this
out, I think. What do you find missing in terms of the details? Some
of the nitty gritty probably varies from one email provider to the
next, for example.
It didn't exactly call it out? It called out outsourced outbound
filtering I thought, but that's just acknowledging that it exists? Or
did I miss something?
Maybe what's needed is essentially what you wrote.
"while senders intent on keeping a good reputation must filter outbound
mail for spam and other abuse, these filters are not 100% effective."
Basically saying if you're not filtering outbound mail for abuse, you're
part of the problem.
Mike
_______________________________________________
Ietf-dkim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf-dkim
