> On 12 Feb 2023, at 21:49, Michael Thomas <m...@mtcc.com> wrote: > > > > On 2/12/23 1:34 PM, Murray S. Kucherawy wrote: >> On Fri, Feb 10, 2023 at 2:13 PM Michael Thomas <m...@mtcc.com >> <mailto:m...@mtcc.com>> wrote: >> Another thing that should probably be discussed is outbound spam filtering. >> At a high level, this is really about the sender sending spam. But email >> afaik is silent on whether senders or receivers should filter for spam (and >> if there is, it would be good to reference it). Sender filtering is >> especially pertinent and may well have clues of how a sender can mitigate >> it. A breakdown of how spammers defeat that outbound filtering would be >> really useful. For example, is the spam intended for mailboxes on the >> sending domain (eg, gmail)? Or do they go through a two stage process where >> they first get the spam through the sender, and then test it on the intended >> receiving domains? All of that would be really helpful. >> >> I think it's sufficient for us to acknowledge that, in either direction, no >> spam filter is 100% accurate. It can be tempting to say "You shouldn't sign >> spam, and if you do, you're the problem", but I'm sympathetic to those in >> that business who are faced with the reality that they'll never get it 100% >> right. Instead, I think we have to accept that reputable signers will >> occasionally be tricked into signing spam, and the goal then is to try to >> develop some new signal that can be provided to verifiers to handle those >> cases. >> >> The problem statement document proposed for the WG does spell this out, I >> think. What do you find missing in terms of the details? Some of the nitty >> gritty probably varies from one email provider to the next, for example. >> > It didn't exactly call it out? It called out outsourced outbound filtering I > thought, but that's just acknowledging that it exists? Or did I miss > something? > > Maybe what's needed is essentially what you wrote. > > "while senders intent on keeping a good reputation must filter outbound mail > for spam and other abuse, these filters are not 100% effective." > > Basically saying if you're not filtering outbound mail for abuse, you're part > of the problem. > I don’t see how that’s relevant to the discussion here.
Most of the outbound mail is not detectable as spam (it’s not sent in bulk and it is sent to opt-in email addresses). So it won’t catch the send-one-message-to-myself case. If we’re looking at linking to spam landing sites, it’s trivial for the site to show one thing during the initial send and then be a wholly different site when it’s sent by the spammer. The issue at hand is: can we tighten up the DKIM protocol to make it more resistant to replay attacks? Telling the victims that the problem is they’re not doing outbound filtering isn’t helpful, nor does it address the problem. Expecting the spammer to do outbound filtering doesn’t seem to be a useful pathway. If we could convince spammers to outbound filter their spam we’d have solved the problem. laura -- The Delivery Experts Laura Atkins Word to the Wise la...@wordtothewise.com Email Delivery Blog: http://wordtothewise.com/blog
_______________________________________________ Ietf-dkim mailing list Ietf-dkim@ietf.org https://www.ietf.org/mailman/listinfo/ietf-dkim
