On 2/13/23 2:49 AM, Laura Atkins wrote:
>> Basically saying if you're not filtering outbound mail for abuse,
>> you're part of the problem.
>
> I don’t see how that’s relevant to the discussion here.

It's extremely relevant. If you don't want to be viewed as a spamming
domain, do your part to not send spam. This really isn't rocket science.

> Most of the outbound mail is not detectable as spam (it’s not sent in
> bulk and it is sent to opt-in email addresses). So it won’t catch the
> send-one-message-to-myself case. If we’re looking at linking to spam
> landing sites, it’s trivial for the site to show one thing during the
> initial send and then be a wholly different site when it’s sent by the
> spammer.

According to some others here, the spammers have to go to elaborate ends
to not have it detected as spam. I don't recall if they specified
whether it was incoming or outgoing (or both) that they needed to evade.

> The issue at hand is: can we tighten up the DKIM protocol to make it
> more resistant to replay attacks? Telling the victims that the problem
> is they’re not doing outbound filtering isn’t helpful, nor does it
> address the problem. Expecting the spammer to do outbound filtering
> doesn’t seem to be a useful pathway. If we could convince spammers to
> outbound filter their spam we’d have solved the problem.

Er, huh? It's the sending provider who should be doing outbound
filtering, not the spammer. And sorry, if you want to keep your
reputation as a sender up and you're not doing outbound filtering you
really have nobody to blame but yourself. You're essentially an open relay.

Mike
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim