On August 9, 2023 3:15:36 AM UTC, Jesse Thompson <z...@fastmail.com> wrote:
>On Tue, Aug 8, 2023, at 6:37 AM, Scott Kitterman wrote:
>> On August 8, 2023 10:18:58 AM UTC, Laura Atkins <la...@wordtothewise.com> wrote:
>> >> On 6 Aug 2023, at 19:07, Jesse Thompson <z...@fastmail.com> wrote:
>> >>
>> >> On Sat, Aug 5, 2023, at 6:50 AM, Laura Atkins wrote:
>> >>>> On 5 Aug 2023, at 02:43, Jesse Thompson <z...@fastmail.com <mailto:z...@fastmail.com>> wrote:
>> >>>>
>> >>>> On Thu, Aug 3, 2023, at 11:08 AM, Laura Atkins wrote:
>> ...
>> >>>
>> >>> A big driver of the work is actually Google. As I understand it, they are having issues because the replay attackers are successfully stealing reputation of otherwise good senders in order to bypass some spam filtering. The replay attackers aren't sending what we commonly think of as spam through the signers - as the message is sent to one recipient (not bulk) and it is opt-in (that recipient wants and has asked for the mail).
>> >>
>> >> This is accurate from my observation. It takes only a single message which evades content filters, and the attacker is the first recipient, who will not report it as abuse.
>> >>
>> >> Which is why an earlier "just don't send spam" comment seemed to be borderline FUSSP rhetoric. If the message isn't detected by the receiver (who has the most visibility into the type of mail its users want to receive) then how can a sender be held to a higher standard of detection with less visibility?
>> >
>> >I agree wholeheartedly. I just wanted to make it clear for the record that this isn't an issue of the signer knowingly signing spam and "deserving" any reputation problems.
>> ...
>>
>> Intent has nothing to do with it. Reputation is what you do, not what you intend.
>
>I think we can agree that spammers will always exist because they are a societal problem. Societal problems can't be completely solved with technology. Spammers will find ways to leverage the technologies we build to leverage in their ill will. DKIM didn't intend to give a haven for spammers to hide behind DKIM signers, but that's what it does. DKIM replay is a problem that is going to persist as long as society has spammers. Yet, DKIM isn't designed to solve spam problems. It conveys identifiable and verifiable information. DKIM signers will not be able to identify 100% of what a receiver will consider spam, but they can provide additional verifiable information for receivers to interpret into their disposition.
>

I think that very much depends on the type of sender. For a corporate domain with good security practices, spam sending can and should be extraordinarily rare. A premium service provider will probably not be able to do as well, even if they invest in knowing their customers. A low cost/free provider will probably do less well yet. I would expect each of these types of domains to have (appropriately) different reputations.

Yes, probably no one is 100% on this over an extended period of time, but that doesn't mean that it's hopeless.

I very much disagree with the idea that DKIM provides a haven for spammers. It may be that receivers are over-valuing a good DKIM signature, but I expect they will adjust (recent discussions on this list point in that direction).

Scott K

_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim