On Tue 15/Aug/2023 08:10:23 +0200 Bron Gondwana wrote:
On Thu, Aug 3, 2023, at 15:50, Michael Thomas wrote:
Barry Leiba <barryle...@computer.org> Tue, 01 August 2023 18:40 UTC
I do think the background is important to publish separately for this
work, however easy the problem is to describe.
It's because "replay" is a bogus concept and was discussed and rejected long ago. There
is no solution. "Replay" is just a normal consequence of the email architecture.
[...]
If you don't want a bad reputation for spam, don't sign spam.
[...]
There is far too much financial interest going on here at the expense of ordinary users of email and the profiteers in the industry and their consultants. Don't send
spam. Spend your money figuring that out. Problem solved.
"Problem solved."
As someone who has, as a person running a service with a large number of
customers who can send email, ...
If you can provide me an accurate definition of spam which is not recipient
specific and is actionable, I'd love to see it. Even if we could,
theoretically, vet every single customer sufficiently to make sure they're all
well behaved people who never send spam, the probability that we can also
ensure that their accounts are never compromised, their devices are never
compromised, such that they never send anything spammy. It's quite
intractable, broad dismissive claims notwithstanding.
I won't try a definition. However, I think it's easier to try a definition of
spammer. Probably we can stand the crowd of unintentional spammers whose
account or device was compromised, or who innocently tried to sell their goods.
The bulk of actual spam is apparently authored by people who know what
they're doing. Take this as a definition. Is it actionable?
We'd love to not sign spam at all, but short of never allowing users to send email, it's
not actually possible. We're not trying to "accommodate sites that send spam",
we're trying to minimise the blast damage of a message that a bad actor manages to get
signed - because that reduces the value of getting such a message stamped with a
signature, and that reduces the amount of spam.
Still, knowing that he's a bad actor, you could skip signing. Are there so
many new spammers every day? Or, rather, there is a bunch of professional
spammers who know how to hide?
The whole concept of domain authentication is questionable if domains have no
idea who their users are.
Best
Ale