> On 15 Aug 2023, at 12:36, Alessandro Vesely <ves...@tana.it> wrote: > > On Tue 15/Aug/2023 08:10:23 +0200 Bron Gondwana wrote:
>> "Problem solved." >> As someone who has, as a person running a service with a large number of >> customers who can send email, ... >> If you can provide me an accurate definition of spam which is not recipient >> specific and is actionable, I'd love to see it. Even if we could, >> theoretically, vet every single customer sufficiently to make sure they're >> all well behaved people who never send spam, the probability that we can >> also ensure that their accounts are never compromised, their devices are >> never compromised, such that they never send anything spammy. It's quite >> intractable, broad dismissive claims notwithstanding. > > I won't try a definition. However, I think it's easier to try a definition > of spammer. Probably we can stand the crowd of unintentional spammers whose > account or device was compromised, or who innocently tried to sell their > goods. There’s a lot of mail that can come out of a compromised account or device, so I’m not sure it’s something “we” can stand but I’m not sure that’s important. A compromised account can be shut down by the outbound sender. The device is harder - look at what’s going on with the IoT devices acting as open proxies / relays / sources of mail. But, in any case, that’s a different problem than what we’re dealing with here. > The bulk of actual spam is apparently authored by people who knows what > they're doing. Take this as a definition. Is it actionable? I do think we have to consider intent here. Replay spam, specifically, is intended to bypass anti-spam rules at the signing organization. The whole reason the mail is being signed by a reputable ESP but sent through a different infrastructure is because the reputable ESP will shut down the account. If we go old school: spam is the same thing many times. There was even an article written by someone who said they could ID forum spam even when they didn’t speak the language because it was the same thing repeated many times. (If it’s useful I’ll see if I can track that article down.) >> We've love to not sign spam at all, but short of never allowing users to >> send email, it's not actually possible. We're not trying to "accomodate >> sites that send spam", we're trying to minimise the blast damage of a >> message that a bad actor manages to get signed - because that reduces that >> value of getting such a message stamped with a signature, and that reduces >> the amount of spam. > > Still, knowing that he's a bad actor, you could skip signing. Are there so > many new spammers every day? Or, rather, there is a bunch of professional > spammers who know how to hide? How do you know he’s a bad actor before he does a bad action? That’s the crux of the problem: the bad actor looks very much like a not-bad actor. You can’t generally tell the difference between the two until after the bad action has happened. In fact, the bad actor is often going to try and look as much like a not-bad actor as possible. That doesn’t mean they can’t be tracked. They are, and many of them get shut down based on patterns and vetting and a lot of things. But the reality is: bad-actors are going to get through every process. If we could ID spammers up front and stop them from spamming we’d very likely have done it already. In this case, they’re using DKIM in a way that was forseen by the original authors but not treated as something that needed to be addressed in the protocol. I’ve been thinking about the description of a replay attack and how to describe it. I don’t like the wording here, but I think it might have legs conceptually. In a DKIM replay attack, the attacker sends filter evading mail through the victim domain for rebroadcast through infrastructure owned / controlled by the attacker. The outcome of the attack is that the good domain reputation of the victim domain results in better mail delivery for the attacker than using domains they own or control. There might be a plact, too, to describe the effects on the victims. Sender victims have mail they wouldn’t normally allow out in volume impact their reputation. Mailbox provider victims have their anti-spam defenses compromised. Individual user victims have more spam in their inboxes. laura (participating) -- The Delivery Expert Laura Atkins Word to the Wise la...@wordtothewise.com Delivery hints and commentary: http://wordtothewise.com/blog
_______________________________________________ Ietf-dkim mailing list Ietf-dkim@ietf.org https://www.ietf.org/mailman/listinfo/ietf-dkim
