On Sun, 2006-08-27 at 06:50 -0400, Damon wrote: > On 8/27/06, Frank Ellermann <[EMAIL PROTECTED]> wrote: > > Douglas Otis wrote: > > > > > Look-alike exploits exist without designated domains. > > > > Sure, but they sail under their own look alike flag. They can't > > "steal" the reputation of an ISP with millions of zombies for > > their criminal purposes. Admittedly that reputation won't be > > good, but still better than "eboy" = "unknown stranger". > > > How is this any different than what we are doing with reputation > systems based on IP right now?
There seems to be some concern about accountability either shifting or not shifting to the designated domain. As this domain can not be verified, this shift should not occur. Any annotations being placed upon a DKIM message should indicate two things at least. - Signing/From Domains Match - Valid Address is in Address Book > > > Seldom does less information improve security however. > > > > Make sure that "eboy" is treated as the "unknown stranger" it > > is, even if isp.example.com signed it, and there's no problem. > > An eboy-SSP trying to change this should be ignored. > > Basing reputation on key provider wouldn't be prudent. If I were a > less than honorable person, I would send all my spam using someone > with a good reputation (goodrep.com) as my DSD. My sig fails because I > purposely munged it, there is no policy saying that this should > definitely be rejected. Because goodrep.com can not publish all of the > domains that it signs for, it is helpless to do anything about this. Only the signing domain can be safely held accountable. ISPs are being used to send spam and DKIM does not change this problem. A DKIM signature does enable better noise-free reporting to help address the issue. The provider must still disable abusive accounts as they are reported. Companies offer a free scrub for their customers when they are infected. The provider still must be diligent. DKIM helps from the reporting side. The 2822.From can not be held accountable as it can not be verified as being culpable. A designated domain involves trusting the signing domain. Trust alone can not be defended with respect to reputation. -Doug _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html