-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I'm expecting that non-DKIM software will "squint at the message"
> anyway. SSP is an input to that process. By "Throw your hands up
> in the air," I gather you mean, "the result of the SSP check is
> indeterminate," and yes, that is an option too. I don't think
> that's a very good option, because it means that an attacker can
> defeat SSP simply by adding an additional From address to a message.
That is indeed what I mean, and I agree that it is suboptimal. However, if an attacker "defeats" SSP this way, but SpamAssassin adds three asterisks to the message because statistically, only an attacker would put two "From"s in a message, then all is good.

You're absolutely right, but if I as a sender know that multiple "From"s will gank SSP, then I won't do it on my important mailings. The very presence of multiple "From"s is an indication that this is a hacked message. No crypto, no DNS is needed at all.

Yes, I know that multiple "From"s is a charming, somewhat useful feature that's a legal part of the email infrastructure. It would be sad for it to wither away. But as we have already seen, its reliability is dodgy (the test got to me just fine, using Mail.app).

There are other legal parts of the email infrastructure that have withered away as well. (E.g. the syntax <user>@<tld> is legal. I happen to have an @AI forwarder that matches my old account on MIT-AI from the late '70s; most software incorrectly thinks that [EMAIL PROTECTED] is not a legal email address.) There are parts that have withered away that in my opinion shouldn't have. (E.g. I still think that collapsing " at " into "@" was a mistake, but I'm like that.)

Tough. Times change. Entropy happens. Embrace the suckiness.

SSP is an important, valuable, *optional* part of the email infrastructure. If SSP and multiple "From"s interact badly in ways we can't fix easily, then just put in a note that says so. Or put in a note that says that an evaluator MAY consider multiple "From"s as a hack on SSP. State it in draftese.

Jon

-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.6.3
Charset: US-ASCII

wj8DBQFHl4kxsTedWZOD3gYRAkZnAJ9ZFdvAJMC5Vfo2vut0Gb47pm9bFACeI8Iw
a7e8pKfXlYU6u6i/CokQZTs=
=O4co
-----END PGP SIGNATURE-----

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
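The interaction the two messages above argue about, as an added illustration that is not part of the thread, the SSP draft, or any DKIM implementation: one evaluator picks the first From: header and looks up that domain's policy, which an attacker can steer by prepending a second From: from a domain with no policy; the other does what the reply proposes and treats any message with more than one From: as a hack on SSP before it looks anything up. The policy table stands in for the SSP DNS lookup, the `signed_domains` argument stands in for the output of DKIM verification, and the three messages are constructed; none of these names or messages come from the original.

```python
"""Added example (not from the DKIM list or the SSP draft): evaluate an
SSP-style policy against a message that may carry more than one From: header.
"""
import email
from email.utils import parseaddr

# Constructed stand-in for the SSP DNS lookup: From-domain -> published policy.
# "all" means the domain states that all of its mail is DKIM-signed.
POLICY_TABLE = {
    "bank.example": "all",
}


def from_domains(raw: bytes) -> list:
    """Return the domain of every From: header in the message, in header order.

    The stdlib parser unfolds continuation lines and matches the field name
    case-insensitively, so "from:" and folded addresses are handled too.
    """
    msg = email.message_from_bytes(raw)
    domains = []
    for header in msg.get_all("From", []):
        _name, addr = parseaddr(header)
        domains.append(addr.rpartition("@")[2].lower())
    return domains


def evaluate_domain(domain: str, signed_domains: set) -> str:
    """Apply the published policy of one From-domain to the verification result."""
    if domain in signed_domains:
        return "signed"           # valid signature from the From-domain
    if POLICY_TABLE.get(domain) == "all":
        return "suspicious"       # domain says everything is signed; this isn't
    return "unknown"              # domain publishes no statement


def naive_ssp(raw: bytes, signed_domains: set) -> str:
    """Evaluator that silently picks the first From: header.

    Whoever controls header order controls which domain's policy is consulted.
    """
    domains = from_domains(raw)
    if not domains:
        return "suspicious"
    return evaluate_domain(domains[0], signed_domains)


def strict_ssp(raw: bytes, signed_domains: set) -> str:
    """Evaluator that treats more than one From: header as a hack on SSP,
    without any DNS lookup, as the reply above suggests."""
    domains = from_domains(raw)
    if len(domains) != 1:
        return "suspicious"
    return evaluate_domain(domains[0], signed_domains)


# Constructed messages (no real addresses or signatures).
LEGIT = b"""From: alice@bank.example
To: bob@example.org
Subject: statement

Your statement is attached.
"""

SPOOF_SINGLE = b"""From: alice@bank.example
To: bob@example.org
Subject: urgent

Please log in here.
"""

# Attacker prepends a From: from a domain with no SSP policy and keeps the
# bank's From: as the second header.
SPOOF_DOUBLE = b"""From: news@example.net
From: alice@bank.example
To: bob@example.org
Subject: urgent

Please log in here.
"""


if __name__ == "__main__":
    signed = {"bank.example"}   # stand-in for a passing DKIM verification
    print("legit      naive=%s strict=%s" % (naive_ssp(LEGIT, signed), strict_ssp(LEGIT, signed)))
    print("spoof x1   naive=%s strict=%s" % (naive_ssp(SPOOF_SINGLE, set()), strict_ssp(SPOOF_SINGLE, set())))
    print("spoof x2   naive=%s strict=%s" % (naive_ssp(SPOOF_DOUBLE, set()), strict_ssp(SPOOF_DOUBLE, set())))
```

With a single From: both evaluators agree; with two, the naive one consults example.net, finds no policy, and returns "unknown" even though the message also claims to be from bank.example, while the strict one flags the message on header count alone.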