On 4/29/08, J D Falk <[EMAIL PROTECTED]> wrote:

JD, thanks. This is very insightful.

> > OK, let's assume ADSP has no "tree walking" or "subzone inheritance"
> > feature. A sender is sending legitimate mails with
> > customercare.bigbank.com with DKIM and an ADSP policy. If a phisher
> > sends mail with a PRA of customer-care.bigbank.com, that would not be
> > signed, and it would not fall under any ADSP policy.
> >
> > In your perfect world, as an imaginary receiver, how would you discern
> > between the two sets of messages?
>
> That's easy: any string comparison will tell you that
> customercare.bigbank.com != customer-care.bigbank.com.  So, assuming no
> treewalking assumption in my reputation system, they'd each have
> entirely separate reputations.
>
> But reputation is never based solely on one tiny bit of information --
> I'd also check to see if the domain exists.  If it doesn't, that would
> very likely result in rejection before even getting to any reputation
> algorithm.

So, a potential way to address this without any sort of "tree walking"
functionality would be:
- As a sender, publish ADSP records for all domains/zones/fqdns you know about
- Recommend that receivers reject mail from non-existing FQDNs used in
PRA or MFROM (or somesuch).

This seems workable. Others who prefer treewalking functionality, why
does this not work for you? Where does this specifically fall down?

Thanks,
Al Iverson

-- 
Al Iverson on Spam and Deliverability, see http://www.spamresource.com
News, stats, info, and commentary on blacklists: http://www.dnsbl.com
My personal website: http://www.aliverson.com   --   Chicago, IL, USA
Remove "lists" from my email address to reach me faster and directly.
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
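The receiver-side half of the scheme proposed above, written out as an added example that is not part of this thread or of any DKIM implementation: an exact-name ADSP lookup with no parent-zone fallback (no "tree walking"), preceded by a domain-existence check that rejects before any reputation step. The DNS table is constructed; the `_adsp._domainkey.<domain>` TXT location and the `dkim=` tag values follow RFC 5617 and are assumptions, not something the message states.

```python
"""Receiver check: exact-domain ADSP, no tree walking, NXDOMAIN rejected first."""

# Constructed stand-in for DNS: name -> {rrtype: [rdata]}. A name that is
# absent from the table is treated as NXDOMAIN. customer-care.bigbank.com
# (the phisher's look-alike) is deliberately not present.
FAKE_DNS = {
    "bigbank.com": {"MX": ["mail.bigbank.com"]},
    "customercare.bigbank.com": {"A": ["192.0.2.10"]},
    "_adsp._domainkey.customercare.bigbank.com": {"TXT": ["dkim=all"]},
}


def domain_exists(name, dns=FAKE_DNS):
    """Any resource record at the exact name counts; otherwise NXDOMAIN."""
    return name in dns


def adsp_policy(domain, dns=FAKE_DNS):
    """Return the dkim= value published at _adsp._domainkey.<domain> (RFC 5617
    location, assumed here), or None when no policy exists. The lookup is for
    the exact author domain only: a record at a parent zone is never consulted."""
    for txt in dns.get(f"_adsp._domainkey.{domain}", {}).get("TXT", []):
        tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
        if "dkim" in tags:
            return tags["dkim"].strip()
    return None


def evaluate(author_domain, signed_domains, dns=FAKE_DNS):
    """author_domain: domain of the From:/PRA. signed_domains: set of d= values
    from DKIM signatures that verified. Returns (verdict, reason)."""
    # Step 1 (the receiver-side half of the proposal): non-existent FQDN -> reject
    # before any reputation algorithm sees the message.
    if not domain_exists(author_domain, dns):
        return "reject", "author domain does not exist"
    # Step 2: an author-domain signature must match the exact string; a
    # signature from bigbank.com says nothing about customercare.bigbank.com.
    if author_domain in signed_domains:
        return "accept", "author-domain signature present; apply reputation"
    # Step 3: unsigned mail is judged only by the policy at the exact name.
    policy = adsp_policy(author_domain, dns)
    if policy in ("all", "discardable"):
        return "reject", f"unsigned but ADSP dkim={policy}"
    return "accept", "no ADSP policy at exact domain; apply reputation"
```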