On 06/24/2010 08:43 AM, Steve Atkins wrote:
>
> On Jun 24, 2010, at 8:21 AM, Michael Thomas wrote:
>
>> On 06/24/2010 07:49 AM, John Levine wrote:
>>> Are you making the assumption that all third party lists would be equally
>>> credible?  That's no more likely than all DNSBLs being equally credible.
>>>
>>> In both cases, the good ones will make sure their data is correct,
>>> maybe by backchannels to the underlying providers (see the Spamhaus PBL
>>> for an example of that) or by some kind of feedback watching the mail
>>> they make assertions about.  The bad ones won't do that, and won't be
>>> useful.  (See any number of useless poorly run DNSBLs for an example
>>> of that.)
>>
>> Any service that doesn't have an *explicit* guarantee from the mail
>> domain itself that it signs all mail is worse than incompetent,
>> it's harmful. A third party can *never* prove the negative that the
>> domain in question doesn't have sources of unsigned mail that they
>> don't want discarded. The domain in question without a thorough
>> audit probably doesn't have a clue itself if it's even vaguely
>> largeish.
>>
>> So why does a domain that performs that painful audit and
>> remediation need to then tell John's drop list that it's OK to
>> drop unsigned mail? It doesn't. It can just publish an ADSP
>> record and be done with it. No need to count on some unreliable,
>> unaccountable point of failure to mediate their business.
>
> The problem is that it's not possible to distinguish based solely on
> self-published data the domain that's done all that work, and actually
> understands the implications from the domain that's just published
> an ADSP record because they'd heard it was a good idea, with no
> understanding of the effect that would have on their email.

Sure. And it's a bad idea to set your MX records to 127.0.0.1 because
you heard it stops spam cold too.

> Even paypal, who are one of the main forces driving ADSP, didn't
> think through the most basic implications, and caused a lot of
> legitimate email that was from their domains, yet not DKIM signed
> to be received. If recipient use of ADSP were widespread then
> that would have been a business failure rather than just an
> embarrassment.

If people actually deployed ADSP receivers, there'd be a big incentive
for the publishers to get clue too.

> Given that, the odds that any given ADSP-discardable record is
> something that it makes operational sense to use is pretty low.
> And no competent mailbox operator will want to allow untrusted
> third parties to control the service they provide to their customers -
> delivery of email.

That's a bizarre use of "third party". The From sending domain isn't a
"third party" under any definition I can think of.

> A similar argument applies to third party lists, including those
> run by John, ReturnPath and Spamhaus, with the critical difference
> that each of those lists is a single entity, rather than the ADSP-discardable
> pseudo-list, which is run by as many different people as there are
> domains, so their accuracy can be tracked
> over time, and their data only used once it's demonstrated itself to
> be accurate enough to have operational benefits.

A single entity that the domain in question has absolutely no idea
about, and certainly no control over. Considering that their listing
is exactly as accurate as the domain in question's own due diligence
in the best case, and completely wrong in the average case, why would
anybody trust it over the domain's own assertion?

This looks to me like a business in search of a vict^H^H^H^Hcustomer.

Mike
_______________________________________________
NOTE WELL: This list operates according to 
http://mipassoc.org/dkim/ietf-list-rules.html
