On Fri, 10 Sep 2010 23:37:46 +0100, Steve Atkins <[email protected]> wrote:

> On Sep 10, 2010, at 2:31 PM, Scott Kitterman wrote:
>> ..... If this negative event can be avoided by the simple mechanism of
>> using a mailing list specific "Message" From, then that is a benefit.
>
> Rather than go into the general reasons why I think this is not
> something that ADSP users really want, I'll give a concrete
> example.

What ADSP users want is irrelevant. This is about what MLMs want (which is
most likely to ensure that submitted messages reach the whole of their list
without problems).

> Let's say this mailing list rewrites the From: address in some
> reasonably mechanical manner, and the From: field of
> this message were rewritten as (making up syntax on
> the fly)...
>
> From: steve%blighty.com%[email protected]
>
> ... such that recipients (or their MUAs) know that this mail
> was sent by [email protected] via a mailing list at
> dkim.org.
>
> There's nothing to stop me from sending mail
> From: billing%paypal.com%[email protected], as
> the mailing list isn't using ADSP.

Clearly, mailing lists that do things to the From: SHOULD (even MUST) sign,
and any RFC documenting my proposal would include that. But yes, you could
currently send a message to this list From: that address, but that has
nothing to do with whether my suggestion is adopted or not. I suspect you
would soon find yourself blacklisted by the MLM.

> ... And there's certainly
> nothing to prevent me from sending mail from
> billing%paypal.com%[email protected] that has
> a valid first-person signature.

Indeed, but that is, and has always been, possible, irrespective of whether
my suggestion is adopted. Phishers have been obfuscating their From: headers
in such ways since forever.

> That means that, as far as the end user is concerned,
> I can send them email that is "from" [email protected],
> even though paypal.com is using ADSP to ask receivers
> to discard mail that claims to be from paypal.com but
> is not validly signed by paypal.com.
>
> Given the whole point of ADSP is "Discard if you're not
> sure", I don't think that's what an ADSP using domain
> would want.

Sure they would, but DKIM as specified does not provide that feature except
when everything after the '@' is exact.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
Web: http://www.cs.man.ac.uk/~chl
Email: [email protected]
snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
