I have one comment to make which ties together both my stance on Otis' doublefrom crusade, and some reforms I have argued for in ADSP.
Basically, at present the doublefrom trick is simply *unnecessary* for someone trying to pass me a forged mail. My MTA, Exim-4.76, does not natively support ADSP. It does support core DKIM, but without ADSP it's not reasonable for the DKIM result to have any effect on the message disposition. It probably wouldn't be *that* hard to cobble together some receiverside ADSP implementation using Exim's other features, but it's just not worth my while. I'm not afraid of any phish fooling me, but I am interested in anything that reduces the amount of "bad mail" reaching my inbox. But while a lot of spam is forged, it's forged to be from some ordinary schlub, not Paypal. I keep records going back to 2007, and since the start of that year 254 bad mails (spam and viruses) have gotten through to me. They represent 210 alleged From: domains. Of those domains, -absolutely none- of them, -today-, have ADSP records at all. Not even a "dkim=unknown"! Thus retrospective analysis shows ADSP is unlikely to make any difference. I may well implement double-From: detection alone. *It* would have blocked three spams from that interval (none of which bear any attempt at a signature). Now, all that aside, Paypal would probably still really like me to arm ADSP, just in case. But while it may be worth *their* time to sail 100km to meet me (that is, by actually maintaining no-mailing-list discipline so they can use discardable), it's not worth *my* time to drive 1km from my hilltop home to the port to meet them. If ADSP were fixed so that it could be deployed meaningfully at ordinary domains, with users who post to mailing lists, this might change. I've already stated my fix -- add "dkim=except-mlist", which states that any message with broken/absent signatures should be considered bogus if it is known not to be a mailing list message. While merely adding a fake "List-Id:" header might let forgeries of except-mlist domains get through to many users, that will never work on me. I recognize my mailing lists via other indicia that are harder to forge (the MAIL FROM:). ---- Michael Deutschmann <mich...@talamasca.ocis.net> _______________________________________________ NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html