On Tue, 29 Apr 2008 01:25:26 +0100, John Levine [EMAIL PROTECTED] wrote:
But I have to say, without any sort of domain blanket/coverage
option, it seems like something is really missing here.
I'm seeing an implicit assumption that if someone has an opinion about
mail from foo.com, they will
Steve,
The answer to that depends on what the operational goal
of ADSP is. And that's never been clearly stated, really,
certainly not to the level of there being any consensus on it.
Really? How about Section 1 of RFC 5016?
Eliot
On Apr 29, 2008, at 3:30 AM, Eliot Lear wrote:
Steve,
The answer to that depends on what the operational goal
of ADSP is. And that's never been clearly stated, really,
certainly not to the level of there being any consensus on it.
Really? How about Section 1 of RFC 5016?
It doesn't
On 29 Apr 2008 00:25:26 -, John Levine [EMAIL PROTECTED] wrote:
But I have to say, without any sort of domain blanket/coverage
option, it seems like something is really missing here.
I'm seeing an implicit assumption that if someone has an opinion about
mail from foo.com, they will have
John Levine wrote:
But I have to say, without any sort of domain blanket/coverage
option, it seems like something is really missing here.
I'm seeing an implicit assumption that if someone has an opinion about
mail from foo.com, they will have a similar opinion of mail from
subdomains
I think I am not looking for an implicit assumption to have the same
opinion about a.b.foo.com. I am thinking of how, as a sender, can I
sign and allow (by actively providing the ability to denote good mail
signed as) foo.com or a.foo.com but prevent the use of (by actively
encouraging filter or
But the problem is what goes in the From header of mails coming from
random.example.com? Those will be set by whatever MUA is running on that
secretary's machine which, if that machine was configured by the Secretary
herself, will most likely be left by default at random.example.com.
On 29 Apr 2008 15:10:17 -, John Levine [EMAIL PROTECTED] wrote:
I think I am not looking for an implicit assumption to have the same
opinion about a.b.foo.com. I am thinking of how, as a sender, can I
sign and allow (by actively providing the ability to denote good mail
signed as) foo.com
What I was asking a few messages back is why anyone who's actually
involved in running e-mail would care whether someone forged
beans.rice.a.foo.com.
Yahoo and Hotmail seem to be good candidates to want this. I'm open to
hearing otherwise from them. I think a lack of response on this list
Steve Atkins wrote:
It doesn't contain any operational justification or goal for
SSP. It describes what (one person) wants from SSP, it
does not explain why, and it definitely doesn't provide the
operational problem that SSP is intended to mitigate.
Well, I really don't know where to
On Apr 29, 2008, at 8:36 AM, Eliot Lear wrote:
Steve Atkins wrote:
It doesn't contain any operational justification or goal for
SSP. It describes what (one person) wants from SSP, it
does not explain why, and it definitely doesn't provide the
operational problem that SSP is intended to
Al Iverson wrote:
My underlying point is that I need to understand more about how
phishers, once locked out of use of bigbank.com due to DKIM+ADSP, can
best be persuaded to avoid use of account.info.bigbank.com, or any
other subdomain that they've thought of, that I haven't.
Al, I think
On Tue, Apr 29, 2008 at 11:30 AM, John Levine [EMAIL PROTECTED] wrote:
Also, keep in mind that if despite the fact that it doesn't matter, you
really really REALLY want full ADSP coverage on every possible subdomain,
you can always hire someone to write a specialized DNS server to provide it
I think I'm not the only one making assumptions here.
Of course not.
I'm honestly trying to figure out whether any mail systems treat mail
from sub.foo.com as being from foo.com when they make decisions about
sorting, filtering, and so forth. That's why I'd really appreciate
some actual
Jim Fenton wrote:
Dave Crocker wrote:
I keep waiting for proponents of this 'feature' to solicit technical
review from independent DNS and security experts, for assessing the
likely benefit as balanced against the likely cost.
I have been soliciting technical review from the DNS folks,
Steve Atkins wrote:
And what's the actual operational goal for this?
If you can't give me the general goal, a concrete example or
two would be a good start.
The general goal is to discern that which isn't signed and should be
signed and that which legitimately not be signed. I think one
Folks,
Thought it worth mentioning (touting):
As of late Monday afternoon, mail coming from mipassoc.org, such as the
ietf-dkim mailing list, is now carrying a DKIM signature.
Eliot Lear has been helping my ISP (songbird) to get this running, using the
milter module.
Thanks, Eliot!
John Levine replied to Al Iverson:
Yahoo and Hotmail seem to be good candidates to want this. I'm open to
hearing otherwise from them. I think a lack of response on this list is
not equivalent to a negative response, though.
But you're assuming your conclusions again. I've never heard
John Levine wrote:
I'm honestly trying to figure out whether any mail systems treat mail
from sub.foo.com as being from foo.com when they make decisions about
sorting, filtering, and so forth. That's why I'd really appreciate some
actual examples if there are any. I'm not trying to be
At 09:11 29-04-2008, John Levine wrote:
I'm honestly trying to figure out whether any mail systems treat mail
from sub.foo.com as being from foo.com when they make decisions about
sorting, filtering, and so forth. That's why I'd really appreciate
some actual examples if there are any. I'm not
On Apr 29, 2008, at 8:49 AM, Al Iverson wrote:
On Tue, Apr 29, 2008 at 11:30 AM, John Levine [EMAIL PROTECTED] wrote:
Also, keep in mind that if despite the fact that it doesn't matter,
you really really REALLY want full ADSP coverage on every possible
subdomain, you can always hire
John Levine:
I think I'm not the only one making assumptions here.
Of course not.
I'm honestly trying to figure out whether any mail systems treat mail
from sub.foo.com as being from foo.com when they make decisions about
sorting, filtering, and so forth. That's why I'd really appreciate
On 4/29/08, J D Falk [EMAIL PROTECTED] wrote:
IMHO the thing about phishers forging nonexistent domains is a
non-issue. I can not imagine any circumstances where a nonexistent
domain with no possibility of an ADSP statement will be given the same
privileges as an existing domain that does
Cool!
Al
On 4/29/08, Dave Crocker [EMAIL PROTECTED] wrote:
Folks,
Thought it worth mentioning (touting):
As of late Monday afternoon, mail coming from mipassoc.org, such as the
ietf-dkim mailing list, is now carrying a DKIM signature.
Eliot Lear has been helping my ISP (songbird)
Excellent job! Nice to be eating our own dog food.
Tony Hansen
[EMAIL PROTECTED]
Dave Crocker wrote:
Folks,
Thought it worth mentioning (touting):
As of late Monday afternoon, mail coming from mipassoc.org, such as the
ietf-dkim mailing list, is now carrying a DKIM
Al asked:
OK, let's assume ADSP has no tree walking or subzone inheritance
feature. A sender is sending legitimate mails with
customercare.bigbank.com with DKIM and an ADSP policy. If a phisher
sends mail with a PRA of customer-care.bigbank.com, that would not be
signed, and it would not
On 4/29/08, J D Falk [EMAIL PROTECTED] wrote:
JD, thanks. This is very insightful.
OK, let's assume ADSP has no tree walking or subzone inheritance
feature. A sender is sending legitimate mails with
customercare.bigbank.com with DKIM and an ADSP policy. If a phisher
sends mail with a PRA
I'm honestly trying to figure out whether any mail systems treat mail
from sub.foo.com as being from foo.com when they make decisions about
sorting, filtering, and so forth.
SpamAssassin does this to a degree. It itself white-lists and in its
documentation encourages others to white-list
How will it benefit phishers to use arbitrary sub-domains?
If the use of arbitrary sub-domains within an unsigned message can
get-around an otherwise stricter receive-side filter then the benefit
to phishers is obvious - their pay-load is all the more likely to be
delivered. Compliance
Hi,
In the following case, a message has a valid DKIM signature:
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;
[EMAIL PROTECTED] ...
The author is [EMAIL PROTECTED] where the domain fails step 2 of
Section 4.2.2.
As the message has a valid signature from the Author
Al wrote:
So, a potential way to address this without any sort of tree walking
functionality would be:
- As a sender, publish ADSP records for all domains/zones/fqdns you
know about
Yep.
- Recommend that receivers reject mail from non-existing FQDNs used in
PRA or MFROM (or somesuch).
On Apr 29, 2008, at 2:30 PM, SM wrote:
Hi,
In the following case, a message has a valid DKIM signature:
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=example.com;
[EMAIL PROTECTED] ...
The author is [EMAIL PROTECTED] where the domain fails step 2 of
Section 4.2.2.
As the