On 2024-06-03 at 07:05:29 UTC-0400 (Mon, 3 Jun 2024 12:05:29 +0100 (BST))
Andrew C Aitchison <spamassas...@aitchison.me.uk>
is rumored to have said:

> The DKIM RFC
> https://datatracker.ietf.org/doc/html/rfc6376#section-8.2
> tells us that it is not safe to rely on the DKIM length (l=) tag

Never has been safe. Terrible idea from the start. Never should have
been included in the specification.

> and
> https://www.zone.eu/blog/2024/05/17/bimi-and-dmarc-cant-save-you/
> shows how it can be used to subvert BIMI*.

I can't honestly say that I care. BIMI is a misguided concept useful
only to marketers and the mythological creatures they call "consumers"
who behave unlike many real humans.

> I am looking at extending Mail::SpamAssassin::Plugin::DKIM to indicate
> when a DKIM body signature only covers part of the message body
> and how much of the body is unsigned (bytes, percentage or possibly
> both).

I was thinking of the same thing in a half-assed way, just catching
anything using the length tag. I'd bet that correlates to spam but we'd
need data to prove that.

> I am new to the spamassassin code, so any comments or suggestions would
> be welcome.

Resist the urge to refactor. It's easy to break things.

> * I am not a fan of BIMI, but big name players appear to be using
> it to display "trustable" logos on GUI mail clients, so users *will*
> be caught when it breaks.

The concept that users should learn to trust logos as authentication per
se is harmful. BIMI should be broken now and with every opportunity
available. It is an indicator that a MUA author puts the interests of
marketers ahead of the interests of users.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
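The partial-coverage check discussed in the thread (report when a DKIM body signature's l= tag covers only part of the canonicalized body, and how many bytes or what percentage is left unsigned) as an added Python example. This is not code from SpamAssassin or from Mail::SpamAssassin::Plugin::DKIM; the DKIM-Signature header and message body below are constructed samples, and the tag names (c=, l=) and body canonicalization rules are the ones from RFC 6376. A real plugin would take the body and the canonicalization from the signature it has already verified; here both are passed in directly.

```python
import re
from dataclasses import dataclass


def parse_dkim_tags(header_value: str) -> dict:
    """Parse a DKIM-Signature tag=value list (RFC 6376 section 3.2).

    Folding whitespace inside a value is not part of the value, so it is dropped.
    """
    tags = {}
    for item in header_value.split(";"):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)
        name = name.strip()
        if name:
            tags[name] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body: bytes, method: str) -> bytes:
    """Canonicalize a body with the 'simple' or 'relaxed' algorithm (RFC 6376 section 3.4).

    The l= count is measured in octets of this canonicalized form, not of the raw body.
    """
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # Collapse runs of WSP to one SP and drop trailing WSP on every line.
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in lines]
    elif method != "simple":
        raise ValueError(f"unknown body canonicalization: {method!r}")
    canon = b"\r\n".join(lines).rstrip(b"\r\n")  # strip all trailing empty lines
    if canon:
        return canon + b"\r\n"
    # Empty body: 'simple' yields a lone CRLF, 'relaxed' yields nothing.
    return b"\r\n" if method == "simple" else b""


@dataclass
class BodyCoverage:
    body_len: int           # octets in the canonicalized body
    signed_len: int         # octets included in the body hash
    unsigned_bytes: int     # octets the recipient sees that the signature does not cover
    unsigned_percent: float
    partial: bool           # l= present and smaller than the body
    overlong: bool          # l= larger than the body: inconsistent, left to the verifier to reject


def body_coverage(dkim_signature: str, raw_body: bytes) -> BodyCoverage:
    """Compute how much of the canonicalized body a DKIM-Signature's l= tag leaves unsigned."""
    tags = parse_dkim_tags(dkim_signature)
    # c= is "header/body"; a single name applies to the header and implies 'simple' for the body.
    c = tags.get("c", "simple/simple")
    body_method = c.split("/", 1)[1] if "/" in c else "simple"
    body = canonicalize_body(raw_body, body_method)
    body_len = len(body)
    if "l" not in tags:
        return BodyCoverage(body_len, body_len, 0, 0.0, False, False)
    if not re.fullmatch(r"[0-9]+", tags["l"]):
        raise ValueError(f"malformed l= tag: {tags['l']!r}")
    count = int(tags["l"])
    signed_len = min(count, body_len)
    unsigned = body_len - signed_len
    percent = 100.0 * unsigned / body_len if body_len else 0.0
    return BodyCoverage(body_len, signed_len, unsigned, percent, unsigned > 0, count > body_len)


# Constructed sample: l=34 covers exactly the first three lines of the body (34 octets).
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel;\r\n"
    "\th=from:to:subject; l=34; bh=BODYHASH_PLACEHOLDER=; b=SIGNATURE_PLACEHOLDER="
)
SAMPLE_BODY = (
    b"Hi,\r\n"
    b"\r\n"
    b"Your invoice is attached.\r\n"
    b"\r\n"
    b"Appended text that the signature does not cover.\r\n"
)

if __name__ == "__main__":
    cov = body_coverage(SAMPLE_DKIM_SIGNATURE, SAMPLE_BODY)
    print(f"body={cov.body_len} signed={cov.signed_len} "
          f"unsigned={cov.unsigned_bytes} ({cov.unsigned_percent:.1f}%) partial={cov.partial}")
```

A rule built on this would key on `partial` (any l= that leaves bytes unsigned) or on an `unsigned_percent` threshold, which is the data Bill says is needed to see whether the length tag correlates with spam. The `overlong` case is separate: an l= larger than the canonicalized body is not a partial signature but an inconsistent one, and it is the signature verifier's job, not this metric's, to reject it.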