
Re: [Asrg] Third party DKIM signatures




On Jun 3, 2006, at 6:50 PM, John Levine wrote:

What a complete waste of effort. If I were an ISP using DKIM, I would
be sure there was a header in my outgoing mail with enough info to
identify the customer (opaque token is fine), and include it in the
signature. Then if a recipient objects, I know who the guilty party
is regardless of what address he used.

I did state in my first post:
It may help to preemptively address the forgery issue if the ISP
were to ensure that the From address were valid

Who said anything about From addresses? Like I said, the signing ISP puts a token in one of the signed headers so it knows which customer it was, regardless of what's on the From: line. As I think we've gone over more than once, it is extremely unlikely that an ISP would know what addresses its customers were or were not allowed to use, and arbitrary limits like "you have to use the address that came with the account" don't work.

As I have been saying all along, if your ISP is operating in a way that it costs the spammers more to establish a new account than they perceive they will gain by abusing their privileges till they get booted, you should be fine handling abuse after the fact. But when the criminal spammers invade your ISP using stolen credit cards and figure their costs at zero, will you be able to stop them fast enough?


ISPs are each going to approach this problem differently. Some will put in costly measures to verify the real user identities before an account is opened. Others will choose to prevent the abuse by filtering what gets out of their servers. I'm not going to argue that one way is better than another; the goal is to stop the abuse or at least reduce it to a manageable level.

I personally believe that legitimate users that are not part of the spam problem should be unencumbered by the anti-spam measures. My favored approach is to detect the abuse as quickly as possible, notify the ISP or other controlling party as directly as possible, and have the abuse stopped before the rest of the net is significantly inconvenienced. Since filtering From addresses of legitimate users is against my personal belief, I'm going to drop such discussions now.

-- Dan Oetting
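
The customer token in a signed header that the quoted text describes, sketched as an added example (not code from either poster). The header name `X-Customer-Token`, the HMAC construction, the key and the account names are assumptions; the DKIM signing itself is left to the signer, which would list `SIGNED_HEADERS` in the `h=` tag.

```python
import hashlib
import hmac
from email.message import EmailMessage
from typing import Iterable, Optional

TOKEN_HEADER = "X-Customer-Token"  # hypothetical header name, not from the thread
SECRET = b"constructed-demo-key"   # constructed; a real key stays in the signer's key store
# Header names for the DKIM-Signature h= tag, so the signature covers the token.
SIGNED_HEADERS = ["From", "To", "Subject", "Date", "Message-ID", TOKEN_HEADER]

def make_token(account: str, message_id: str) -> str:
    """Opaque per-message token: keyed hash of the account and the Message-ID."""
    data = f"{account}\n{message_id}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()[:32]

def stamp(msg: EmailMessage, account: str) -> EmailMessage:
    """Run at submission, after authentication names the account and before signing."""
    del msg[TOKEN_HEADER]  # discard any value the customer supplied
    msg[TOKEN_HEADER] = make_token(account, str(msg["Message-ID"]))
    return msg

def resolve(reported: EmailMessage, accounts: Iterable[str]) -> Optional[str]:
    """Abuse desk: map the token in a reported message back to an account."""
    token, mid = reported[TOKEN_HEADER], reported["Message-ID"]
    if token is None or mid is None:
        return None
    want = str(token).strip().encode()
    for account in accounts:
        if hmac.compare_digest(make_token(account, str(mid)).encode(), want):
            return account
    return None

def demo() -> Optional[str]:
    # Constructed message: the From: line names an address unrelated to the account.
    msg = EmailMessage()
    msg["From"] = "someone@elsewhere.example"
    msg["Message-ID"] = "<20060603.1@isp.example>"
    msg[TOKEN_HEADER] = "customer-supplied-value"
    stamp(msg, "acct-1002")
    return resolve(msg, ["acct-1001", "acct-1002", "acct-1003"])

if __name__ == "__main__":
    print(demo())
```

Because the token is keyed on the Message-ID as well as the account, recipients cannot link two messages to the same customer, while the ISP can still resolve any reported message.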


