
Re: [Asrg] Re: bounces, and anti-spam principles



On Mon, 2007-01-22 at 18:09 -0800, Steve Atkins wrote:
> On Jan 22, 2007, at 5:59 PM, Dan Oetting wrote:
> > On Jan 22, 2007, at 5:48 PM, Steve Atkins wrote:
> >
> >> Identifying the sender reliably is the missing link in the current  
> >> system.
> >
> > The missing link is really 2 different problems depending on which  
> > side of the link you are on. The receiver can't identify the actual  
> > sender and the smarthost can't reliably identify the email as  
> > abusive. Providing direct feedback when email is abusive (such as  
> > when unsolicited email hits a spamtrap) could bridge the gap and  
> > permit the smarthost to take appropriate action to stop the abuse.
> 
> DKIM and ARF between them provide all the protocol-level solution  
> needed for that. DKIM was the missing link I was thinking of.

Problems remain even when DKIM provides a verifiable domain playing some
role in sending the message.  DKIM excludes the envelope.  A message
signed by Yahoo! can be replayed.  It remains to be seen how effective
ARF might be at suppressing abuse of a free account.  Looking at the
situation with .com, it seems even charging for a service might not
offer much of a reduction, due to a high level of fraud.

DKIM limitations on indicating on whose behalf the message is signed
seem aimed at providing a method to extort use of private keys of
customers as a means to avoid receiving the ARF information directly.
This does not bode well for DKIM and ARF working together. : (

Perhaps something as simple as an 'mx-' prefix on the SMTP client
hostname could be used to indicate compliance with address validation,
in addition to a convention where the domain below this label also
accepts ARF reports.  The prefix also implies the domain's authorization
for sending email.

-Doug


_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
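
Added example, not part of the message above or of the list archive: the bytes a DKIM verifier hashes under `c=relaxed/simple` (RFC 6376), illustrating the statement that DKIM excludes the envelope. The `Delivery` type, the domain, the selector `sel1`, and all addresses are constructed for illustration, and each header is assumed to occur once.

```python
import base64
import hashlib
import re
from dataclasses import dataclass

@dataclass
class Delivery:                      # hypothetical container, not a library type
    mail_from: str                   # SMTP envelope sender (MAIL FROM)
    rcpt_to: str                     # SMTP envelope recipient (RCPT TO)
    headers: dict                    # header name -> value, one instance each
    body: bytes

def body_hash(body: bytes) -> str:
    """bh= tag: 'simple' body canonicalization (RFC 6376 3.4.3) with SHA-256."""
    while body.endswith(b"\r\n"):    # drop trailing empty lines
        body = body[:-2]
    return base64.b64encode(hashlib.sha256(body + b"\r\n").digest()).decode()

def relaxed(name: str, value: str) -> str:
    """'relaxed' header canonicalization (RFC 6376 3.4.2)."""
    value = re.sub(r"\r\n(?=[ \t])", "", value)      # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip()    # collapse whitespace
    return f"{name.lower()}:{value}\r\n"

def signed_digest(d: Delivery, h=("from", "to", "subject", "date")) -> str:
    """SHA-256 over what the signer's key covers; envelope fields are never read."""
    lower = {k.lower(): v for k, v in d.headers.items()}
    data = "".join(relaxed(n, lower[n]) for n in h)
    sig = (f"v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1; "
           f"h={':'.join(h)}; bh={body_hash(d.body)}; b=")
    data += relaxed("DKIM-Signature", sig)[:-2]      # own header, b= empty, no CRLF
    return hashlib.sha256(data.encode()).hexdigest()

# Constructed sample messages.
HDRS = {"From": "alice@example.com", "To": "bob@example.net",
        "Subject": "hello", "Date": "Mon, 22 Jan 2007 18:09:00 -0800"}
original = Delivery("alice@example.com", "bob@example.net", HDRS, b"Hi Bob\r\n")
# Same signed content, different envelope: nothing the verifier hashes changes.
resent = Delivery("bounce@other.example", "carol@example.org", HDRS, b"Hi Bob\r\n")
edited = Delivery("alice@example.com", "bob@example.net",
                  {**HDRS, "Subject": "hello!"}, b"Hi Bob\r\n")

if __name__ == "__main__":
    print(signed_digest(original) == signed_digest(resent))   # envelope ignored
    print(signed_digest(original) == signed_digest(edited))   # header change detected
```

A receiver therefore learns from a valid signature only that the signing domain handled this header and body content, not who the envelope sender or recipient of this particular delivery was.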