
Oct. 7, 2009
2:02 p.m.
--On 8 October 2009 00:21:08 +1100 Daniel Black <daniel@cacert.org> wrote:
> we know the message came from a mailing list, this actually is the hard bit. Options for the recipient verifier are:
> - has a List-ID (or other signature) - must be a mailing list. This allows email spoofers just to add List-ID tags or a simple email characteristic to bypass checking.
> - manage a whitelist of mailing lists that have subscribers in the domain, that can't be easily spoofed. Pretty easy for small domains but many-thousand-user bases require more admin time or run the risk of a user whitelisting a spoofer IP address.
> - originator specified third party signatures - discussion (re)-starting on IETF WG list on this. Bit labour intensive on the sender part. (http://mipassoc.org/pipermail/ietf-dkim/2009q4/thread.html)

Well, my reputation assessment scheme says you should check the DKIM signature added by the list's domain, if there is one. You only trust the list if you have reason to.

--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
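
The check discussed in this message, as an added example that is not part of either poster's text: a List-ID header alone counts for nothing, and list mail is trusted only when a verified DKIM signature comes from a list domain the site has reason to trust. It assumes the receiving MTA has already verified DKIM, recorded the result in an Authentication-Results header under its own authserv-id, and stripped inbound headers claiming that id; `AUTHSERV_ID`, `TRUSTED_LIST_SIGNERS`, the function names, the result labels and all sample messages are constructed for illustration.

```python
import re
from email import message_from_string

AUTHSERV_ID = "mx.example.net"                # assumed: our own MTA's authserv-id
TRUSTED_LIST_SIGNERS = {"lists.example.org"}  # assumed: local reputation data

def verified_dkim_domains(msg):
    """d= domains whose DKIM signature our own MTA recorded as passing."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", "", value)   # drop header comments
        authserv, _, results = value.partition(";")
        ident = authserv.split()
        if not ident or ident[0].lower() != AUTHSERV_ID:
            continue                              # stamped by someone else: ignore
        for clause in results.split(";"):
            if re.search(r"\bdkim\s*=\s*pass\b", clause, re.I):
                m = re.search(r"\bheader\.d\s*=\s*([a-z0-9.-]+)", clause, re.I)
                if m:
                    domains.add(m.group(1).lower().rstrip("."))
    return domains

def classify_list_mail(raw):
    """Decide how far a message's claim to be list mail can be relied on."""
    msg = message_from_string(raw)
    if msg["List-ID"] is None:
        return "not-list"          # ordinary mail: normal sender checks apply
    if verified_dkim_domains(msg) & TRUSTED_LIST_SIGNERS:
        return "trusted-list"      # a list domain we trust signed this copy
    return "unverified-list"       # List-ID is only a claim; do not relax checks

def sample(auth_results):
    """Constructed message carrying a List-ID and the given results header."""
    return ("Authentication-Results: " + auth_results + "\n"
            "List-ID: <discuss.lists.example.org>\n"
            "From: someone@example.com\nSubject: test\n\nbody\n")

SPOOFED = sample("mx.example.net; dkim=none")
UNKNOWN_SIGNER = sample("mx.example.net; dkim=pass header.d=bulk.example")
FORGED_STAMP = sample("mx.other.example; dkim=pass header.d=lists.example.org")
GENUINE = sample("mx.example.net;\n dkim=pass header.d=lists.example.org")

if __name__ == "__main__":
    for name in ("SPOOFED", "UNKNOWN_SIGNER", "FORGED_STAMP", "GENUINE"):
        print(name, classify_list_mail(globals()[name]))
```
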