
Daniel Black writes:
You're saying that with ADSP, that's not adequate unless Mailman first rewrites the "From:" address.
yes
In that case it is very often a violation of RFC 733 (most familiarly known as RFC 822, also STD 11, whose most recent incarnation is RFC 5322). Surely you already know that! That's a *lot* of history of best practice that you are dismissing, it's not going to be acceptable to a lot of folks, <RANT> and in general sucks for users of discussion lists. Personally, I'd much rather have my posts dropped. "Oh yes, your ISP regularly drops mail because they use broken spam-fighting practices. It's not just us, it's every list that conforms to one of the oldest Internet standards. If you want to receive your list mail, either subscribe with an address hosted at a decent ISP, or get your current one to fix their spam filters." Most of my users are well-informed, and quite sympathetic to that argument because they've seen it happen any number of times. I really would not appreciate it if "worst practices" were to become widespread because they cater to the unwashed who just don't want to receive spam and don't care who pays the cost (as long as it's not them). </RANT>
Wouldn't it be more straightforward (not to mention that it would work for many more lists) to have an LDSP RFC, whose first draft simply takes the ADSP RFC and substitutes "mailing list" for "author" everywhere, and "RFC 2369 and RFC 2919 headers" for "From"? (The point of multiple headers is that "active" headers like List-Subscribe could contain bogus URLs.) A second draft might add "If the list's host implements ADSP itself, it could also sign the author headers relevant to ADSP." Perhaps if it is known that the DKIM signature of the author's host is going to remain valid, you *don't* sign it, allowing the recipient to authenticate both the author and the list.
The only real problem with this is getting the big ISPs to implement, but that's nothing new. In fact if it's as easy as adding routines to process the RFC 2369 + RFC 2919 set of headers "just like" ADSP handles "From:", I bet most would be happy to sign on.
Some lists are configured to [rewrite From:] already,
I didn't know this. Anyone know who these are and if they incur any problems as a result of this rewrite?
Announce lists are special-purpose lists, ironically mostly used for something very similar to spamming (except of course, legitimate "announce" lists are willingly subscribed to). These are quite common; they also already fit into the ADSP framework quite well, so are basically irrelevant to your proposal.
Anonymous discussion lists are special-purpose lists used by folks like victims of domestic violence. These are a very good thing IMO, but again they are not a model for other lists.
If you are blindly assessing an email without knowledge that it is a mailing list, what do you see?
If the list doesn't implement any of RFC 2369 (published 1998) or RFC 2919 (published 2001), the joke is on it. Otherwise you shouldn't be blind. I think it is reasonable to assume that mailing lists are easily identifiable by the presence of those headers. For that precise reason, I propose that they be used instead of "From:" for ADSP-like authentication of mailing lists.
This is so obvious that I suspect there's some "good" reason why it won't work, but as long as a harmful alternative is being suggested, may as well give it a try.
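A sketch of the receiver-side check this proposal implies, added here as an example and not part of the original post or of Mailman: it identifies a list message by its RFC 2369 / RFC 2919 headers and reports which of them are listed in the `h=` tag of a DKIM signature from the list's own domain. The sample message, the function names and the alignment rule (the `d=` domain equals the List-Id or is a parent of it) are assumptions, and the signature is inspected structurally, not cryptographically verified.

```python
import re
from email import message_from_string

# RFC 2919 (List-Id) and RFC 2369 (the other List-* fields), lowercased.
LIST_HEADERS = {"list-id", "list-help", "list-subscribe", "list-unsubscribe",
                "list-post", "list-owner", "list-archive"}

# Constructed sample: one author signature, one list signature (values are placeholders).
SAMPLE = """\
From: Alice <alice@author.example>
To: discuss@lists.example.org
Subject: [discuss] hello
List-Id: Discussion list <discuss.lists.example.org>
List-Post: <mailto:discuss@lists.example.org>
List-Unsubscribe: <https://lists.example.org/unsubscribe/discuss>
DKIM-Signature: v=1; a=rsa-sha256; d=author.example; s=a1;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; d=lists.example.org; s=l1;
 h=list-id:list-post:sender; bh=PLACEHOLDER; b=PLACEHOLDER

body
"""

def dkim_tags(value):
    """Split one DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def list_signing_report(raw):
    """Which list headers does a signature from the list's domain cover?"""
    msg = message_from_string(raw)
    present = {name.lower() for name in msg.keys()} & LIST_HEADERS
    match = re.search(r"<([^<>\s]+)>", msg.get("List-Id", ""))
    list_id = match.group(1).lower() if match else None
    covered = set()
    for sig in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(sig)
        domain = tags.get("d", "").lower()
        # Assumed alignment rule: d= equals the List-Id or is a parent domain of it.
        if not (list_id and domain and
                (list_id == domain or list_id.endswith("." + domain))):
            continue  # e.g. the author's own signature
        covered |= present & {h.lower() for h in tags.get("h", "").split(":")}
    return {"is_list": bool(present), "list_id": list_id,
            "covered": covered, "uncovered": present - covered}
```

On the sample, `List-Unsubscribe` comes back as uncovered, which is the "active header with a possibly bogus URL" case the post gives as the reason for signing the whole set of list headers.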