[Mailman-Users] Mailman postings deferred by Yahoo
Brad Knowles
brad at shub-internet.org
Thu Feb 21 06:53:58 CET 2008

On 2/21/08, Stephen J. Turnbull wrote:
> Granted, Brad himself often criticizes the implementation at AOL,
> Yahoo, et al. But the underlying strategy is the same. "Stop spam as
> far upstream as you can."

Yeah, but SPF/SenderID and DKIM/DomainKeys are not the right tools to
be forcing everyone else in the industry to be using to achieve this
goal. You might as well force everyone to use only 24lb
sledgehammers when they want to fasten any two objects together, and
ignore all other fastening technologies like screws, glue, etc....

The DKIM guys did their homework -- they identified the weaknesses in
SPF, and they found ways to avoid pretty much all of them. Problem
is, they brought out the crypto-nuclear weapons to use against the
spammers, and they forgot that the spammers are like cockroaches, and
they're the only ones who'll be left on this planet when the nuclear
weapons actually get used.

> You can't have it both ways. If AOL's database is organized by IP,
> when you get filtered, you will get filtered by IP. If you want Yahoo
> to distinguish your "diligent" (and/or "lucky") domains from the less
> so, you're going to have to give them domain keys so the good ones
> can't be spoofed by the bad ones (or worse, by the bad guys
> themselves).

I don't think you can effectively protect these assets by domain.
Among other things, there are far too many places out there that
might have a valid need to send e-mail on my behalf, using my
address, and any domain-level protection mechanism would almost
certainly break that aspect of e-mail. There go all your e-mail
greeting cards, there go all your e-mail notifications of birthdays
or other events, and a whole host of other things.

You can't even protect these assets completely by IP address. If the
spammers can get friendly with an ISP so that they can advertise
bogus routes to your network, then they can send out mail from their
machines using your IP addresses, and all your IP-based security
mechanisms go out the window.

The mail will be treated by the other end as if it really had been
sent by your mail servers, and then they'll go away in five minutes.
But the damage has already been done -- the spam has been sent, and
someone else has been blamed. And all those ephemeral routing
advertisements never get logged anywhere, so no one would ever know
that it wasn't really you that was sending e-mail from that IP
address.

> You don't have to like it; I don't like it at all. But it's not very
> useful to propose that the 600-lb gorillas "stop targeting the
> middlemen," nor to complain about gorillas that ask for authentication
> of every domain that wants to clear its reputation with the simians'
> systems.

I don't mind them targeting the middleman. I just want them to
target using the appropriate tools.

I want them to have enough intelligence to know when a user has set
up forwarding on our system to their system, so that when a spam
message comes in and the user clicks "report as spam", they can look
through the headers of the message and avoid blaming us for sending
spam to that user, because we were actually just doing what the user
asked us to do.

The alternative is to just refuse to forward e-mail anymore. And I
don't really like that.

Oh, and btw, this also affects mailing lists, because all the
low-level mechanisms for forwarding e-mail are functionally identical
to operating a mailing list.

> Not until we can provide an alternative that looks like it
> might work.

They've got the money. Let them pay to come up with something that
will actually work.

--
Brad Knowles <brad at shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
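
The header check asked for in the message above (telling a forwarder apart from the real sender when a user clicks "report as spam"), sketched as an added example that is not part of the original post and not any provider's actual logic. The hostnames, addresses, function names and the assumed IPv4 "from ... by ... for <rcpt>" Received layout are all illustrative assumptions.

```python
import re
from email import message_from_string

# Constructed sample: mail for alice@lists.example is forwarded, at her request,
# to alice@bigisp.example. All hostnames and addresses here are made up.
SAMPLE = """\
Received: from fwd.lists.example (fwd.lists.example [192.0.2.10])
\tby mx.bigisp.example with ESMTP id A1
\tfor <alice@bigisp.example>; Thu, 21 Feb 2008 06:00:03 +0100
Received: from bulk.sender.example (bulk.sender.example [198.51.100.7])
\tby fwd.lists.example with ESMTP id B2
\tfor <alice@lists.example>; Thu, 21 Feb 2008 06:00:01 +0100
From: promo@sender.example

body
"""

# Assumes the common "from H (... [IP]) by H ... for <rcpt>" Received layout.
HOP = re.compile(
    r"from\s+(\S+).*?\[([\d.]+)\].*?\bby\s+(\S+).*?\bfor\s+<([^>]+)>", re.S)

def parse_hops(raw):
    """Return the Received hops, newest first, as dicts."""
    fields = ("from_host", "ip", "by_host", "rcpt")
    values = message_from_string(raw).get_all("Received", [])
    return [dict(zip(fields, m.groups()))
            for m in map(HOP.search, values) if m]

def classify_complaint(raw, our_mx, reporter):
    """Decide whether the host that handed us a reported message originated it
    or only forwarded it (hypothetical helper, not any provider's real logic)."""
    result = {"role": "unknown", "handoff": None, "claimed_origin": None}
    hops = parse_hops(raw)
    # Only the hop stamped by our own MX is trustworthy; reject anything else.
    if not hops or hops[0]["by_host"] != our_mx:
        return result
    handoff = hops[0]
    result.update(role="origin", handoff=handoff["ip"],
                  claimed_origin=handoff["ip"])
    for hop in hops[1:]:
        # Forwarding signature: the handoff host itself accepted this message
        # for a different address than the user who pressed "report as spam".
        if (hop["by_host"] == handoff["from_host"]
                and hop["rcpt"].lower() != reporter.lower()):
            # Lower hops are written by other parties and can be forged, so
            # this is a weighting hint for reputation, not proof of origin.
            result.update(role="forwarder", claimed_origin=hop["ip"])
            break
    return result
```

Calling `classify_complaint(SAMPLE, "mx.bigisp.example", "alice@bigisp.example")` marks 192.0.2.10 as a forwarder and records 198.51.100.7 as the claimed origin.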