[Mailman-Users] Mailman postings deferred by Yahoo
brad at shub-internet.org
Thu Feb 21 06:53:58 CET 2008
On 2/21/08, Stephen J. Turnbull wrote:
> Granted, Brad himself often criticizes the implementation at AOL,
> Yahoo, et al. But the underlying strategy is the same. "Stop spam as
> far upstream as you can."
Yeah, but SPF/SenderID and DKIM/DomainKeys are not the right tools to
be forcing everyone else in the industry to be using to achieve this
goal. You might as well force everyone to use only 24lb
sledgehammers when they want to fasten any two objects together, and
ignore all other fastening technologies like screws, glue, etc....
The DKIM guys did their homework -- they identified the weaknesses in
SPF, and they found ways to avoid pretty much all of them. Problem
is, they brought out the crypto-nuclear weapons to use against the
spammers, and they forgot that the spammers are like cockroaches, and
they're the only ones who'll be left on this planet when the nuclear
weapons actually get used.
> You can't have it both ways. If AOL's database is organized by IP,
> when you get filtered, you will get filtered by IP. If you want Yahoo
> to distinguish your "diligent" (and/or "lucky") domains from the less
> so, you're going to have to give them domain keys so the good ones
> can't be spoofed by the bad ones (or worse, by the bad guys
I don't think you can effectively protect these assets by domain.
Among other things, there are far too many places out there that
might have a valid need to send e-mail on my behalf, using my
address, and any domain-level protection mechanism would almost
certainly break that aspect of e-mail. There go all your e-mail
greeting cards, there go all your e-mail notifications of birthdays
or other events, and a whole host of other things.
You can't even protect these assets completely by IP address. If the
spammers can get friendly with an ISP so that they can advertise
bogus routes to your network, then they can send out mail from their
machines using your IP addresses, and all your IP-based security
mechanisms go out the window.
The mail will be treated by the other end as if it really had been
sent by your mail servers, and then they'll go away in five minutes.
But the damage has already been done -- the spam has been sent, and
someone else has been blamed. And all those ephemeral routing
advertisements never get logged anywhere, so no one would ever know
that it wasn't really you that was sending e-mail from that IP
> You don't have to like it; I don't like it at all. But it's not very
> useful to propose that the 600-lb gorillas "stop targeting the
> middlemen," nor to complain about gorillas that ask for authentication
> of every domain that wants to clear its reputation with the simians'
I don't mind them targeting the middleman. I just want them to
target using the appropriate tools.
I want them to have enough intelligence to know when a user has set
up forwarding on our system to their system, so that when a spam
message comes in and the user clicks "report as spam", they can look
through the headers of the message and avoid blaming us for sending
spam to that user, because we were actually just doing what the user
asked us to do.
The alternative is to just refuse to forward e-mail anymore. And I
don't really like that.
Oh, and btw, this also affects mailing lists, because all the
low-level mechanisms for forwarding e-mail are functionally identical
to operating a mailing list.
> Not until we can provide an alternative that looks like it
> might work.
They've got the money. Let them pay to come up with something that
will actually work.
Brad Knowles <brad at shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
More information about the Mailman-Users