On 2/12/2023 12:48 PM, Wei Chuang wrote:
In this model, let's consider the Receiver's actions.
1. Say the spammer doesn't want to participate in creating a
Separate-Envelope, how would a receiver detect this as Replay? Is the
idea that Separate-Envelope identifies the Alias or Mailing-lIst? Is
the verification process that the Receiver notices that the header is
missing?
One of the continuing problems with anti-abuse discussions is that
discussion always goes to detecting bad actors. While of course there
need to be discussions about them, the problem is that there seem to be
no discussions about good actors.
DKIM and a mechanism such as I'm proposing gives the receiver a
noise-free message flow to evaluate. It can be used for finding bad
actors, of course, but I think its primary benefit is in finding good
actors.
With that said, now to comment on your bad actor line of consideration:
A message arrives that has the address disparity which raises concern.
And it does not have the signed flag noting who created the disparity.
Today and forever, this could be a message from a good actor or a bad
actor. It will take conservative heuristics to handle, but ultimately
the handling would be pretty much the same as today. The mechanism I've
suggested does not make things worse for this scenario...
Except that some fraction of traffic is now trying to help the
analysis. If the mechanism becomes used by the primary domain names
that are being abused, that means that the absence of the mechanism from
a message means it is more likely the message is problematic. But only
"more likely".
2. You've noted what happens when the spammer participates in
generating Separate-Envelope
3. A non-spammer should have a Separate-Envelope, which will validate.
FWIW a different approach but overlaps this idea is that a sender
identifies the domain they intend to send to. The receiving system
verifies that they are the intended recipient domain. I think John
Levine has a draft about this. I have a draft that expands some of
that idea further.
I don't really understand what you are describing. Senders always know
the domain they are sending to. And I don't know what it means for a
receiver to 'verify' that they are the intended recipient, since domain
getting mail was intended (by someone) to get it.
Further, 'intention' is distributed, given Mediators.
I also don't know what draft by Levine you are referring to.
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
mast:@dcrocker@mastodon.social
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
