I've said in multiple threads that the current problem both in the
charter and the problem draft are far too vague for us to address. Here
are some from me at least:
1. Who are the victims? Just bulk senders? Are the bulk senders signing
using their domain?
2. If there are different types of senders who suffer from replay
attack reputation, are the attacks using the same or different
techniques to create the signed spam?
3. Do senders filter outbound traffic for spam?
4. Do spammers who get a piece of email signed by a sender also send
mail to target domains to see if it passes their filters?
5. What are the characteristics of the spammer wrt to the sending
domain? Are they brand new accounts or established ones?
6. Do sending domains keep track of users who are sending spam in the
eyes of their filters? Do they correlate that with other
characteristics of their users such as freshness?
7. Do senders pay any attention to the To domain?
8. Do receivers pay attention to the To domain(s)?
9. Does the To domain spammers use remain more or less static, or do
they mutate at a high rate?
10. Can we quantify the reputation bump (or hit) on the receiver from
these spam bursts? (I'm sure the spammers know the answer to this)
11. Do spammers with a replay server sign and/or set up SPF records for
their spam sending domain?
12. Do spammers provide an unsubscribe link which is typical on normal
email blasts? If not, is that unusual and/or against the rules of
the bulk provider? If so can the sender keep track of that?
13. Can senders verify that opt-out links actually work especially for
new accounts?
14. Can filters be adjusted at a more fine grain in the face of
different conditions? That is, accept a higher false positive rate
in certain conditions?
15. Are there receivers out there that treat an x= expired message
different than a missing or broken signature? It's ambiguous in the
DKIM text about that, I think.
16. Can receivers take advantage of the signalling of a small x= value
as also a clue that the sender is concerned about replays?
17. Do receivers use things like unsigned Subject or To or other
tell-tale fields as signs of a bulk replay?
18. Do receivers collect and use reputation information on mailing lists
and other indirect flows that resign their messages?
19. What percent of incoming email to a mailbox is through resenders and
of that what percent resign?
20. Do receivers keep tabs on which users are using things like mailing
lists to differentiate users who expect to get indirect mail vs
those who don't?
I know that some of these have been answered to some degree or another,
but wanted to put them in one thread so they can be added to the problem
draft easier as needed.
Also: to the degree that some of these questions can't be answered or
only very vaguely is its own answer as to what this wg can and can't do.
Some might be just nice to have, but some might be more foundational.
Feel free to add to my list because I'm sure it's far from comprehensive.
Mike
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim
