> On 16 Aug 2023, at 12:59, Alessandro Vesely <ves...@tana.it> wrote:
>
> On Wed 16/Aug/2023 11:17:50 +0200 Laura Atkins wrote:
>>> On 16 Aug 2023, at 09:57, Alessandro Vesely <ves...@tana.it> wrote:
>>> How about enacting common sense rules such as Never sign anything without
>>> reading the small print? In the same way that users agree to any Terms &
>>> Conditions without reading, domains sign any mail their users send without
>>> knowing. Decadent practices, aren't they?
>>
>> Can you expand on this? I’m not sure I understand how reading the content
>> will fix the problem. Spam is an issue of volume mostly.
>
>
> Avoiding to /sign without knowing/ could perhaps partially solve the problem.
> Reading the content was just for comparison with signing agreements.

Without knowing what, though? I am just not understanding what

>>> Does Google know the real ID of its users? I'd guess in many cases they
>>> do; for example, Google does payments and bank stuff which do require real
>>> IDs (I pay, therefore I am). Nevertheless, they sign all email messages
>>> with the same d=gmail.com, irrespective of user reputation.
>>>
>>> I fully understand the right to anonymity. I know it's in the First
>>> Amendment, in the US. However, I figure users should trust their mailbox
>>> providers enough to disclose their real ID. The minority of people who
>>> really need to care about that can always find a provider in countries
>>> where ISPs cannot be forced to disclosure, or suffer sending lower grade
>>> mail.
>>>
>>> Would that be an acceptable kind of solution?
>>
>> I’m not sure I understand how this is a solution. As Evan and Emanuel have
>> both said the bad actors have access to many thousands of accounts that look
>> like real accounts. In my own experience, they have access to validating
>> credit cards which is one of the most common ways to validate a real
>> identity online.
>
>
> There is an ongoing effort to safeguard digital identities (and plaguing
> people with 2FAs). Checking IDs must be possible, and should be done in a
> number of cases. Perhaps free mailbox providers could contribute...?

But 2FA isn’t a real ID, it’s just 2FA.

> Before digressing about methods, the question is whether limiting signing to
> known (good) users could mitigate the replay problem. Suppose an ESP or MP
> only signs mail authored by people who subscribed more than one month ago,
> and whose ID was verified less than six months ago. Would that diminish
> replay attacks by any amount?

Given what I know of how spammers work, one month and 6 months to warm an account is trivial and something that a lot of spammers already bake into their setup processes.

> BTW, how many replay attacks does an average ESP or MP notice in one month?
> Maybe representatives of either group could offer numbers.
>
> Is it legal to mount replay attacks?
>
> Was any user responsible for replay attacks ever identified and prosecuted?

I am not a lawyer and unqualified to address these questions.

laura (participating)

-- 
The Delivery Expert

Laura Atkins
Word to the Wise
la...@wordtothewise.com

Delivery hints and commentary: http://wordtothewise.com/blog
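The signing gate proposed in the quoted message (sign only for accounts that subscribed more than one month ago and whose identity was verified within the last six months), written out as an added example; it is not code from the thread or from any participant or provider. The `Account` record, its `created_at` and `id_verified_at` fields, and the 30-day and 180-day encodings of "one month" and "six months" are assumptions. The sample accounts are constructed; the `warmed_spammer` entry shows the objection raised in the reply: an account that has simply been aged past both thresholds passes the gate like any other.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Thresholds from the proposal in the thread ("subscribed more than one month
# ago", "ID verified less than six months ago"). The day counts are assumptions.
MIN_ACCOUNT_AGE = timedelta(days=30)
MAX_ID_VERIFICATION_AGE = timedelta(days=180)


@dataclass(frozen=True)
class Account:
    """Hypothetical record the signing MTA would consult; not a real provider's schema."""
    user: str
    created_at: datetime                # when the mailbox was opened
    id_verified_at: Optional[datetime]  # last identity check, None if never done


def _require_aware(ts: datetime, name: str) -> datetime:
    # Naive timestamps either fail to compare with aware ones (TypeError) or,
    # if taken as local time, silently shift the thresholds; refuse them outright.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")
    return ts


def signing_decision(account: Account, now: datetime) -> Tuple[bool, str]:
    """Decide whether to DKIM-sign an outbound message from this account.

    Returns (sign, reason); the reason is intended for the signer's log so
    refusals can be audited later.
    """
    now = _require_aware(now, "now")
    age = now - _require_aware(account.created_at, "created_at")
    if age < MIN_ACCOUNT_AGE:
        return False, f"account only {age.days} days old (< {MIN_ACCOUNT_AGE.days})"
    if account.id_verified_at is None:
        return False, "identity never verified"
    verified = _require_aware(account.id_verified_at, "id_verified_at")
    if verified > now:
        return False, "identity verification timestamp is in the future"
    since = now - verified
    if since > MAX_ID_VERIFICATION_AGE:
        return False, f"identity verified {since.days} days ago (> {MAX_ID_VERIFICATION_AGE.days})"
    return True, "account aged and identity recently verified"


# Constructed sample accounts (not real users), evaluated at a fixed instant.
NOW = datetime(2023, 8, 16, 12, 0, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("vetted", datetime(2023, 1, 10, tzinfo=timezone.utc), datetime(2023, 6, 1, tzinfo=timezone.utc)),
    Account("too_new", datetime(2023, 8, 5, tzinfo=timezone.utc), datetime(2023, 8, 5, tzinfo=timezone.utc)),
    Account("stale_id", datetime(2022, 1, 1, tzinfo=timezone.utc), datetime(2022, 12, 1, tzinfo=timezone.utc)),
    Account("never_verified", datetime(2022, 1, 1, tzinfo=timezone.utc), None),
    # Aged 37 days and re-verified yesterday: passes the gate, which is the
    # objection raised in the reply (warming an account through both windows is cheap).
    Account("warmed_spammer", datetime(2023, 7, 10, tzinfo=timezone.utc), datetime(2023, 8, 15, tzinfo=timezone.utc)),
]


def evaluate_all(now: datetime = NOW) -> Dict[str, bool]:
    """Map each sample account to its sign/no-sign decision at `now`."""
    return {a.user: signing_decision(a, now)[0] for a in SAMPLE_ACCOUNTS}


if __name__ == "__main__":
    for account in SAMPLE_ACCOUNTS:
        sign, reason = signing_decision(account, NOW)
        print(f"{account.user:15s} sign={str(sign):5s} {reason}")
```

The gate deliberately returns a reason string alongside the boolean so that a signer can log why a message went out unsigned; without that, a policy like this is hard to tune or to audit after a replay incident. Note what the example does not do: it says nothing about the reputation of the signing domain itself, so a provider applying it would still sign every passing message under one `d=` value, as the thread observes.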