D wrote:
> and whitelist all the forged spam.
>
> I hate whitelists, unless they're based on unforgeable data (eg valid
> GPG signature).
On that idea I have been wondering if it might be possible to add signing by the mailing list manager. Majordomo, mailman, etc. could sign the message that it actually came from their lists and was not forged. Then anything that failed the signature test could be discarded as forged spam. Since this would be inserted by the MLM it would be independent of user software originating the message. Duplicate wrappings of gpg user-signed messages would be a problem. And gpg is not the lightest weight program.

BIND went with TSIGs for similar reasons and something like a TSIG in the header seems workable. The protocol should allow for multiple TSIG headers, similar to Received: headers now. Every host along the way could leave their mark on the message. Really, instead of the MLM, any MTA in the sequence could leave their mark on the message. This seems to help with other problems.

I realize this does not avoid spam sent through a mailing list. But it does address the problem of whitelisting of lists causing false negatives. And it helps with forged mail in general.

I know I am dreaming. But am I completely lost here? What did I forget about in this daydream?

Bob
msg07359/pgp00000.pgp
Description: PGP signature
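Added example, not part of the thread or of any MLM or MTA: a small Python sketch of the stacked "TSIG in the header" idea described above. Each hop (list server, then a relay) prepends an HMAC-SHA256 mark over a few header fields, a body hash and all marks already present, the way Received: headers stack; a receiver with the hops' shared secrets verifies them oldest-first and can discard anything whose mark fails. The header name X-Hop-Signature, the field layout, and the message and keys are all constructed for the example; HMAC with a per-hop shared secret stands in for the keyed MAC that TSIG uses, so key distribution between hops is the same trade-off TSIG makes.

```python
import base64
import hashlib
import hmac

# Hypothetical header name, an assumption for this example (not from the thread).
HOP_HEADER = "X-Hop-Signature"


def _header_values(headers, name):
    """All values of header `name`, top to bottom. Headers are (name, value) pairs."""
    return [v for (n, v) in headers if n.lower() == name.lower()]


def _canonical(headers, body, hop_id, ts, signed_fields, prior_marks):
    """The exact bytes a hop commits to: its identity and timestamp, the chosen
    header fields (whitespace collapsed so re-folding by a relay does not break
    the check), a hash of the body, and every mark already present, oldest
    first, so a later hop's mark also covers the earlier hops' marks."""
    parts = [f"hop={hop_id}", f"ts={ts}"]
    for f in signed_fields:
        vals = [" ".join(v.split()) for v in _header_values(headers, f)]
        parts.append(f"{f.lower()}={'|'.join(vals)}")
    parts.append("body=" + hashlib.sha256(body).hexdigest())
    parts.append("prior=" + "|".join(prior_marks))
    return "\n".join(parts).encode()


def _parse_mark(value):
    """'hop=lists.example; ts=1700000000; h=From:To:Subject; sig=...' -> dict."""
    fields = {}
    for item in value.split(";"):
        k, _, v = item.strip().partition("=")
        fields[k] = v
    return fields


def sign_hop(headers, body, hop_id, ts, key, signed_fields=("From", "To", "Subject")):
    """Return a new header list with this hop's mark prepended (like Received:)."""
    prior = list(reversed(_header_values(headers, HOP_HEADER)))  # oldest first
    mac = hmac.new(key, _canonical(headers, body, hop_id, ts, signed_fields, prior),
                   hashlib.sha256).digest()
    sig = base64.b64encode(mac).decode()
    value = f"hop={hop_id}; ts={ts}; h={':'.join(signed_fields)}; sig={sig}"
    return [(HOP_HEADER, value)] + list(headers)


def verify_hops(headers, body, keys):
    """Check every mark oldest-first. `keys` maps hop id -> shared secret.
    Returns [(hop_id, 'ok' | 'bad-signature' | 'unknown-hop'), ...]; a
    "discard on failure" policy acts on the first entry that is not 'ok'."""
    marks = list(reversed(_header_values(headers, HOP_HEADER)))  # oldest first
    results = []
    for i, value in enumerate(marks):
        f = _parse_mark(value)
        hop_id = f.get("hop", "")
        key = keys.get(hop_id)
        if key is None:
            results.append((hop_id, "unknown-hop"))
            continue
        signed_fields = tuple(f["h"].split(":")) if f.get("h") else ()
        expected = hmac.new(key, _canonical(headers, body, hop_id, f.get("ts", ""),
                                            signed_fields, marks[:i]),
                            hashlib.sha256).digest()
        try:
            got = base64.b64decode(f.get("sig", ""))
        except (ValueError, TypeError):
            got = b""
        ok = hmac.compare_digest(expected, got)  # constant-time comparison
        results.append((hop_id, "ok" if ok else "bad-signature"))
    return results


def build_sample():
    """Constructed message signed by a list server and then by a relay."""
    headers = [("From", "alice@example.net"),
               ("To", "list@lists.example"),
               ("Subject", "hop signatures")]
    body = b"Each relay leaves its own mark.\n"
    keys = {"lists.example": b"constructed-list-key",      # constructed secrets
            "mx.example.org": b"constructed-relay-key"}
    h1 = sign_hop(headers, body, "lists.example", 1700000000, keys["lists.example"])
    h2 = sign_hop(h1, body, "mx.example.org", 1700000060, keys["mx.example.org"])
    return h2, body, keys


if __name__ == "__main__":
    signed, body, keys = build_sample()
    for name, value in signed:
        print(f"{name}: {value}")
    print(verify_hops(signed, body, keys))
```

Two points the sketch makes visible: because each mark covers the earlier marks, a forged first-hop header fails even when a genuine relay signed after it, and because the body hash is in the mark, a list that appends a footer must sign after rewriting the message, not before.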