[Asrg] where the message originated

Robert Barclay rbbarclay at gmail.com
Mon Jan 12 14:37:52 PST 2009 

On Mon, Jan 12, 2009 at 1:51 PM, Franck Martin <franck at avonsys.com> wrote:

> I'm curious when you say ADSP is always keyed of the real live From
> address? You talk about the From: and not the Mail From: (Return-path)?

 Yes, the A is for Author. ADSP is built on top of DKIM and allows domain
owners to specify that they sign some or all mail using a specific domain in
the From: address


>
>
> as a side note, all this SSP/ADSP processing looks like a blackbox (or
> black magic) to me. There is no recommended practices and no one explain
> what they do to filter mail. like in the statement "AOL will use DKIM to do
> build reputation based on domain", what does it mean?


It means they are going to start establishing reputation for DKIM domains
based on the DKIM signed mail passing through their systems. This isn't any
more of a black box than their existing reputation systems.
As for recommended practices I'm not sure there's enough operational
experience is most situations to have anything useful to recommend yet. I
would be pleased to be wrong here but suspect that we may be starting to get
there for some uses of DKIM and are a long way away from that with ADSP.



>
>
> We know well about spamassassin, DNSBL, DCC but this is about it. I thought
> security by obscurity was a bad idea? ;)


Not sure this qualifies for security by obscurity. It's pretty
straightforward how all these technologies work. How people make use of the
data these technologies provide, that only seems obscure because people are
still figuring it out themselves. Compare this to how people use IP
addresses there's a pretty wide variety there and a lot of those uses would
qualify as "obscured" from outside users too.



>
>
> ----- Original Message -----
> From: "Michael Thomas" <mike at mtcc.com>
> To: "Anti-Spam Research Group - IRTF" <asrg at irtf.org>
> Cc: dcrocker at bbiw.net
> Sent: Tuesday, 13 January, 2009 8:24:24 AM (GMT+1200) Auto-Detected
> Subject: Re: [Asrg] where the message originated
>
> Franck Martin wrote:
> > I have run a series of tests, where I sign a message (sent by me) but
> with only the Return-path containing my domain (DKIM does not sign the
> return-path as recommended in the spec).
> >
> > I used the DKIM reflectors on www.dkim.org
> >
> > and the assessment I got was: neutral (none of the signed field contain
> the domain of the signer).
> >
> > like if it is wrong.
> >
> > I think it should be a pass. I fear that many people that verify DKIM
> make the same mistake.
>
>   Note that this not about DKIM but about SSP/ADSP and
> Authentication-Results.
>   I believe that the SSP/ADSP result should be neutral, but that the DKIM
>   result is "pass". A lot of the reflectors haven't been updated for quite
> a
>   while, and the earlier drafts of Auth-Res didn't make a distinction
> between
>   DKIM and SSP/ADSP. So, true to form, differing implementations did
> differing
>   things in the face of the ambiguity.
>
> >
> > I'm thinking of adding an X-header that will contain my domain and sign
> it via DKIM and see if the reflectors are happier.
>
>   I _think_ that my reflector does the right thing in that it separates out
> the
>   dkim results from the ssp results, but I'm pretty sure that it's out of
> date
>   wrt both the new auth-res draft and the adsp draft.
>
>   In either case, an X-header isn't going to change anything. The ADSP part
> is
>   always keyed of of the real live From address.
>
>                Mike
> _______________________________________________
> Asrg mailing list
> Asrg at irtf.org
> http://www.irtf.org/mailman/listinfo/asrg
> _______________________________________________
> Asrg mailing list
> Asrg at irtf.org
> http://www.irtf.org/mailman/listinfo/asrg
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.irtf.org/pipermail/asrg/attachments/20090112/9e4543c3/attachment.htm>

More information about the Asrg mailing list