Posted to users@spamassassin.apache.org by "Dan Mahoney, System Admin" <da...@prime.gushi.org> on 2007/08/07 09:42:50 UTC
Re: [sa-list] Re: DK_POLICY_SIGNSOME
On Mon, 6 Aug 2007, Mark Martinec wrote:
> Rob,
>
>>> When the domainkey policy record for the domain in question says the
>>> domain signs some of its email.
>>
>> Heheh.. Yeah, I guessed that much, but, we *don't* sign email. Not
>> DK(IM) or anything else.
>
> Yes, this is normal. An absence of a policy record implies
> a default policy, which is a neutral 'signs some mail'.
True, but perhaps, SA could hit a different rule when encountering the
EXPLICIT "signsome" policy versus the IMPLICIT, i.e.
DK_POLICY_SIGNSOME_DEFAULT or something similar? (With corresponding
explanation tests).
-Dan
--
"Tonite on reboot! People misspelling as many words with sexual
connotations as possible..."
-Keyo-Chan, February 10th 1999, Undernet #reboot
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
Re: DK_POLICY_SIGNSOME
Posted by Mark Martinec <Ma...@ijs.si>.
Kai,
> Mark Martinec wrote on Tue, 7 Aug 2007 10:22:22 +0200:
> > Domains which choose a default policy are not required to publish
> > a policy (or SSP) record. Penalizing them for choosing not
> > to explicitly publish what is a default anyway, would be unjust.
> I think that's not the point.
> The point is to distinguish between using DomainKeys
> and not using DomainKeys.
Right. And the only two things that matter here are (not going
into third-party signing difficulties here):
- either a mail carries a VALID signature from the sender
(in which case his reputation may be taken into account),
- or else, the published policy indicates the sending domain
is signing ALL mail (in which case we know a message is fake).
Any other combination is equivalent to a classical mail situation.
Not being so offers a free gift to spammers, e.g. making a distinction
between an invalid and absent signature (a spammer just inserts some junk
signature), or making a distinction between explicit neutral and implicit
(defaulted) policy (a spammer just fakes any sending domain which has
a signing policy that suits him).
> At the moment a domain that doesn't
> use domainkeys is looked at as having default policy "may sign some".
> Frankly, I find this whole portion in the RFC badly flawed. It's an
> implicit opt-in which is considered bad in other circumstances (you know
> what I mean ...). I consider it bad here, too.
The default falls back to a classical non-signed mail situation.
Mark
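The decision rule in the message above (only a valid first-party signature or an explicit "signs all" policy changes the outcome; every other combination is treated as ordinary unsigned mail) written out as an added example for this archive page. It is not SpamAssassin's code; the record parser follows the RFC 4870 policy-record tags (`o=-` signs all, `o=~` signs some, absent record equals `o=~`), and the signature states `valid`/`invalid`/`none` are assumed labels for the verifier's result on the From: domain.

```python
# Added example: DomainKeys policy evaluation as discussed in the thread.
# Not SpamAssassin's implementation; tag names follow RFC 4870.
from typing import Optional

# RFC 4870: a domain that publishes no _domainkey policy record is treated
# as if it had published the neutral "signs some mail" policy (o=~).
DEFAULT_POLICY = {"o": "~"}


def parse_dk_policy(txt: Optional[str]) -> dict:
    """Parse a _domainkey TXT policy record such as "o=-; t=y; n=note".

    None stands for "no record published" and yields the implicit default,
    which is the same policy an explicit neutral record (o=~) states.
    """
    if txt is None:
        return dict(DEFAULT_POLICY)
    tags = {}
    for field in txt.split(";"):
        if "=" not in field:
            continue  # tolerate empty fields and trailing ';'
        key, _, value = field.partition("=")
        tags[key.strip().lower()] = value.strip()
    # A missing or unrecognised "o" tag also falls back to the default.
    if tags.get("o") not in ("-", "~"):
        tags["o"] = "~"
    return tags


def classify(signature: str, policy_txt: Optional[str]) -> str:
    """Outcome for one message.

    signature: 'valid', 'invalid' or 'none' (first-party, From: domain).
    policy_txt: the domain's policy TXT record, or None if absent.
    """
    policy = parse_dk_policy(policy_txt)
    if signature == "valid":
        return "reputation"  # sender verified; its reputation may count
    if policy["o"] == "-":
        return "fake"        # domain signs ALL mail, yet nothing valid here
    return "classical"       # equivalent to plain unsigned mail
```

Note that `classify("invalid", "o=~")` and `classify("none", None)` give the same result: a junk signature or an explicitly published neutral record buys a sender nothing, which is the point Mark makes about not handing spammers a free distinction.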
Re: DK_POLICY_SIGNSOME
Posted by Kai Schaetzl <ma...@conactive.com>.
Mark Martinec wrote on Tue, 7 Aug 2007 10:22:22 +0200:
> Domains which choose a default policy are not required to publish
> a policy (or SSP) record. Penalizing them for choosing not
> to explicitly publish what is a default anyway, would be unjust.
I think that's not the point. The point is to distinguish between using
DomainKeys and not using DomainKeys. At the moment a domain that doesn't
use domainkeys is looked at as having default policy "may sign some".
Frankly, I find this whole portion in the RFC badly flawed. It's an
implicit opt-in which is considered bad in other circumstances (you know
what I mean ...). I consider it bad here, too.
Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: DK_POLICY_SIGNSOME
Posted by Mark Martinec <Ma...@ijs.si>.
Dan,
> > Yes, this is normal. An absence of a policy record implies
> > a default policy, which is a neutral 'signs some mail'.
>
> True, but perhaps, SA could hit a different rule when encountering the
> EXPLICIT "signsome" policy versus the IMPLICIT, i.e.
> DK_POLICY_SIGNSOME_DEFAULT or something similar? (With corresponding
> explanation tests).
Domains which choose a default policy are not required to publish
a policy (or SSP) record. Penalizing them for choosing not
to explicitly publish what is a default anyway, would be unjust.
Favouring a domain just for having a published neutral policy record
would soon get noticed by spammers, who are the first to take advantage
of any such opportunities.
Mark