[Mailman-Developers] dkim and email list software - potential solution
Ian Eiloart
iane at sussex.ac.uk
Wed Oct 7 16:02:14 CEST 2009
--On 8 October 2009 00:21:08 +1100 Daniel Black <daniel at cacert.org> wrote:
>
>> we know the message came from a mailing list,
> this actually is the hard bit. Options for the recipient verifier are:
> 1. has a List-ID (or other signature) - must be a mailist. This allows
> email spoofers just to add List-ID tags or a simple email characteristic
> to bypass checking.
> 2. manage a whitelist of maillists that have subscribers in the domain,
> that can't be easily spoofed. Pretty easy for small domains but many
> thousand user bases requires more admin time or run the risk of a user
> whitelisting a spoofer IP address.
> 3. originator specified third party signatures - discussion (re)-starting
> on IETF WG list on this. Bit labour intensive on the sender part.
> (http://mipassoc.org/pipermail/ietf-dkim/2009q4/thread.html)
Well, my reputation assessment scheme says you should check the DKIM
signature added by the list's domain, if there is one. You only trust the
list if you have reason to.
--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
More information about the Mailman-Developers
mailing list