[Mailman-Developers] dkim and email list software - potential solution

Thu Oct 8 08:07:30 CEST 2009

Daniel Black writes:

 > > You're saying that with ADSP, that's not adequate unless Mailman
 > > first rewrites the "From:" address.

 > yes

In that case it is very often a violation of RFC 733 (most familiarly
known as RFC 822, also STD 11, whose most recent incarnation is RFC
5322).  Surely you already know that!  That's a *lot* of history of
best practice that you are dismissing, it's not going to be acceptable
to a lot of folks,
<RANT>
and in general sucks for users of discussion lists.  Personally, I'd
much rather have my posts dropped.  "Oh yes, your ISP regularly drops
mail because they use broken spam-fighting practices.  It's not just
us, it's every list that conforms to one of the oldest Internet
standards.  If you want to receive your list mail, either subscribe
with an address hosted at a decent ISP, or get your current one to fix
their spam filters."  Most of my users are well-informed, and quite
sympathetic to that argument because they've seen it happen any number
of times.  I really would not appreciate it if "worst practices" were
to become widespread because they cater to the unwashed who just don't
want to receive spam and don't care who pays the cost (as long as it's
not them).
</RANT>

Wouldn't it be more straightforward (not to mention that it would work
for many more lists) to have an LDSP RFC, whose first draft simply
takes the ADSP RFC and substitutes "mailing list" for "author"
everywhere, and "RFC 2369 and RFC 2919 headers" for "From"?  (The
point of multiple headers is that "active" headers like List-Subscribe
could contain bogus URLs.)  A second draft might add "If the list's
host implements ADSP itself, it could also sign the author headers
relevant to ADSP."  Perhaps if it is known that the DKIM signature of
the author's host is going to remain valid, you *don't* sign it,
allowing the recipient to authenticate both the author and the list.

The only real problem with this is getting the big ISPs to implement,
but that's nothing new.  In fact if it's as easy as adding routines to
process the RFC 2369 + RFC 2919 set of headers "just like" ADSP
handles "From:", I bet most would be happy to sign on.

 > > Some lists are configured to [rewrite From:] already,

 > I didn't know this. Anyone know who these are and if they incur any
 > problems as result of this rewrite?

Announce lists are special-purpose lists, ironically mostly used for
something very similar to spamming (except of course, legitimate
"announce" lists are willingly subscribed to).  These are quite
common; they also already fit into the ADSP framework quite well, so
are basically irrelevant to your proposal.

Anonymous discussion lists are special-purpose lists used by folks
like victims of domestic violence.  These are a very good thing IMO,
but again they are not a model for other lists.

 > If you are blindly assessing an email without knowledge that is a
 > mailing list what do you see?

If the list doesn't implement any of RFC 2369 (published 1998) or RFC
2919 (published 2001), the joke is on it.  Otherwise you shouldn't be
blind.  I think it is reasonable to assume that mailing lists are
easily identifiable by the presence of those headers.  For that
precise reason, I propose that they be used instead of "From:" for
ADSP-like authentication of mailing lists.

This is so obvious that I suspect there's some "good" reason why it
won't work, but as long as a harmful alternative is being suggested,
may as well give it a try.