DKIM becomes more official

Vernon Schryver vjs@calcite.rhyolite.com
Sat Oct 13 04:38:47 UTC 2007


> From: John L 

> > I think they are being disingenuous, and that their real purpose
> > is to get email from Ebay/Paypal delivered to Yahoo mailboxes whose
> > owners would otherwise blacklist everything with any hint of
> > Ebay/Paypal.
>
> I just came back from the MAAWG meeting where live people from both Yahoo 
> and Paypal were there.

I'd be worried about the end of life as we know it if they weren't.
What went on at that (or any) conference will turn out in 12 months to
have very little significance whatsoever beyond the money spent attending.
MAAWG has been going on long enough and accomplishing little enough
that it is about time for it to be replaced by the next incarnation of
the let's-get-together-and-talk-spam-to-death charade.

Accomplishing something involves more than agreeing in principle to
maybe do something someday, reports about the distribution of sizes of
pieces of fallen sky, reports from law enforcement about what they might
consider doing given an appropriation, descriptions of laws that will
be passed unless an election or a change of season intervenes, reports
of what a new authentication or other protocol might do if it were
designed and implemented, and other fun talk.

See http://www.maawg.org/home and especially the recent press release
http://www.maawg.org/news/maawg071002
That ends with this game of buzz word bingo:

    The Messaging Anti-Abuse Working Group (MAAWG) is where the
    messaging industry comes together to work against spam, viruses,
    denial-of-service attacks and other online exploitation. MAAWG
    (www.MAAWG.org) is the only organization addressing messaging
    abuse holistically by systematically engaging all aspects of
    the problem, including technology, industry collaboration and
    public policy. It leverages the depth and experience of its
    global membership to tackle abuse on existing networks and new
    emerging services. Headquartered in San Francisco, Calif., MAAWG
    is an open forum driven by market needs and supported by major
    network operators and messaging providers.



> > It's been years since every mailbox in my vicinity
> > stopped accepting anything claiming to be from Ebay/Paypal.
>
> Don't be silly.  Real mail systems have to accept the mail their users 
> want, even when it's risky. 

It would be almost as silly to suggest that real MTAs reject all
mail from Ebay/Paypal as it would be to suggest that zillions of
"wetware" filters don't have much the same effect.


>                              Ebay and Paypal happen to send all their mail 
> from fixed places so you can do a pretty good job of recognizing spoofs by 
> looking at the addresses in received headers,

which is irrelevant to essentially all end users and their wetware filters,
                        
>                                               but signature checking 
> considerably reduces the risk beyond what faux SPF can do.

More important, it offers hope to Yahoo/Ebay/Paypal of getting some
of those wetware filters detuned.  If the phishing for those names
went down, Yahoo users might stop just assuming that any incoming
Ebay/Paypal mail is forged.


> > The next question one ought to ask is what email Ebay/Paypal wants
> > delivered.
>
> Most of it is transactional.  I know they have a reputation as famous 
> spammers, but the reality is that most of their mail is related to stuff 
> that their users are doing.

I didn't say Ebay/Paypal is a spammer; spam is unsolicited bulk email.
If you've signed up for junk, it's not spam.
There are many notions of "transactional" and "related to stuff that
their users are doing."  As I said, my personal experience with Paypal
was that much of it was "transactional" and "related" in the sense of
trying to get me to do more transactions.  Not spam, but junk.


> > My recollection of Paypal is that email is not really needed, and that 
> > the reason Paypal wanted to use email was for advertising.  I've never 
> > used eBay, but I wonder if the same applies, whether you strictly need 
> > email *sent by eBay* to participate as buyer or seller.
>
> I suppose if you had nothing better to do, you could check their web sites 
> three times a day, but it's a lot more convenient for them to send you 
> mail and tell you when someone's sent you money, bought something you've 
> listed, or your auction bid's been accepted.

That makes sense only if you check your email more often than you
check the web.  Isn't IM the 21st Century thing?

Besides, I thought the standard drill for serious eBay players is
to sit on the web because eBay email is far too slow.

And what's that about transactional email that does not have guarantees
of confidentiality, authentication, integrity, and maybe even
non-repudiation?  eBay cares about its imitation (because it lacks that
crypto stuff) transactional email to whip up old fashioned, 19th or
20th Century, buyer/seller auction mania, instead of getting goods
bought and sold at mutually satisfying prices.

>                                               I have stuff listed on 
> ebay's half.com that can sit there for months before someone buys it.

If you want a sale site where things sit not for months but forever,
I'll whip up something.  In other words, I doubt the difference between
half.com and eBay is only email vs. web transactions.


Vernon Schryver    vjs@rhyolite.com



More information about the DCC mailing list
