[dispatch] draft-levine-herkula-oneclick, additional security consideration

Roland Turner <roland@rolandturner.com> Thu, 01 December 2016 03:46 UTC

Return-Path: <roland@rolandturner.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2159F129441 for <dispatch@ietfa.amsl.com>; Wed, 30 Nov 2016 19:46:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.686
X-Spam-Level:
X-Spam-Status: No, score=-4.686 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-2.896, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=rolandturner.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fmHBm3MsCd7X for <dispatch@ietfa.amsl.com>; Wed, 30 Nov 2016 19:46:17 -0800 (PST)
Received: from sg.rolandturner.com (sg.rolandturner.com [175.41.138.242]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FC91129428 for <dispatch@ietf.org>; Wed, 30 Nov 2016 19:46:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=rolandturner.com; s=0.rolandturner.com; h=Content-Type:MIME-Version:Date:Message-ID:Subject:From:To; bh=wLlRT6/tog9ZwAOspFGXj6DAzMbUNqmjC6w20GQiFPI=; b=B2Jhe6+iAluT+t/ZeX2oRCXaG8NIsK8pfHon+Hrb8mfC0zLA6Q7KWwNX3T5RMr7SLE+JdDIzMwAL67weObrFi9CZ/CqB9tzBAEWDfEKjzNFu/Pf0ADAQQxSQ9yt9HxUJJpFCTLAfIlMF1xoPXxl7BxfFi6fDfRS8quGpKuPhDow=;
Received: from [116.12.149.133] (port=59168 helo=[10.100.1.141]) by sg.rolandturner.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from <roland@rolandturner.com>) id 1cCIK7-00083K-Nb for dispatch@ietf.org; Thu, 01 Dec 2016 03:46:15 +0000
To: dispatch@ietf.org
From: Roland Turner <roland@rolandturner.com>
Message-ID: <724a13e5-e422-b55c-2b36-ba3e63620e48@rolandturner.com>
Date: Thu, 01 Dec 2016 11:46:15 +0800
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------A3CDEF25135CFC817E3E6ED0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/bNA3KjxhZwJ8KkqDEC4q8bjtw5U>
Subject: [dispatch] draft-levine-herkula-oneclick, additional security consideration
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Dec 2016 03:46:19 -0000

The Security Considerations section mentions potential use of the 
mechanism to test whether an email address is valid, but does not 
address the probing of spam filters. This may well be a moot point given 
the widespread use of seed boxes by both legitimate senders and 
spammers; however, I recall that when Gmail first introduced an 
unsubscribe button (in the dialogue box that could pop up if the user 
clicked "This is Spam"), they established three criteria:

  * that a List-Unsubscribe: header was present
  * that the message authenticated, and
  * that the sender was in good standing in terms of its complaint rate.

It may be argued, with some strength, that the third item really makes 
no difference, but it would appear to be a relevant consideration to 
address in Security Considerations, and perhaps an option to suggest.

- Roland
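As an added example (not part of Roland's post, the draft, or any mail provider's code), here is a small Python gate that applies the three criteria listed above to an inbound message: a List-Unsubscribe: header is present, the receiving MTA's own Authentication-Results: header reports a DKIM or SPF pass, and the sender's complaint rate is under a threshold. The sample messages are constructed, the Authentication-Results parsing is a simplified reading of that header's syntax, and the 0.1% complaint-rate threshold is a placeholder assumption since the post gives no number.

```python
"""Gate an "unsubscribe" affordance on the three criteria from the post.

Added example; not code from the post, the draft, or any provider.
"""
from email import message_from_string
from email.message import Message

# Constructed sample messages (not taken from any real mailbox).
# The Authentication-Results header is assumed to have been added by the
# receiving MTA itself; a gateway must strip copies of this header that
# arrive from outside, or a sender could simply claim dkim=pass.
AUTHENTICATED_MSG = """\
Authentication-Results: mx.example.net; dkim=pass header.d=news.example.org; spf=pass smtp.mailfrom=news.example.org
List-Unsubscribe: <https://news.example.org/unsub?id=123>, <mailto:unsub@news.example.org>
From: News <news@news.example.org>
To: user@example.net
Subject: Weekly digest

body
"""

UNAUTHENTICATED_MSG = """\
Authentication-Results: mx.example.net; dkim=neutral reason="invalid (public key: not available)" header.d=example.org; spf=none
List-Unsubscribe: <mailto:leave@example.org>
From: Someone <someone@example.org>
To: user@example.net
Subject: Hello

body
"""

NO_HEADER_MSG = """\
Authentication-Results: mx.example.net; dkim=pass header.d=example.org
From: Someone <someone@example.org>
To: user@example.net
Subject: No unsubscribe header here

body
"""


def parse_authentication_results(value: str) -> dict:
    """Return {method: result} from one Authentication-Results value.

    Simplified parser: the text before the first ';' is the authserv-id;
    each following ';'-separated clause starts with method=result and is
    followed by property/value pairs, which are ignored here. Quoted
    strings containing ';' are not handled (assumption for this example).
    """
    results = {}
    for clause in value.split(";")[1:]:
        clause = clause.strip()
        if not clause:
            continue
        first = clause.split()[0]
        if "=" not in first:
            continue
        method, result = first.split("=", 1)
        results[method.lower()] = result.lower()
    return results


def is_authenticated(msg: Message) -> bool:
    """True if any Authentication-Results header reports dkim=pass or spf=pass."""
    for value in msg.get_all("Authentication-Results", []):
        res = parse_authentication_results(value)
        if res.get("dkim") == "pass" or res.get("spf") == "pass":
            return True
    return False


def in_good_standing(complaint_rate: float, threshold: float = 0.001) -> bool:
    """Placeholder threshold of 0.1% complaints; the post gives no figure."""
    return complaint_rate <= threshold


def unsubscribe_button_allowed(raw: str, complaint_rate: float) -> dict:
    """Evaluate the three criteria and report each one plus the overall verdict."""
    msg = message_from_string(raw)
    checks = {
        "list_unsubscribe_present": msg.get("List-Unsubscribe") is not None,
        "authenticated": is_authenticated(msg),
        "sender_in_good_standing": in_good_standing(complaint_rate),
    }
    checks["allowed"] = all(checks.values())
    return checks


if __name__ == "__main__":
    for name, raw in [("authenticated", AUTHENTICATED_MSG),
                      ("unauthenticated", UNAUTHENTICATED_MSG),
                      ("no header", NO_HEADER_MSG)]:
        print(name, unsubscribe_button_allowed(raw, complaint_rate=0.0005))
```

Note that the archived copy of this very post carries an Authentication-Results: line reading dkim=neutral, which the check above would treat as not authenticated; a receiver that wants the second criterion to mean something must trust only the Authentication-Results: header it added itself and discard any that arrived with the message.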