[Cryptography] Well Known Bad Idea: ask users to make security decisions, or If you *work* for Apple, please update your email software

John Levine johnl at iecc.com
Thu Oct 9 18:21:47 EDT 2025 

It appears that Mu <mu at zuqq.me> said:
>-=-=-=-=-=-
>On Thursday, October 9th, 2025 at 1:43 PM, Jerry Leichter <leichter at lrw.com> wrote:
>
>> Challenge should you decide to accept it: Use an LLM to actually do something useful and
>translate header lines into a format that people without years of experience in decrypting this
>stuff can use to actually get some reasonable indication of message bona fides.
>> -- Jerry
>
>I find pasting headers into https://mha.azurewebsites.net/pages/mha.html ...

Hm, this is like falling into a wormhole to 1997.

Anything an automated header analysis package can do, your mail provider's spam
filters should already have done. If your mail provider is delivering a lot of
spam or phish into your inbox, that says their spam filtering isn't very good
and you should complain. 

They should be able to do much better filtering than you can because they can
see the whole mail stream at once. For example, they can see that a sender that
doesn't normally send bulk mail suddenly sent a blast, or that a whole lot of
similar messages are arriving from different places which means a botnet. Like
the subject line says, asking users to make security decisions is a WKBI.

Back in the 1990s spam filters weren't very good and people responded by asking
for ever more complicated knobs and dials to try to tune them. Then when filters
got better, those demands went away. On large mail systems today the only thing
you can do is to tag mail as junk/not-junk to help them tune their statistical
models.  If your provider's filtering is lousy, tell them to improve it.

Other than the fact that DKIM uses cryptographic signatures, this seems rather
off topic so I'll stop now.

R's,
John

PS: I tried to reply directly to Jerry but his mail system rejected my mail
with  a mystifying "550 Invalid message header syntax" error.  He can of
course run his mail system any way he wants, but I am quite sure my message
headers are OK, and this reminds us that spam filtering is hard and can fail
in both directions.

More information about the cryptography mailing list