Re: DMARC: perspectives from a listadmin of large open-source lists

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I think the original scenario you described could be implemented by bad
players as follows:
- set up a mailman instance with DMARC support, that forges the XOAR header.
- Ensure that the mailman outgoing mail passes SPF+DKIM for the domain in question.

Right, except it doesn't even have to be mailman, just spamware that creates headers that look like mailman's. Like I said, if you trust the sender to be a real list, deliver its mail. If you don't, don't. I don't think there are any major conceptual challenges here.

Those uses shouldn't be considered valid, and NYTimes has already moved
away from that, at least as of my test 5 minutes ago.

Well, the WSJ does. This is a perfectly reasonable way to send mail, endorsed by decades of practice.

|Date: Tue, 8 Apr 2014 02:24:13
|From: "wsjol@xxxxxxxxxxxxxx" <wsjol@xxxxxxxxxxxxxx>
|To: johnl@xxxxxxxxx
|Subject: WSJ.com - Ukrainian leaders, U.S. slam Russia over new unrest;

The envelope bounce address is <bounces@xxxxxxxxxxxx>, again perfectly reasonable.

By implement DMARC, I meant implement XOAR headers; VERP is too useful

As described above, XOAR is not useful because you can't trust it.

Regards,
John Levine, johnl@xxxxxxxxx, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.

<<attachment: smime.p7s>>


[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]