On Tue, Apr 08, 2014 at 12:21:46AM -0400, John R Levine wrote:
> You would have to track which forwarders are well behaved and add
> valid X-O-A-R headers, but if you can do that, you can skip the header
> analysis and just whitelist the mail from the well behaved forwarders.

The XOAR proposal does specify:

| The X-Original-Authentication-Results header is only useful if the
| forwarder is trusted. The forwarder is free to modify the headers and
| body of the message however it wishes and can generate new signatures
| over arbitrary X-Original-Authentication-Results headers. Thus, the
| user SHOULD only trust X-Original-Authentication-Results if the message
| was delivered by known good forwarders, and forwarders SHOULD NOT
| propagate X-Original-Authentication-Results unless the previous
| forwarder is known to be good.
|
| For the purposes of this memo, a message was delivered through trusted
| forwarder if:
| - The DKIM signature passes
| - The DKIM domain is a trusted forwarder

I think the original scenario you described could be implemented by bad
players as follows:
- Set up a mailman instance with DMARC support that forges the XOAR header.
- Ensure that the mailman outgoing mail passes SPF+DKIM for the domain in
  question.

> Note that there are also well behaved things that don't pass DMARC and
> don't have any original authentication results to report, with the usual
> examples being mail-an-article at the NY Times and Wall Street Journal.

Those uses shouldn't be considered valid, and NYTimes has already moved away
from that, at least as of my test 5 minutes ago.

| MAIL FROM:<emailthis@xxxxxxxxxxxxxxxxxxxx>
| RCPT TO:<robbat2@xxxxxxxxxx>
| DATA
| ...
| From: robbat2 <emailthis@xxxxxxxxxxxxxxxxxxxx>
| Sender: emailthis@xxxxxxxxxxxxxxxxxxxx
| To: robbat2@xxxxxxxxxx
| ...

> > The problem described WILL vanish when all mailing list apps implement
> > DMARC, but until then, it's really broken.
>
> Mailing list apps can't "implement DMARC" other than by getting rid of
> every feature that makes lists more functional than simple forwarders.
> Given that we haven't done so for any of the previous FUSSPs that didn't
> contemplate mailing lists, because those features are useful to our users,
> it seems unlikely we'll do so now.

By "implement DMARC", I meant implement XOAR headers; VERP is too useful to
running lists to get rid of. Non-VERP bounce messages are still too generic,
even in this modern day.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Infrastructure Lead
E-Mail     : robbat2@xxxxxxxxxx
GnuPG FP   : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
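The trust rule quoted from the XOAR memo above (honour X-Original-Authentication-Results only when the message carries a passing DKIM signature whose d= domain is on an explicit list of trusted forwarders), and the forged-XOAR scenario the reply describes, as an added receiver-side example that is not part of the thread or of any mailing-list software. The message texts, domains, header values and the trusted-forwarder list are constructed; the Authentication-Results parser is a simplified one that handles the common `authserv-id; method=result prop.key=value` shape and strips single-level parenthesised comments only.

```python
"""Added example: decide whether an X-Original-Authentication-Results (XOAR)
header may be used, following the quoted memo's rule. All sample data below
is constructed for illustration."""
import email
import re

# Constructed trust list: DKIM d= domains whose XOAR headers we believe.
TRUSTED_FORWARDERS = {"lists.example.org"}

# Constructed sample 1: a list post relayed by a forwarder on our trust list.
TRUSTED_SAMPLE = """\
Authentication-Results: mx.example.com; dkim=pass (good signature)
 header.d=lists.example.org; spf=pass smtp.mailfrom=lists.example.org;
 dmarc=fail header.from=sender.example
X-Original-Authentication-Results: lists.example.org; dkim=pass
 header.d=sender.example; spf=pass smtp.mailfrom=sender.example;
 dmarc=pass header.from=sender.example
From: Alice <alice@sender.example>
To: list@lists.example.org
Subject: hello

body
"""

# Constructed sample 2: an unknown relay that signs its own mail correctly but
# writes an arbitrary XOAR claiming the original message passed DMARC.
UNTRUSTED_SAMPLE = """\
Authentication-Results: mx.example.com; dkim=pass
 header.d=rogue-list.example; spf=pass smtp.mailfrom=rogue-list.example;
 dmarc=fail header.from=someone.example
X-Original-Authentication-Results: rogue-list.example; dmarc=pass
 header.from=someone.example
From: Someone <someone@someone.example>
To: user@example.com
Subject: relayed

body
"""

# Constructed sample 3: trusted forwarder, but no XOAR header to consult.
NO_XOAR_SAMPLE = """\
Authentication-Results: mx.example.com; dkim=pass
 header.d=lists.example.org; dmarc=fail header.from=sender.example
From: Alice <alice@sender.example>
To: list@lists.example.org
Subject: no xoar

body
"""


def parse_auth_results(value):
    """Parse an Authentication-Results style value into
    {method: {"result": ..., "prop.key": value, ...}}.
    Simplified: unfolds whitespace, drops one level of (comments), and
    ignores the leading authserv-id."""
    value = re.sub(r"\([^)]*\)", "", value)
    value = " ".join(value.split())
    results = {}
    for part in [p.strip() for p in value.split(";")][1:]:
        if not part:
            continue
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        info = {"result": result.lower()}
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            info[key.lower()] = val
        results[method.lower()] = info
    return results


def effective_dmarc(msg_text, trusted=TRUSTED_FORWARDERS):
    """Return (dmarc_result, source, reason). source is "xoar" when the
    memo's two conditions hold (DKIM passes at our receiver and the d=
    domain is a trusted forwarder), so the forwarder's original DMARC
    verdict is used; otherwise "local", i.e. our own verdict, and the XOAR
    header is ignored because any relay can write and sign one."""
    msg = email.message_from_string(msg_text)
    local = parse_auth_results(msg.get("Authentication-Results", ""))
    dkim = local.get("dkim", {})
    domain = dkim.get("header.d", "").lower()
    xoar_raw = msg.get("X-Original-Authentication-Results")
    if dkim.get("result") != "pass":
        reason = "DKIM did not pass at our receiver"
    elif domain not in trusted:
        reason = f"DKIM domain {domain!r} is not a trusted forwarder"
    elif xoar_raw is None:
        reason = "no XOAR header present"
    else:
        xoar = parse_auth_results(xoar_raw)
        result = xoar.get("dmarc", {}).get("result", "none")
        return result, "xoar", f"DKIM pass from trusted forwarder {domain}"
    return local.get("dmarc", {}).get("result", "none"), "local", reason


if __name__ == "__main__":
    for name, text in [("trusted", TRUSTED_SAMPLE),
                       ("untrusted", UNTRUSTED_SAMPLE),
                       ("no-xoar", NO_XOAR_SAMPLE)]:
        print(name, effective_dmarc(text))
```

The point the example makes is that the forged XOAR in sample 2 is never consulted: the relay's own DKIM signature verifies fine, but its domain is not on the receiver's trust list, so the receiver falls back to its local `dmarc=fail`. Adding that domain to the trust list is the only thing that flips the outcome, which is why the memo makes the whitelist, not the header, the security boundary.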