
Re: DMARC: perspectives from a listadmin of large open-source lists

2014-04-13 21:57:54
John Levine wrote:
> > Meanwhile, I'm still not proposing that we train users, or even
> > anti-spam software to "recognize" or "validate" mailing list addresses.
> > What I'm proposing is a way to send mail from a list with From:
> > @domain-of-list.tld so that it can pass DMARC/SPF/DKIM, and allow the
> > left side of the @ sign to identify the actual sender of the message.
>
> Yes, that's the 1980s percent hack.  Do you really think it's a good
> idea to reinvent it to get around the defects of the FUSSP du jour?
>
> I agree that it's not plausible to train people to recognize mailing
> list addresses.  But what you're proposing is to train people to be
> phished, by telling them that a rewritten address from something that
> looks sort of like a mailing list is equivalent to whatever the
> original address was.  Given that DMARC is supposed to be an
> anti-phishing tool, this completely defeats the point.
>
> R's,
> John

It strikes me that the real way to address some of these issues is to add a few new headers to SMTP - to get rid of the overloading of the From: and Reply-to: headers associated with mailing lists. An SMTP extension that would absorb some of the well-known and well-understood functions of list software.

I have to think a bit about what the full list of headers might be, but I'd start with:
From: <original author>
List-From: <mailing list>
Reply-To-Original:
Reply-To-List: <set by list manager>
List-Name:
DKIM signature stuff applied to original message
DKIM signature applied by list server

That might be a start toward a real solution that solves both sets of problems.

Then again - it's late, I'm in the middle of doing my taxes - this might not make any sense at all.

Miles Fidelman

--
In theory, there is no difference between theory and practice.
In practice, there is.   .... Yogi Berra
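
Added example, not part of either poster's message: a sketch of the DMARC relaxed-alignment check that this thread turns on, showing why list mail carrying the author's From: fails and why a From: rewritten into the list's domain passes. The domains, sample messages and the two-label organizational-domain shortcut are assumptions made for the illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluators use the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_aligned(raw_message, spf_pass_domain, dkim_pass_domains):
    """Return (aligned, from_domain) under relaxed alignment.

    spf_pass_domain: MAIL FROM domain that passed SPF, or None.
    dkim_pass_domains: d= values of the DKIM signatures that verified.
    """
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg["From"])
    from_domain = addr.rpartition("@")[2]
    target = org_domain(from_domain)
    authenticated = set(dkim_pass_domains)
    if spf_pass_domain:
        authenticated.add(spf_pass_domain)
    # DMARC passes if any authenticated identifier aligns with From:.
    return any(org_domain(d) == target for d in authenticated), from_domain

# Constructed sample messages; every name and domain is a placeholder.
DIRECT = "From: Alice <alice@author.example>\nSubject: hi\n\nbody\n"
VIA_LIST = ("From: Alice <alice@author.example>\nSubject: [list] hi\n\n"
            "body\n-- \nlist footer\n")
REWRITTEN = ("From: alice%author.example@lists.example\n"
             "Subject: [list] hi\n\nbody\n-- \nlist footer\n")

def demo():
    return {
        # Sent by the author's own server: SPF and DKIM pass for author.example.
        "direct": dmarc_aligned(DIRECT, "mail.author.example", ["author.example"])[0],
        # Resent by the list: the bounce address is the list's, and the subject
        # tag and footer invalidate the author's signature, leaving the list's.
        "via_list": dmarc_aligned(VIA_LIST, "lists.example", ["lists.example"])[0],
        # From: rewritten into the list's domain. The check now passes, but it
        # only vouches for lists.example; nothing ties the local part to Alice.
        "rewritten": dmarc_aligned(REWRITTEN, "lists.example", ["lists.example"])[0],
    }

if __name__ == "__main__":
    for case, aligned in demo().items():
        print(f"{case:10s} DMARC aligned: {aligned}")
```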
