RE: DMARC and yahoo

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> The issue with @yahoo.com and DMARC is not the @yahoo.com users' ability 
> to receive mail, it's their ability to send mail to the list with From: 
> *@yahoo.com and have it be received by list subscribers who implement 
> strict DMARC policies which honor Yahoo!'s p=reject.
>
> It's not clear how setting the @yahoo.com users to digest mode helps 
> this situation at all.

It probably does not. Trying analyze the various positions with a cool head, the obvious conclusion is that hard problems don't have easy answers.

The current mailing list practice has the mailing list as sender, and the original message composer described in the From field. The receiver sees something like:

   Sender: ietf <ietf-bounces@xxxxxxxx> 
   From: Christian Huitema <huitema@xxxxxxxxxxxxx> 
   …

Of course, that particular construct could easily be abused. A phishing message does not differ much from a mailing list message:

   Sender: postmaster <postmaster@xxxxxxxxxxxxxxxxxxx> 
   From: Christian Huitema <huitema@xxxxxxxxxxxxx> 
   …

I understand that the DMARC "alignment" policy is meant to protect against that by requesting that sender domain and from field match. The problem is that a mailing list would then have to invent a new from field, letting the recipient see something like:

   From: Christian Huitema <ietf-christian-huitema@xxxxxxxx>
   Reply-To: Christian Huitema <huitema@xxxxxxxxxxxxx>
   …

The obvious issue is that this particular construct is also quite friendly to phishing. The phishing message would look like:

   From: Christian Huitema <christian-huitema@xxxxxxxxxxxxxxxxxxx>
   Reply-To: Christian Huitema <huitema@xxxxxxxxxxxxx>
   …

If we teach users to ignore the bizarre email address for the mail list messages, we are also teaching them to ignore the bizarre email address in the phishing messages. I doubt that this was the intent of the DMARC authors. 

-- Christian Huitema

(I wrote a longer version of this email at http://huitema.wordpress.com/.)






[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]