Re: Realistic responses to DMARC

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



In article <9AD6AAD6812D3B9F8379226B@PSB> you write:
>+1.  FWIW, I have to agree with Ted here.    When a large mail
>provider knowingly and unrepentantly does something that
>violates well-established and well-defined standards and fouls
>up mailing lists for others, especially when that provider also,
>within their business model, pushes a "forum" service that is an
>alternative to those mailing lists, ...

While I am no fan of what Yahoo has done, I think we should limit the
conspiracy theorizing.  I have it on excellent authority that the
reason Yahoo turned on DMARC was entirely the user complaints about
spam with forged addresses taken from stolen address books.  It had
nothing to do with Yahoo Groups.

Yahoo management knew this would screw up every mailing list in the
world, and they explicitly didn't care.  I'm reasonably sure that the
people who run Yahoo Mail had different opinions but they didn't get
to make the decision.  While it is true that it would not be hard to
circumvent DMARC, crooks are as lazy as the rest of us and I continue
to be surprised at the amount of phish stopped by DMARC's simplistic
checks.

I hear that the amount of legit mail that DMARC breaks is well under
1% of the total non-spam mail at large providers, and even though they
know it is mail that the recipients are very interested in, it's hard
to make a business case for doing something for that 0.5 % unless they
are very sure it won't let a lot of the phish back in.  That's the
rationale for ARC, which is a complicated crock, but lets the
provlders make a reasoanble guess about what's non-spam from mailing
lists.  (FYI, they also tell me that legit lists leak spam all the
time due to compromised or forged subscriber accounts, so it has to be
more than just whitelisting the lists.)


>If the net effect is that users of that provider's systems have
>to find another mechanism to participate in IETF work, that is
>the fault of the provider, not the IETF.   ...

I appreciate the theory, but we also need to consider how much blood
loss we are willing to accept to cut off our noses to spite our faces.
It is pretty clear that within the next year Gmail will turn on a
DMARC policy, too, and I expect other large mail providers to turn it
on, too.  

If we tell people, sorry, you can't participate in the IETF using the
giant mail providers you use for everything else, what do you expect
the response to be?  Wow, what a bunch of noble principled idealists,
or wow, I don't have time for this nonsense, maybe I'll go work on
some open source stuff on github instead.  We have enough trouble
recruiting people now without putting more roadblocks in their way.

A few of us have been doing some experiments on DMARC avoidance,
looking to see if there's something we can do that will survive DMARC,
not screw up the mail too badly so it's legible and recipients can
reply reasonably, while uglifying it to remind people whose fault it
is.  Some of the possibilities involve wrapping the real message in an
outer one, some involve changing the From: address to a mutated
version of the sender's address (*not* the list's address.)

Maybe ARC will work well enough that we won't have to do anything, but
I expect ARC will be a half solution at best, since it assumes
recipient MTAs have a rather sophisticated filter system that can
handle all the stuff in the ARC chain of forwarding headers.

R's,
John





[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]