On 04/13/2014 02:10 PM, John Levine wrote:
Building on the FROM_IS_LIST idea, rather than having the From be
rewritten to simply "list(_at_)example(_dot_)com" why not establish a convention
(dare I say "standard?") to encode the real from address and list to the
left of the @ sign? The rub with DMARC/SPF/DKIM is the domain itself,
not the whole address.
This is a minor tweak of the "authenticated phish via on-behalf-of" proposal.
It's not, actually. The defects in XOAR are obvious even to me.
Spammers can send mail that looks a lot like mailing lists, you know.
What does that have to do with anything? If the message authenticates
via DMARC/SPF/DKIM then that's a point in its favor in terms of it not
being spam. If the message comes through with a From: that "looks like a
mailing list" who cares? Even if that message passes all of the other
spam filtering mechanisms between it and the user, the user is likely to
know if they are signed up for a mailing list that the spam message is
trying to fake, even if it isn't obvious on its face that it's spam to
start with.
From: Paypal Security
<security(_at_)paypal(_dot_)com(_dot_)lists(_dot_)rbn(_dot_)ru>
DMARC/SPF/DKIM will actually benefit that message if it has a valid
signature. Nothing "mailing list" related about it.
But wait, I have an even better idea, Nobody ever thought of this one!
From: Paypal Security
<security%paypal(_dot_)com(_at_)lists(_dot_)rbn(_dot_)ru>
Same here. And again, if the message comes through with a valid
signature it's less likely to get caught as spam.
Meanwhile, I'm still not proposing that we train users, or even
anti-spam software to "recognize" or "validate" mailing list addresses.
What I'm proposing is a way to send mail from a list with From:
@domain-of-list.tld so that it can pass DMARC/SPF/DKIM, and allow the
left side of the @ sign to identify the actual sender of the message.
Doug