ietf-822

Re: [ietf-822] WSJ/gmail/ML, was a permission to...

2014-05-04 13:39:58
On Sun, May 4, 2014 at 8:40 AM, John R Levine <johnl(_at_)taugh(_dot_)com> wrote:

FWIW, I agree with Arnt on this one. In fact the case has yet to be made that
DKIM-based whitelisting of list mail is more than a nice-to-have; per-user
whitelisting on the basis of List-id alone along with the usual checks for
blatant viruses and whatnot seems to work pretty well.


Currently, I agree with you.  But if List-ID always meant to skip the
DMARC rejection checks, how long would it take for every paypal.com phish
to include a List-ID?  Presumably competent filters would subsequently
catch it, but it would make DMARC, which is intended to be a cheap
anti-phish technique, totally pointless.



For paypal and other institutional senders, wouldn't it suffice to have a
special DMARC policy that forbids mailing lists from forwarding messages?
Then anyone who receives a message from such a sender that also has a
List-ID can still reject the message, and compliant mailing lists can
reject before forwarding.

Then the problem boils down to impersonating both an individual sender and
a list to which he is supposedly subscribed.  If a List-ID is present and
the list exploder has re-DKIM-signed the message, a DMARC check that the
message really did come through the list exploder should be enough?

Filters could combine this with a day-old-bread strategy to treat brand-new
List-ID sources as suspicious until a reputation is established.
_______________________________________________
ietf-822 mailing list
ietf-822(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-822
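The decision logic the reply sketches (sender policy forbidding list forwarding, List-ID plus a verified list re-signature, day-old-bread reputation for new list sources), as an added example that is not part of the thread or of any IETF specification. It assumes a hypothetical "lists" DMARC tag standing in for the proposed policy, a constructed reputation store, and that DKIM verification results arrive in an Authentication-Results header from an upstream verifier; evaluate() returns "accept", "reject" or "suspicious".

```python
from datetime import datetime, timedelta
from email import message_from_string
# Constructed DMARC-like records. The "lists" tag is a HYPOTHETICAL stand-in
# for the "forbid mailing lists from forwarding" policy proposed in the thread;
# it is not a real RFC 7489 tag.
DMARC_RECORDS = {
    "paypal.example": {"p": "reject", "lists": "no"},
    "person.example": {"p": "reject", "lists": "yes"},
}
# Constructed reputation store: when this filter first saw each List-Id domain.
FIRST_SEEN = {"list.example": datetime(2014, 4, 1)}
NEW_LIST_AGE = timedelta(days=1)  # "day-old-bread" threshold

def domain_of(addr):  # 'A <a@x.example>' -> 'x.example'
    return addr.rsplit("@", 1)[-1].rstrip(">").strip().lower()

def list_domain(list_id):  # 'Name <name.list.example>' -> 'name.list.example'
    return list_id.split("<")[-1].rstrip(">").strip().lower()

def verified_dkim_domains(msg):
    """d= of signatures an upstream verifier reported as dkim=pass in
    Authentication-Results (RFC 7601); a bare DKIM-Signature header proves
    nothing, so it is deliberately not consulted."""
    out = set()
    for ar in msg.get_all("Authentication-Results", []):
        for clause in ar.split(";"):
            if "dkim=pass" in clause and "header.d=" in clause:
                out.add(clause.split("header.d=", 1)[1].split()[0].lower())
    return out

def evaluate(raw_headers, now=None):
    now = now or datetime.now()
    msg = message_from_string(raw_headers)
    sender = domain_of(msg["From"])
    policy = DMARC_RECORDS.get(sender, {"p": "none"})
    passing = verified_dkim_domains(msg)
    if sender in passing:              # ordinary aligned DKIM pass
        return "accept"
    lid = msg["List-Id"]
    if lid is None:                    # no list involved: plain DMARC outcome
        return "reject" if policy["p"] == "reject" else "accept"
    if policy.get("lists") == "no":    # sender forbids list forwarding
        return "reject"
    ld = list_domain(lid)
    if ld not in passing:              # List-Id but no list re-signature
        return "reject"
    seen = FIRST_SEEN.get(ld)
    if seen is None or now - seen < NEW_LIST_AGE:
        return "suspicious"            # brand-new list source: quarantine/score
    return "accept"
```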