Currently, I agree with you. But if List-ID always meant to skip the
DMARC rejection checks, how long would it take for every paypal.com phish
to include a List-ID? Presumably competent filters would subsequently
catch it, but it would make DMARC, which is intended to be a cheap
anti-phish technique, totally pointless.

For paypal and other institutional senders, wouldn't it suffice to have a
special DMARC policy that forbids mailing lists from forwarding messages?

I think this leads to an infinite regress. AOL and Yahoo have a real
problem: crooks broke in and stole people's address books, and are now
sending spam from AOL and Yahoo addresses to recipients in the users'
own address books. Spammers are not totally stupid, and if there is a
flavor of DMARC they could bypass with a List-ID, they'll add a
List-ID. Even worse, since the volume of spam is vastly greater than
the volume of legitimate mail, most mail with List-ID would be spam,
and it would perversely become a fairly good spam indicator. If
you've seen the X-Anti-Abuse header added by web hosting control
panels, it's suffered the same fate since spammers have figured out
how easy it is to break into dusty blog and CMS sites and spam from
them.

The basic problem here is that anything a list can do to say "I am a
list", a spammer can do, too. You can only make credible assertions
to decrease the reputation of your mail, e.g. SPF's "if it's not one of
these IPs, it probably isn't me", or to say "this is really from me", so
people can apply whatever opinion they already have of you.

The permission to forward hack is a little different since it's not
the list making the assertion, it's the list in combination with the
original sender, applicable to one specific address via one forwarder
for a limited time.

R's,
John
_______________________________________________
ietf-822 mailing list
ietf-822(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf-822
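
The argument in the message above, as an added example that is not part of the original post: a receiver-side filter evaluated with and without a "List-ID skips DMARC rejection" rule, run over constructed messages. The domain names, the policy table standing in for the DNS lookup, and all function names are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed stand-in for the DNS lookup of each domain's _dmarc record.
PUBLISHED_POLICY = {"bank.example": "reject"}

def _msg(auth, list_id=None):
    # Build a constructed message. Authentication-Results is stamped by the
    # receiver's own verifier; List-ID is whatever the sender chose to write.
    headers = [
        f"Authentication-Results: mx.example.net; dmarc={auth} header.from=bank.example",
        "From: Support <support@bank.example>",
    ]
    if list_id:
        headers.append(f"List-ID: {list_id}")
    return message_from_string("\n".join(headers) + "\n\nbody\n")

SAMPLES = {
    "direct_genuine": _msg("pass"),
    "direct_spoof": _msg("fail"),
    "via_real_list": _msg("fail", "<discuss.lists.example.org>"),
    "spoof_with_list_id": _msg("fail", "<news.lists.example.org>"),
}

def dmarc_result(msg):
    # Pull the DMARC verdict and From domain out of the receiver's own header.
    m = re.search(r"dmarc=(\w+)\s+header\.from=(\S+)",
                  msg.get("Authentication-Results", ""))
    return (m.group(1), m.group(2).rstrip(";")) if m else ("none", "")

def strict(msg):
    # Honour the published policy: a DMARC failure under p=reject is rejected.
    result, domain = dmarc_result(msg)
    if result == "fail" and PUBLISHED_POLICY.get(domain) == "reject":
        return "reject"
    return "accept"

def list_id_bypass(msg):
    # The proposed exemption: any message carrying List-ID skips the check.
    if msg["List-ID"] is not None:
        return "accept"
    return strict(msg)

def verdicts(policy):
    return {name: policy(m) for name, m in SAMPLES.items()}

if __name__ == "__main__":
    for policy in (strict, list_id_bypass):
        print(policy.__name__, verdicts(policy))
```

Under either rule the genuine list message and the spoof carrying a List-ID get the same verdict, because the header is an unauthenticated assertion by whoever sent the message.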