> I think the original scenario you described could be implemented by bad
> players as follows:
> - set up a mailman instance with DMARC support, that forges the XOAR header.
> - Ensure that the mailman outgoing mail passes SPF+DKIM for the domain in
> question.

Right, except it doesn't even have to be mailman, just spamware that
creates headers that look like mailman's. Like I said, if you trust the
sender to be a real list, deliver its mail. If you don't, don't. I don't
think there are any major conceptual challenges here.

> Those uses shouldn't be considered valid, and NYTimes has already moved
> away from that, at least as of my test 5 minutes ago.

Well, the WSJ does. This is a perfectly reasonable way to send mail,
endorsed by decades of practice.
|Date: Tue, 8 Apr 2014 02:24:13
|From: "wsjol(_at_)johnlevine(_dot_)com" <wsjol(_at_)johnlevine(_dot_)com>
|To: johnl(_at_)taugh(_dot_)com
|Subject: WSJ.com - Ukrainian leaders, U.S. slam Russia over new unrest;
The envelope bounce address is <bounces(_at_)wsjemail(_dot_)com>, again perfectly
reasonable.

> By implement DMARC, I meant implement XOAR headers; VERP is too useful

As described above, XOAR is not useful because you can't trust it.
Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
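
The trust decision discussed in this message, as an added example that is not part of the original e-mail: a receiver looks at a forwarded-authentication header only when the relay is on its own allowlist of known lists, because any sender can write that header. It assumes XOAR stands for `X-Original-Authentication-Results`; the allowlist, the authserv-id and all domains are constructed.

```python
import re
from email import message_from_string

TRUSTED_LISTS = {"lists.example.org"}   # constructed local allowlist of real lists
MY_AUTHSERV_ID = "mx.receiver.example"  # constructed id of our own border MTA

def locally_verified_domains(msg):
    """DKIM domains verified by our own MTA.

    Assumes the border MTA strips inbound Authentication-Results headers
    that claim our authserv-id, so the ones seen here are ours.
    """
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = value.partition(";")
        if authserv_id.strip().lower() != MY_AUTHSERV_ID:
            continue  # stamped by someone else: not evidence
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results):
            domains.add(m.group(1).lower())
    return domains

def honor_xoar(msg):
    """Return the XOAR value only if a trusted list relayed the mail, else None."""
    if not (locally_verified_domains(msg) & TRUSTED_LISTS):
        return None  # header content is sender-controlled; ignore it
    return msg.get("X-Original-Authentication-Results")

def sample(relay_domain):
    """Constructed message: same XOAR claim, different verified relay."""
    return message_from_string(
        f"Authentication-Results: {MY_AUTHSERV_ID}; dkim=pass header.d={relay_domain}\n"
        "X-Original-Authentication-Results: mx.list.example; dkim=pass header.d=author.example\n"
        "From: someone@author.example\n"
        "Subject: constructed sample\n\nbody\n")

if __name__ == "__main__":
    for relay in ("lists.example.org", "bulk.unknown.example"):
        print(relay, "->", honor_xoar(sample(relay)))
```
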