
Re: DMARC: perspectives from a listadmin of large open-source lists

2014-04-08 01:28:54
> I think the original scenario you described could be implemented by bad
> players as follows:
> - set up a mailman instance with DMARC support, that forges the XOAR header.
> - Ensure that the mailman outgoing mail passes SPF+DKIM for the domain in
> question.

Right, except it doesn't even have to be mailman, just spamware that creates headers that look like mailman's. Like I said, if you trust the sender to be a real list, deliver its mail. If you don't, don't. I don't think there are any major conceptual challenges here.

> Those uses shouldn't be considered valid, and NYTimes has already moved
> away from that, at least as of my test 5 minutes ago.

Well, the WSJ does. This is a perfectly reasonable way to send mail, endorsed by decades of practice.

|Date: Tue, 8 Apr 2014 02:24:13
|From: "wsjol(_at_)johnlevine(_dot_)com" <wsjol(_at_)johnlevine(_dot_)com>
|To: johnl(_at_)taugh(_dot_)com
|Subject: WSJ.com - Ukrainian leaders, U.S. slam Russia over new unrest;

The envelope bounce address is <bounces(_at_)wsjemail(_dot_)com>, again perfectly reasonable.

> By implementing DMARC, I meant implementing XOAR headers; VERP is too useful

As described above, XOAR is not useful because you can't trust it.

Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
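A defender's version of the trust decision discussed above (honour XOAR only when the immediate sender is an authenticated, known list), written as an added example in Python; it is not code from this thread, from mailman or from any DMARC implementation. It assumes XOAR stands for X-Original-Authentication-Results, that our own MTA stamps Authentication-Results with the authserv-id mx.example.net, and a hypothetical allowlist of list domains; both sample messages are constructed.

```python
import email
import re

# Constructed samples, not from the thread. GENUINE: our MTA (mx.example.net)
# authenticated the list host, which recorded the original author's results in XOAR.
# FORGED: spamware copied a list-style XOAR but the delivering host did not authenticate.
GENUINE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=lists.example.org; dkim=pass header.d=lists.example.org
X-Original-Authentication-Results: lists.example.org; spf=pass smtp.mailfrom=wsjemail.com; dkim=pass header.d=wsj.com
"""
FORGED = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=spam.example; dkim=none
X-Original-Authentication-Results: lists.example.org; spf=pass smtp.mailfrom=wsjemail.com; dkim=pass header.d=wsj.com
"""
OUR_AUTHSERV = "mx.example.net"        # assumed authserv-id of our own MTA
TRUSTED_LISTS = {"lists.example.org"}  # hypothetical allowlist of known real lists

def parse_authres(value):
    """Split an Authentication-Results-style value into (authserv-id, {method: (result, props)})."""
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    authserv = clauses[0].split()[0]
    methods = {}
    for clause in clauses[1:]:
        m = re.match(r"(\w+)=(\w+)(.*)", clause)
        if m:
            props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
            methods[m.group(1)] = (m.group(2), props)
    return authserv, methods

def honour_xoar(raw):
    """Return (trusted, reason). XOAR is honoured only when the relay hop itself passed
    SPF and DKIM for an allowlisted list domain and the XOAR claims that same domain."""
    msg = email.message_from_string(raw)
    ar = msg.get("Authentication-Results")
    xoar = msg.get("X-Original-Authentication-Results")
    if not ar or not xoar:
        return False, "no XOAR or no local Authentication-Results header"
    authserv, ours = parse_authres(ar)
    if authserv != OUR_AUTHSERV:
        return False, "Authentication-Results not stamped by our own MTA"
    spf, dkim = ours.get("spf", ("none", {})), ours.get("dkim", ("none", {}))
    if spf[0] != "pass" or dkim[0] != "pass":
        return False, "relay hop failed SPF or DKIM, so XOAR is unverifiable"
    relay = dkim[1].get("header.d")
    if relay not in TRUSTED_LISTS:
        return False, f"{relay} is not a known list, ignoring XOAR"
    if parse_authres(xoar)[0] != relay:
        return False, "XOAR authserv-id does not match the authenticated relay"
    return True, "XOAR honoured: " + str(parse_authres(xoar)[1])
```

The forged sample is rejected at the relay-hop check even though its XOAR is byte-for-byte identical to the genuine one, which is the whole point: the header carries no trust of its own.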
