ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: (DMARC) Why mailing lists are only sort of special

2014-04-16 18:26:21
from [Pete Resnick] [Permanent Link] 
Replying to two in one. They're sorta related.

On 4/16/14 7:58 AM, Michael Richardson wrote:


It's clear to me that we need at least a non-WG mailing list for this
*technical* discussion.
Yeah, we are starting to move into solution space, which needs to be discussed in a specific technical forum. I'll try to keep it short. 


so, what you are saying is that based upon the (SMTP) To: address, the sender
needs a signal that this is a mailing list, and some way to react.
Maybe this could be combined with various SMTP DANE mechanisms, or at least,
maybe "Additional RR" could return that kind of information.
The originator (well, more to the point, the originator's mail server) doesn't need a signal that it's a mailing list; it's simply that the destination makes an "if I forward the mail, I'll be including this" piece of data available, and the originator's server can then include that in the signature of the message. I was thinking this could be in some special kind of DMARC (or whatever) record that lived in the mailing list's domain and could be queried by the originator's server. 


Running code.  we need someone to fund and participate in an experiment.
  (cf: other thread about not participating in SDOs anymore)
Bah. I do need to respond in that other thread, but I've become more sanguine about standardization after Vidya's article: I agree with a good deal of what she says, and I think she's categorized the problem correctly. Her having done that, I now see paths forward. More on the other thread. 

On 4/16/14 3:57 PM, John R Levine wrote:
How do I distinguish the nice mailing lists at ietf.org from random evil spammer domains sending spam with List-ID headers?
Every proposal I've seen like this ends up tripping over the fact that there is no technical way to distinguish between mail from real mailing lists and spam that looks like it's from mailing lists.
At least in the back-of-the-envelope scheme I suggested, the receiver doesn't need to distinguish mailing lists: The originator's system finds out where the mail is going, gets some information from the destination, and signs that and sends it with the message. The mailing list sends that along to the recipients. When my (one of the recipient's) server looks at that info, it determines that the originator sent the message directly to the mailing list, and I can tell that the mailing list sent it to me. My server doesn't need to determine whether the mailing list is "evil"; it knows that the person with the (e.g.) yahoo.com address sent to that mailing list from a yahoo.com server. That's what it cares about.
(And again, anyone can choose to continue to say, "No redistributing this message". The mailing list, or the eventual recipients if the mailing list doesn't play, should bounce the message in that case.) 

pr

--
Pete Resnick<http://www.qualcomm.com/~presnick/>
Qualcomm Technologies, Inc. - +1 (858)651-4478
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: (DMARC) Why mailing lists are only sort of special, Miles Fidelman
Next by Date:  Gen-ART review of draft-ietf-bfd-mib-17, Black, David
Previous by Thread:  Re: (DMARC) How a whitelist would work, was Why mailing lists, John R Levine
Next by Thread:  Re: (DMARC) We've been here before, was Why mailing lists, John R Levine
Indexes:  [Date] [Thread] [Top] [All Lists]