
RE: DMARC and yahoo

2014-04-20 20:00:48
The issue with @yahoo.com and DMARC is not the @yahoo.com users' ability 
to receive mail, it's their ability to send mail to the list with From: 
*@yahoo.com and have it be received by list subscribers who implement 
strict DMARC policies which honor Yahoo!'s p=reject.

It's not clear how setting the @yahoo.com users to digest mode helps 
this situation at all.

It probably does not. Trying to analyze the various positions with a cool head, 
the obvious conclusion is that hard problems don't have easy answers.

The current mailing list practice has the mailing list as sender, and the 
original message composer described in the From field. The receiver sees 
something like:

   Sender: ietf <ietf-bounces@ietf.org> 
   From: Christian Huitema <huitema@microsoft.com> 
   …

Of course, that particular construct could easily be abused. A phishing message 
does not differ much from a mailing list message:

   Sender: postmaster <postmaster@phishing-domain.com> 
   From: Christian Huitema <huitema@microsoft.com> 
   …

I understand that the DMARC "alignment" policy is meant to protect against that 
by requesting that sender domain and from field match. The problem is that a 
mailing list would then have to invent a new from field, letting the recipient 
see something like:

   From: Christian Huitema <ietf-christian-huitema@ietf.org>
   Reply-To: Christian Huitema <huitema@microsoft.com>
   …

The obvious issue is that this particular construct is also quite friendly to 
phishing. The phishing message would look like:

   From: Christian Huitema <christian-huitema@phishing-domain.com>
   Reply-To: Christian Huitema <huitema@microsoft.com>
   …

If we teach users to ignore the bizarre email address for the mail list 
messages, we are also teaching them to ignore the bizarre email address in the 
phishing messages. I doubt that this was the intent of the DMARC authors. 

-- Christian Huitema

(I wrote a longer version of this email at http://huitema.wordpress.com/.)
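Added illustration (not part of the post above): a receiver-side DMARC identifier-alignment check, per RFC 7489, run over the four header shapes the message describes. The sample headers and the assumed authenticated domains (SPF MAIL FROM or DKIM d=) are constructed; the organizational-domain helper is a two-label approximation rather than a Public Suffix List lookup.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed samples mirroring the four header shapes in the post. The second
# element is the domain DMARC actually authenticates (SPF MAIL FROM or DKIM d=),
# assumed here to be the relaying domain. Bodies are omitted; only headers matter.
SAMPLES = {
    "list_relay": ("Sender: ietf <ietf-bounces@ietf.org>\n"
                   "From: Christian Huitema <huitema@microsoft.com>\n", "ietf.org"),
    "phish_relay": ("Sender: postmaster <postmaster@phishing-domain.com>\n"
                    "From: Christian Huitema <huitema@microsoft.com>\n", "phishing-domain.com"),
    "list_rewritten": ("From: Christian Huitema <ietf-christian-huitema@ietf.org>\n"
                       "Reply-To: Christian Huitema <huitema@microsoft.com>\n", "ietf.org"),
    "phish_rewritten": ("From: Christian Huitema <christian-huitema@phishing-domain.com>\n"
                        "Reply-To: Christian Huitema <huitema@microsoft.com>\n", "phishing-domain.com"),
}

def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def org_domain(domain):
    """Organizational domain approximated as the last two labels
    (a real implementation consults the Public Suffix List)."""
    return ".".join(domain.split(".")[-2:])

def dmarc_aligned(from_domain, auth_domain, mode="r"):
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if not from_domain or not auth_domain:
        return False
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(raw_headers, auth_domain):
    """What a receiver can observe: does From align with the authenticated
    domain, and does Reply-To steer replies to a different domain?"""
    msg = email.message_from_string(raw_headers, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    return {"from_domain": from_dom,
            "aligned": dmarc_aligned(from_dom, auth_domain),
            "reply_to_elsewhere": reply_dom != from_dom}

if __name__ == "__main__":
    for name, (hdrs, auth) in SAMPLES.items():
        print(name, evaluate(hdrs, auth))
```

Both relayed shapes fail alignment, and both rewritten shapes pass it with an off-domain Reply-To, so the alignment check alone cannot tell the list's rewritten message from the phishing one.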

