RE: [IETF] DMARC methods in mailman

2016-12-26 20:03:37
On Monday, December 26, 2016 5:34 PM, John Levine wrote:
>> By that argument, there's no excuse for the big mailer providers for
>> bouncing List mail because of DMARC.  They could just reference the
>> List-ID field, and display something like this:
>>
>>    <From> via mailing list <list-id header contents>
>
> Great idea.  Because there is no possibility whatsoever that if mail
> systems did that, bad guys would put in fake List-IDs to get their
> phishes delivered.

Of course, they will. A system like that only works if the MUA is reasonably 
sure that the mail was in fact sent by the specified "sender", and that the 
sender was some reputable list forwarder that the user trusts.

But your mail and many comments on this list point to the huge responsibility 
of the MUA with respect to phishing. Phishing is about duping the user by 
displaying misleading information. The effective defenses have to rely on 
proper user interface design, using all the information in the user context. 
Attempting to do that by just using network rules makes the network more 
complex, but cannot solve the problem.

-- Christian Huitema
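
The display rule discussed in this message, as an added example that is not part of the original email: the "via mailing list" label is shown only when the List-Id names a list the user trusts and the receiving MTA recorded a DKIM pass for that list's signing domain. The authserv-id, the trusted-list table, the function names and both sample messages are constructed assumptions; it also assumes the border MTA strips inbound Authentication-Results headers that carry its own authserv-id.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical configuration: our border MTA's authserv-id, and the lists the
# user subscribed to, each mapped to the domain expected to DKIM-sign it.
OWN_AUTHSERV_ID = "mx.example.net"
TRUSTED_LISTS = {"discuss.lists.example.org": "lists.example.org"}

# Constructed sample: a real list post, signed by the list's own domain.
GENUINE = ("Authentication-Results: mx.example.net; dkim=pass header.d=lists.example.org\n"
           "From: Alice Example <alice@example.org>\n"
           "List-Id: Discussion list <discuss.lists.example.org>\n\nhello\n")
# Constructed sample: a phish that copies the List-Id and injects its own
# Authentication-Results header claiming a pass for the list's domain.
FORGED = ("Authentication-Results: mx.example.net; dkim=pass header.d=phish.example\n"
          "Authentication-Results: evil.example; dkim=pass header.d=lists.example.org\n"
          "From: Your Bank <support@bank.example>\n"
          "List-Id: Discussion list <discuss.lists.example.org>\n\nclick here\n")

def dkim_pass_domains(msg):
    """Domains with dkim=pass, read only from headers our own MTA added."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = value.partition(";")
        if authserv_id.strip().lower() != OWN_AUTHSERV_ID:
            continue  # not stamped by our MTA, so the sender may have written it
        for m in re.finditer(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", results, re.I):
            domains.add(m.group(1).lower())
    return domains

def display_sender(raw):
    """Return the sender line the MUA would show for this message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    author = name or addr
    m = re.search(r"<([^<>]+)>", msg.get("List-Id", ""))
    list_id = m.group(1).strip().lower() if m else None
    signer = TRUSTED_LISTS.get(list_id)
    if signer and signer in dkim_pass_domains(msg):
        return f"{author} via mailing list {list_id}"
    if list_id:
        # List-Id present but not backed by a trusted, authenticated forwarder:
        # show the full address and flag the claim instead of honouring it.
        return f"{author} <{addr}> [List-Id not verified]"
    return author

if __name__ == "__main__":
    print(display_sender(GENUINE))
    print(display_sender(FORGED))
```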