/golf_clap ☺ Especially the bit about, “nearly useless”. It is distressing that almost everyone pays more attention to how the sender describes themselves in a comment than the easily forgeable 822 From: address, and the trivially spoofable 821 MAIL FROM address, and that all of this traffic so easily side-steps SPF, DKIM and DMARC authentication by means of a throw-away domain with all the trimmings that doesn’t even need to bear any resemblance to the target domain being froggered.
We really need a solution for mail validation that goes all the way from ISO 1 thru 7. So many people figure it can just be addressed at one layer, but you need to build a case at each step, and finally present the user with a thumbs-up or down at the presentation layer, but … surprisingly, stunningly little done to address the WHOLE problem.

Aloha,
Michael.

--
Michael J Wise | Microsoft | Spam Analysis | "Your Spam Specimen Has Been Processed." | Got the Junk Mail Reporting Tool <http://www.microsoft.com/en-us/download/details.aspx?id=18275> ?

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Brandon Long
Sent: Friday, February 13, 2015 11:53 AM
To: Steve Atkins
Cc: mailop
Subject: Re: [mailop] help with running a listserv and DMARC

On Fri, Feb 13, 2015 at 10:51 AM, Steve Atkins <st...@blighty.com> wrote:

> On Feb 13, 2015, at 8:13 AM, Al Iverson <aiver...@spamresource.com> wrote:
>
>> On Fri, Feb 13, 2015 at 7:46 AM, Steve Atkins <st...@blighty.com> wrote:
>>
>>>> Such is life. Personally, I have no problem mangling or blocking messages
>>>> from users using a domain with a restrictive DMARC policy as needed.
>>>
>>> Mangling encourages bad behaviour. Blocking discourages it.
>>
>> Blocking, aka rejecting participation from legitimate users because of
>> their domain, might be easy for hobbyists to stomach, but is not
>> always the best path for an existing group or enterprise. It leaves
>> the affected end users feeling hurt and caught in the middle in a
>> scenario they can't easily change. (They certainly can't force AOL to
>> change DMARC policy and they may have legitimate reasons as to why
>> they don't wish to change mail providers.)
>
> I agree completely. Sometimes your requirements mean that you have to encourage bad behaviour.
>
> But it's good to be clear that that's what you're doing, and that you're making discussion lists less usable (forever) for everyone other than AOL and Yahoo users in the process.

Probably because fewer people by several orders of magnitude use discussion lists than are affected by the phishing problems that DMARC and the AOL/Yahoo MSPs are trying to solve. And probably another couple orders of magnitude care about the fact that the From header is now munged or what the PRA is. And phishing has real world financial consequences far in excess of whatever the cost of munging the From header might be. Not to mention real world spamming consequences probably far exceeding mailing list traffic as well.

And Gmail does show the Sender information, though only when we think it's necessary. And user studies have shown it's nearly useless to the majority of users when it comes to preventing phishing.

That said, of course any postmaster/listmaster is allowed to run their systems however they wish.

Brandon
_______________________________________________
mailop mailing list
mailop@mailop.org
http://chilli.nosignal.org/mailman/listinfo/mailop
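An added example (editor's code, not from any poster in this thread) of the From: "mangling" the thread argues over: a list server checks the author domain's DMARC policy and rewrites From: only when it is quarantine or reject, keeping the author reachable through Reply-To and X-Original-From. The DMARC records, addresses and sample post are constructed stand-ins; a real server would query DNS for _dmarc.<domain>.

```python
"""DMARC-aware From: rewriting for a discussion list (added example).
The DNS answers below are constructed stand-ins for a TXT lookup of
_dmarc.<domain>; a real list server would query DNS instead."""
import email
from email.utils import formataddr, parseaddr

# Constructed DMARC records keyed by the author's From: domain.
DMARC_TXT = {
    "aol.example": "v=DMARC1; p=reject; rua=mailto:dmarc@aol.example",
    "hobby.example": "v=DMARC1; p=none",
}

def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or None if it has none."""
    record = DMARC_TXT.get(domain.lower())
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none").lower()

def munge_for_list(raw, list_addr, list_name):
    """Parse a raw message; rewrite From: only if the author's domain publishes
    p=quarantine or p=reject. Returns (message, rewritten)."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if dmarc_policy(domain) not in ("quarantine", "reject"):
        return msg, False  # p=none or no record: forward the header untouched
    # Keep the author's identity in headers DMARC does not evaluate, then put
    # the list's own address in From: so the list's DKIM signature and SPF
    # result can align with the visible From: domain.
    original = msg["From"]
    msg["X-Original-From"] = original
    if "Reply-To" not in msg:
        msg["Reply-To"] = original
    del msg["From"]
    msg["From"] = formataddr((f"{name or addr} via {list_name}", list_addr))
    return msg, True

# Constructed sample post from a domain that publishes p=reject.
SAMPLE = """From: Alice <alice@aol.example>
To: mailop@example.org
Subject: help with running a listserv and DMARC

Hello list.
"""

if __name__ == "__main__":
    out, changed = munge_for_list(SAMPLE, "mailop@example.org", "mailop")
    print(changed, out["From"], out["Reply-To"])
```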