On Mon, May 22, 2017 at 10:26 PM, Steve Atkins <st...@blighty.com> wrote:
> > On May 22, 2017, at 10:01 PM, Hal Murray <hmur...@megapathdsl.net> wrote:
> >
> >> ARC is the very-near-future solution to much of this. Get your vendors on it.
> >> http://arc-spec.org
> >
> > I'm missing something. What keeps a bad guy from setting up shop and
> > claiming to be forwarding mail and claiming that SPF was valid on the crap he
> > is sending?
>

Whether you trust the forwarder is up to the receiver, of course. One wouldn't expect to trust every forwarder.

How one would learn which forwarders to trust is more complicated, of course. Having a receiver-wide whitelist or having the end user or admin whitelist forwarders is certainly the simpler explanation. One could also imagine a registry of well-known and correctly working forwarders.

Of course, if a forwarder is compromised, then trusting it is moot.

Also, the assumption here is for DMARC rejection or possibly other cases like spam reputation calculation. You should still run your spam/av/malware/phishing filters on the messages.

> > It seems to me that a critical step for doing things right is that the user
> > has to get involved and agree to receive forwarded mail, including all the
> > spam that gets past the spam filters at the forwarder. I think that would
> > work for geeks but it's probably too complicated for the typical user. Do
> > you have to be geeky enough to set up forwarding?
> >
> > The same holds for mailing lists but you don't have to be a geek to get added
> > to one. I think it would be great if the mail environment asked me if I
> > wanted to get added to a list before it started accepting mail for that list.
> > I wonder if a typical user could handle that.
> >
> > I don't know what happens to transactional mail.
> >
> > Is this only going to work for big players who generate or receive enough
> > traffic so the receiver can develop a useful reputation?
>

I think smaller operators will be able to use whitelisting quite effectively. You should be able to augment your logging of DMARC rejects or any ARC intermediaries and maybe couple with other spam signals and output a list of potential intermediaries to whitelist.

I'd also expect that at some point, someone will set up a whitelist RBL for intermediaries as well.

Brandon
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
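Added example, not part of the original message and not code from any mail system: a sketch of the log-mining step described in the reply above, tallying ARC sealing domains seen on DMARC-failing mail and combining that with a spam verdict to list intermediaries worth reviewing for a whitelist. The record layout, thresholds, helper names and all domains are constructed assumptions; it presumes the receiver already runs an ARC verifier and a spam filter and logs their results.

```python
from collections import defaultdict

def _seal(i, d):
    # Constructed ARC-Seal header value (tags i=, a=, cv=, d=, s=, b=).
    cv = "none" if i == 1 else "pass"
    return f"i={i}; a=rsa-sha256; cv={cv}; d={d}; s=sel; b=AAAA"

# Constructed sample: one record per message that failed DMARC at our border.
# "chain_ok" is our own ARC verifier's result, "spam" our filter's verdict.
SAMPLE = (
    [{"seals": [_seal(1, "lists.example.org")], "chain_ok": True, "spam": False}] * 3
    + [{"seals": [_seal(2, "lists.example.org"), _seal(1, "alumni.example.edu")],
        "chain_ok": True, "spam": False}]
    + [{"seals": [_seal(1, "fwd.example.net")], "chain_ok": True, "spam": s}
       for s in (True, True, False)]
    + [{"seals": [_seal(1, "bulk.example.com")], "chain_ok": False, "spam": True}]
)

def sealers(seal_headers):
    """Return the d= domain of each ARC-Seal, ordered by instance number (i=)."""
    hops = []
    for value in seal_headers:
        tags = dict((k.strip(), v.strip()) for k, v in
                    (t.split("=", 1) for t in value.split(";") if "=" in t))
        hops.append((int(tags["i"]), tags["d"].lower()))
    return [domain for _, domain in sorted(hops)]

def candidates(records, min_msgs=3, max_spam_rate=0.2):
    """List (domain, messages, spam_rate) for intermediaries worth a manual review."""
    seen = defaultdict(lambda: [0, 0])      # domain -> [messages, spam messages]
    for rec in records:
        if not rec["chain_ok"]:
            continue                        # unverifiable chain: the d= claim proves nothing
        for domain in set(sealers(rec["seals"])):
            seen[domain][0] += 1
            seen[domain][1] += rec["spam"]
    rows = [(d, n, s / n) for d, (n, s) in seen.items()
            if n >= min_msgs and s / n <= max_spam_rate]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for domain, n, rate in candidates(SAMPLE):
        print(f"{domain}\tmessages={n}\tspam_rate={rate:.2f}")
```

The output is a review list, not an automatic whitelist: a domain only appears if its chains verified locally, it was seen often enough, and the mail it relayed was mostly clean.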