Alessandro Vesely writes:
The tale goes that large mailbox providers want ARC as a tool to filter mail streams from lists that don't do a good filtering themselves. ARC, they say, allows to attribute reputation correctly. However, I don't think they can tell who a message is from, after it has been munged.
I don't see why they would care who the message is from. They know who added the ARC seal who claim to have validated the original From. If any of them are highly trusted, or the whole chain is unbroken and none is known untrustworthy, that should be good enough.
In that respect, From: munging hampers ARC.
Sure, a little, especially if the recipient doesn't understand the theory. On the other hand, there are only a few MLMs that munge, they should be able to extract the original address in most cases.
A MLM would continue From: munging unless a receiver is able to tell it to not do it.
Sure, but as you say you need to trust the users, in this case, the receivers. If it's all I know about them, I wouldn't trust a user who uses a "p=reject" provider to be clueful enough to make that decision safely.
I see that archived messages are not munged. How come? Isn't the archive a regular subscriber?
In general, no, they're not. Messages are sent to archive services before the munging process takes place. There are services like mail-archive.com where you interface with the archiver as a regular subscriber, but Pipermail (Mailman 2) and HyperKitty (Mailman 3) both short-circuit the pipeline.
At worst, one could set up two lists, fed by the same stream, one with munging enabled and the other not, letting users subscribe to the one they prefer.
To be honest, while I'm at best 50% willing to implement the user option, I could easily be persuaded by a few experiments with the dual list proposal. This could be implemented almost transparently for the subscriber (except at subscription time) by using an umbrella list.
A list can set the Author: header field by copying From:.
This isn't a problem. I would be perfectly happy to accept a patch to handle Author today as long as it's RFC-ly correct, which looks straightforward.
MUAs won't notice Author: fields any time soon.
Then they're useless.
- They need to display them, or most users won't be able to use them in any way.
- It's important that they be included in automatically formatted replies, and the munged From ignored.
- You'd hope From would either not be displayed or the content of the Author field substituted into From.
Translated into Scum-of-the-Earth-Spammer:
You can use this header to send "referred by someone in victim's contact list" (that you stole from Yahoo) spam and it will bypass DMARC v1 because you can use an aligned From. All-Hail-Author!They're doing that with From:, and it works fine. It is very hard for MUAs to tell spoofed From:'s,
True, but DMARC should give essentially zero false negatives. If it says from is aligned, and the sending domain is reliable, it's not spoofed.
Then, some people hold that even writing THIS IS PHISHING loud and clear won't prevent users from opening and clicking that link. Darwin will tell...
See the recent Twitter thread by @FatManTerra, who performed a very cruel experiment where he advertised an obvious scam "for the purpose of making people scammed by Terra whole" and amassed > $100,000 in BitCoin in 24 hours. (He returned it all, but it's unethical and must make his victims feel like idiots. I don't disagree with their self-assessment, but it wasn't nice to rub their noses in it.)
Implementing and deploying ARC is not enough, you also need to trust the ARC signer/ sealer.
I see it the other way around: once people have implemented ARC, you have the opportunity to serve your users by trusting the ARC sealers. We didn't really have that before, because of the ease of creating fake mediators.
ARC won't be effective until it has been deployed at more than 60% of SMTP servers and that's not a problem. :-) https://www.rhyolite.com/anti-spam/you-might-be.html#senior-IETF-member-5
I doubt 60% of servers will implement within the decade, but I guess a lot more than 60% of legit mail is handled somewhere by an ARC- conforming server. Google has long been a powerful advocate of ARC. I think there's hope.