[Bug 1632036] [NEW] Munging report-only DMARC
fuglede
1632036 at bugs.launchpad.net
Mon Oct 10 13:34:57 EDT 2016
Public bug reported:
Hi GNU Mailman folks
This is the first report from here, so do let me know if it's not
hitting the mark in one way or another.
So, as I understand it, DMARC from-munging takes place whenever the
sender has specified a DMARC policy of `p=quarantine` or `p=reject`, but
*not* for the report-only policy `p=none`. I believe that it should
cover the `p=none` case as well, though, as one can otherwise publish
such a policy as the DMARC policy on a self-hosted mail server, send an
email to a GNU Mailman mailing list, and receive reports from the mail
servers of some of the subscribers. Moreover, in some cases, mail servers
(such as personal ones) host only very few email addresses, so that you
are effectively deanonymizing some of the mailing list's subscribers. I
tested this on a Mailman 2.1.23 setup.
Now, due to the way mailing lists work, you could argue that it's not
really an issue that a subscriber can figure out who else subscribes,
but since this information is not readily available in any other way, it
does seem unintentional.
** Affects: mailman
Importance: Undecided
Status: New
** Tags: dmarc munge privacy
--
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1632036
Title:
Munging report-only DMARC
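The following is an added illustration of the decision described in the report; it is not code from the bug report or from Mailman itself. It parses a DMARC TXT record into its tags and compares two munging rules: the behaviour the reporter describes for Mailman 2.1.23 (munge only on `p=quarantine` or `p=reject`) and the proposed rule that also covers `p=none`. The proposed rule is narrowed slightly beyond the report: a `p=none` record only leaks subscriber MX information when it actually asks for reports via `rua=` or `ruf=`, so a bare `p=none` with no report address is left alone. The domain names and records are constructed sample data, and the function names are this example's own.

```python
"""Decide whether a list server should rewrite (munge) the From: header
of a post, based on the poster domain's published DMARC record.

Added example, not Mailman's code.  The 'current' rule mirrors the
behaviour described in the bug report; the 'proposed' rule extends it
to report-only (p=none) policies that request reports.
"""
from typing import Dict, Optional, Tuple

# Constructed sample records, standing in for the TXT record a list
# server would fetch at _dmarc.<domain>.  None means no record published.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:agg@strict.example",
    "soft.example": "v=DMARC1; p=quarantine; pct=50",
    # Report-only policy that asks for aggregate and failure reports:
    # receivers will mail these addresses about list traffic.
    "monitor.example": ("v=DMARC1; p=none; rua=mailto:agg@monitor.example; "
                        "ruf=mailto:fail@monitor.example"),
    # Report-only policy with no report address: nothing is sent back.
    "silent.example": "v=DMARC1; p=none",
    "nodmarc.example": None,
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into lower-cased tag -> value pairs.

    Tags are separated by ';' (RFC 7489 section 6.4); whitespace around
    tags and values is ignored and malformed fragments are skipped.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def wants_reports(tags: Dict[str, str]) -> bool:
    """True when the record asks receivers for aggregate (rua) or
    failure (ruf) reports.  This is what makes a p=none policy
    observable to the domain owner."""
    return bool(tags.get("rua") or tags.get("ruf"))


def should_munge(record: Optional[str], cover_report_only: bool) -> bool:
    """Return True if the From: header should be rewritten.

    cover_report_only=False reproduces the rule described in the report
    (munge only on quarantine/reject); True adds the proposed handling
    of p=none records that request reports.
    """
    if record is None:
        return False
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False  # not a valid DMARC record; nothing to honour
    policy = tags.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return True
    if policy == "none" and cover_report_only:
        return wants_reports(tags)
    return False


def compare_rules(records: Dict[str, Optional[str]] = SAMPLE_RECORDS
                  ) -> Dict[str, Tuple[bool, bool]]:
    """Map each domain to (current_rule_munges, proposed_rule_munges)."""
    return {domain: (should_munge(rec, False), should_munge(rec, True))
            for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, (current, proposed) in compare_rules().items():
        print(f"{domain:18} current={current!s:5} proposed={proposed!s:5}")
```

Running the block shows that only `monitor.example` changes outcome between the two rules: it is the record type the report is about, a domain that enforces nothing but still receives a report from every subscriber's mail server that evaluates the post.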