[Mailman-Developers] Two more DMARC mitigations

Stephen J. Turnbull stephen at xemacs.org
Thu Jun 12 23:42:08 CEST 2014


John Levine writes:

 > * Forwarding signature

Thanks, I was about to write something like this!

 > * Submit and sign
 > 
 > When a user at a p=reject signs up for a list, you demand an OAUTH API
 > token if the provider supports it, otherwise their host system
 > password.

-1 on the password thing.  It's too close to phishing, imposes serious
privacy issues on Mailman hosts, and makes them targets for attack.
This is too dangerous to be even an optional feature.  Third party
patches are OK, of course, but stock Mailman shouldn't do this.

I'm fine with annoying the hell out of Yahoo! and AOL users with an
OAuth request on every post.

 > This is less nice, it's a lot of software development.

I don't think prototyping this is all that hard.  We already have
logic for checking DMARC thanks to dmarc_moderation_action.  We just
add the OAuth check to that, and if it fails, proceed to
dmarc_moderation_action.
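
As an added illustration of the decision flow sketched above (this is not code from the post or from Mailman itself), the following Python prototype parses a DMARC TXT record, determines the policy that applies to the poster's From: domain, and then applies the list's dmarc_moderation_action only when the poster is under p=reject and no OAuth proof was presented. DNS is replaced by a constructed in-memory table so it runs offline; the action names, the `oauth_verified` flag and the parent-domain walk (a simplification of the organizational-domain lookup, which really needs the public suffix list) are assumptions made for the example.

```python
"""Prototype of the proposed flow: check the poster's DMARC policy, and for a
p=reject domain fall through to dmarc_moderation_action unless an OAuth check
has vouched for the post.  DNS is stubbed with an embedded table."""
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain> (not real DNS).
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none",
    "_dmarc.corp.example.com": "v=DMARC1; p=quarantine; sp=reject",
}

# Hypothetical names for the list setting's values.
ACTIONS = ("accept", "munge_from", "wrap_message", "reject", "discard")


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tag -> value; None if not DMARC."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            continue
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def dmarc_policy(domain, lookup=FAKE_DNS.get):
    """Return the policy (none/quarantine/reject) that applies to the domain.

    The exact domain is checked first; if it has no record, parent domains are
    tried and the first one with a record supplies its sp= (subdomain policy)
    tag, falling back to p=.  This walk is a simplification: the real lookup
    uses the organizational domain from the public suffix list.
    """
    labels = domain.lower().split(".")
    for i in range(len(labels) - 1):
        record = lookup("_dmarc." + ".".join(labels[i:]))
        if record is None:
            continue
        tags = parse_dmarc(record)
        if tags is None:
            continue
        if i == 0:
            return tags.get("p", "none").lower()
        return tags.get("sp", tags.get("p", "none")).lower()
    return "none"


def moderate(from_header, oauth_verified, dmarc_moderation_action="munge_from"):
    """Decide what to do with a post; returns (action, reason).

    oauth_verified is the assumed result of the OAuth check from the proposal.
    Only p=reject posters are affected; if their OAuth check fails, the list's
    dmarc_moderation_action is applied, exactly as the post describes.
    """
    if dmarc_moderation_action not in ACTIONS:
        raise ValueError("unknown dmarc_moderation_action")
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("reject", "unparseable From: address")
    domain = addr.rsplit("@", 1)[1]
    policy = dmarc_policy(domain)
    if policy != "reject":
        return ("accept", "policy %s: no mitigation needed" % policy)
    if oauth_verified:
        return ("accept", "p=reject but poster vouched for via OAuth")
    return (dmarc_moderation_action, "p=reject and no OAuth proof")


if __name__ == "__main__":
    for hdr, ok in (("Alice <alice@example.com>", False),
                    ("alice@example.com", True),
                    ("bob@example.org", False),
                    ("carol@host.corp.example.com", False)):
        print(hdr, "->", moderate(hdr, ok))
```

Note that a quarantine policy is deliberately left alone here, matching the post's focus on p=reject; the subdomain case shows why sp= has to be honored, since a host under corp.example.com inherits reject even though the parent itself only asks for quarantine.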
