[Mailman-Users] DMARC handler
Stephen J. Turnbull
turnbull at sk.tsukuba.ac.jp
Sun Jun 22 02:28:45 CEST 2014
Ron Guerin writes:
> Jane Doe (jane at example.com) via listname <list at example.net>
> My question now is, is there any reason why re-writing it this way
> would be a bad idea?
First, the DMARC proponents themselves say "don't do that!" (Mostly
for the reasons given below.)
Second, it disrespects the wishes of Yahoo! The reason that Yahoo! is
publishing "p=reject" is because it doesn't want the mailbox to appear
in From: in mail handled by third parties (mostly meaning "spammers"
but also including *you*), because users take that as a sign that the
mail is really from someone they know, making them vulnerable to
phishing and "<friend> recommends" spam. Of course, Yahoo! Groups now
is doing exactly what you propose. This sort of works for now because
the spammers aren't emulating it yet, and MUAs don't put Jane's
picture next to the address.
Third, I bet that "Your Friend <email> via 3rd Party <l-email>"
phishing and spam will appear in short order, people will be
defrauded, and DMARC will be updated to reject on any appearance of a
protected mailbox in From:. Then you'll be back in the same boat. I
wouldn't be surprised if various MUAs (including Yahoo! itself) don't
start handling Yahoo! Groups (and perhaps your list as well) specially
by parsing the address out of the display name and prettifying
addresses in the user's contact list, exacerbating the "Yahoo! is
friendly to fraud" effect.
Fourth, Heaven only knows what Outlook (and other MUAs) will do with
that format of display name, but I bet it ain't pretty.
My take on this is "friends don't let friends use Yahoo!", YMMV.
More information about the Mailman-Users