[Mailman-Users] Add PayPal to DNs publishing DMARC p=reject

Stephen J. Turnbull stephen at xemacs.org
Wed May 7 05:46:32 CEST 2014

Barry Warsaw writes:
 > On May 06, 2014, at 02:15 PM, Stephen J. Turnbull wrote:
 > >No, the point is that a phishing mail with
 > >
 > >    From: Chase Bank Customer Service <service at chase.com.invalid>
 > >
 > >will sail right past DMARC, as currently set up.
 > So too will service at chase.com.ru without Mailman ever getting
 > involved, and I bet that will be just as effective at phishing as
 > .invalid.

Et tu, FLUFL?

The point is that if Mailman provides this, it becomes a "standard"
way to get a DMARC p=reject address past DMARC p=reject, and people
*may* develop an "it may say .INVALID, but it's OK" reflex.

As I wrote to John Levine on mailman-developers, if operators want to
experiment with it, that's one thing.  But does *Mailman* want to take
part in encouraging that "it's OK *because* it's .INVALID" meme?  Do
we want to encourage phishers to use something that looks like a
Mailman feature, and have the DMARC WG come back with something that
involves "anything that looks like my domain"?

The DMARC WG advocates putting list-post in "From" in place of a DMARC
p=reject address.  I advocate accepting their advice for stock Mailman,
and avoiding other non-conforming workarounds until the market demands
them.  If it gets noisy, feel free to cave in faster than you did on
Reply-To munging.<wink />


More information about the Mailman-Users mailing list