[Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

Stephen J. Turnbull stephen at xemacs.org
Fri May 9 21:01:16 CEST 2014


Lindsay Haisley writes:

 > What goes into an address comment is, or should be, purely
 > informational on a human level, and ignored on a computational
 > level.

Unfortunately, we can't depend on that:

   There are a few possible mechanisms that attempt mitigation of
   [display name] attacks, such as:

   o  If the display name is found to include an email address (as
      specified in [MAIL]), execute the DMARC mechanism on the domain
      name found there rather than the domain name discovered
      originally.

DMARC draft, sec. 15.2.  This is discussion of matters outside the
scope of DMARC itself, not a normative specification, and the document
itself says there are legitimate uses of email addresses in display
names (or comments).  But that hasn't stopped the spam-fighters in the
past; it may not stop them this time.  AFAICS, putting an address from
a DMARC domain anywhere in the mail leaves you subject to a possible
DMARC reject unless you satisfy "from alignment" for that domain
exactly as specified in DMARC.

That's not implemented by anyone now, and may never be.  And
obfuscating the address as in the OP may help, but for my previous
work address that would be

    stephen dot turnbull dot 1 at econ dot ohio-state dot edu

which is 57 characters.  You pays your money and you takes your
choice, I guess.



More information about the Mailman-Users mailing list