[Mailman-Users] DMARC and Reply-To lines with from_is_list munging.

Stephen J. Turnbull stephen at xemacs.org
Sat May 10 04:57:34 CEST 2014


Lindsay Haisley writes:

 > A nice fix, albeit probably total pie-in-the-sky, would be the
 > establishment of a MIME Content-Type: multipart/list-post, a variation
 > on (or extension of) multipart/mixed.  MUAs SHOULD (in the RFC 2119 sense)
 > effectively hide the outermost enclosing MIME envelope with this
 > Content-Type and present the contents according to rules that would
 > apply were the enclosing MIME envelope not there.  As far as the mail
 > system is concerned, the headers on the envelope are the effective ones.
 > As far as the MUA is concerned, for presentation purposes, the envelope
 > content is what counts.

The problem is that the DMARC people don't give a damn about the mail
system (and the PHBs behind the actions at Yahoo and AOL could care
less in both senses, apparently).  They're entirely concerned with
presentation.

And the technicians who designed DMARC are *right* to be concerned
about presentation, because it is presentation that the crooks use to
hook their prey.  In other words, if we come up with a way to present
mail that doesn't bear their signature[1] "as if" it came straight
from one of their domains, that can be abused by the crooks.

When (not if!) that abuse happens, the forces behind DMARC will come
back and say "Ooooohhhh no!  You can't do THAT!"  And they (the PHBs,
I mean) will break the system again ... and again ... and again.

So, unfortunately, I think there is *no* fix based on presentation.
The only real fix is users who are sophisticated enough to avoid
spammers, which can't be perfect (some people just aren't, and
everybody slips occasionally), but can certainly be enhanced by better
filters.

Well, there's that other fix, the one that involves lists as we love
them joining the dinosaurs. :-(

All-hail-Dave-Hayes-and-the-AI-newsreader!-ly y'rs,



Footnotes: 
[1]  Any list that isn't a pure address exploder will be unable to
maintain the signature.
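
Added example, not part of the original post: footnote [1] made concrete by comparing the two inputs a DKIM verifier hashes (the signed Subject header and the body, both under RFC 6376 "relaxed" canonicalization) before and after a list relays a message. The sample messages, the "[Example-List]" tag and the footer text are constructed, and the cryptographic signature check itself is not modelled.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = re.split(rb"\r?\n", body)
    # Collapse runs of whitespace and drop whitespace at end of line.
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at end of body
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)

def body_hash(body: bytes) -> str:
    """Value a signer places in the bh= tag (sha256, base64)."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def relaxed_header(name: str, value: str) -> str:
    """RFC 6376 section 3.4.2 'relaxed' header canonicalization."""
    unfolded = re.sub(r"\r?\n", "", value)
    return name.lower().strip() + ":" + re.sub(r"[ \t]+", " ", unfolded).strip()

def signature_survives(orig, relayed) -> bool:
    """True if the signed Subject header and the body hash are unchanged."""
    (subj_a, body_a), (subj_b, body_b) = orig, relayed
    return (relaxed_header("Subject", subj_a) == relaxed_header("Subject", subj_b)
            and body_hash(body_a) == body_hash(body_b))

# Constructed sample messages as (Subject value, body).
ORIGINAL = ("Meeting notes", b"Hello list,\r\n\r\nSee you Friday.\r\n")
# Pure address exploder: content untouched apart from whitespace noise in transit.
EXPLODED = ("Meeting  notes ", b"Hello list,  \r\n\r\nSee you Friday.\r\n\r\n")
# Typical list processing: subject tag plus appended footer.
MUNGED = ("[Example-List] Meeting notes",
          ORIGINAL[1] + b"-- \r\nExample-List mailing list\r\n")

if __name__ == "__main__":
    for label, msg in (("exploder", EXPLODED), ("tag+footer", MUNGED)):
        print(label, "bh=" + body_hash(msg[1]),
              "survives" if signature_survives(ORIGINAL, msg) else "breaks")
```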


